Everhart, Glenn

From: russell.osterlund@ZURICH.COM
Sent: Tuesday, December 01, 1998 8:05 AM
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Subject: Win NT 4.0 UserId and Password available in memory

I have "stumbled upon" something peculiar concerning Windows NT 4.0 Workstation security. It seems that the userid and password remain in memory after a user has successfully logged on. Specifically, the memory space associated with WINLOGON.EXE memory (the memory block containing the environment space) contains the values "lMprNotifyUserName=xxxx" and "lMprNotifyPassword=yyyy", where "xxxx" is the userid used to issue the logon to the workstation and "yyyy" is the password.

Is this widely known? It seems that basic security on a workstation has been compromised by this behavior.

The algorithm used to discover the password and userid is the following:

1) Locate and determine WINLOGON's process id.
2) Open up this process for PROCESS_QUERY_INFORMATION and PROCESS_VM_READ access.
3) Issue a ReadProcessMemory on the address 0x00010000 for one page.
4) Scan the copied memory area for the strings "lMprNotifyPassword=" and "lMprNotifyUserName" and display what comes after.

Thank you in advance for your interest.

Russ Osterlund
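The real fix for what the post describes is for the OS not to leave the credential in WINLOGON's environment block; on the defender's side, the observable precondition is a handle to winlogon.exe opened with PROCESS_VM_READ (the post's step 2). The following is an added detection example, not code from the post or from Microsoft: it scans constructed process-access audit records (field names mirror Sysmon Event ID 10, ProcessAccess, but the records and the allowlist of baseline system images are assumptions, not captured telemetry) and reports every non-baseline process that obtained read access to winlogon's memory.

```python
"""Flag handles to winlogon.exe whose access mask allows ReadProcessMemory."""
from typing import Dict, Iterable, List, Set, Tuple

# Documented Win32 process access rights (winnt.h).
PROCESS_VM_READ = 0x0010
PROCESS_QUERY_INFORMATION = 0x0400  # the post's step 2 requests 0x0410 in total

# Constructed sample records in "key=value;key=value" form; not real logs.
SAMPLE_EVENTS = [
    "SourceImage=C:\\Windows\\System32\\csrss.exe;TargetImage=C:\\Windows\\System32\\winlogon.exe;GrantedAccess=0x1FFFFF",
    "SourceImage=C:\\Users\\bob\\Downloads\\memdump.exe;TargetImage=C:\\Windows\\System32\\winlogon.exe;GrantedAccess=0x410",
    "SourceImage=C:\\Windows\\System32\\svchost.exe;TargetImage=C:\\Windows\\System32\\winlogon.exe;GrantedAccess=0x1000",
    "SourceImage=C:\\Users\\bob\\Downloads\\memdump.exe;TargetImage=C:\\Windows\\explorer.exe;GrantedAccess=0x410",
]

# Assumed baseline: system images that legitimately hold winlogon handles in
# this (hypothetical) environment. Tune from your own telemetry; lowercase.
DEFAULT_ALLOWLIST: Set[str] = {"c:\\windows\\system32\\csrss.exe"}


def parse_event(line: str) -> Dict[str, str]:
    """Split one 'key=value;...' record into a dict (values keep their case)."""
    return dict(field.split("=", 1) for field in line.split(";") if "=" in field)


def can_read_memory(granted_access: str) -> bool:
    """True if the hex access mask includes PROCESS_VM_READ.

    ReadProcessMemory needs only PROCESS_VM_READ, so a mask such as
    PROCESS_ALL_ACCESS (0x1FFFFF) is flagged as well as the post's 0x0410;
    0x1000 (PROCESS_QUERY_LIMITED_INFORMATION) alone is not.
    """
    return int(granted_access, 16) & PROCESS_VM_READ == PROCESS_VM_READ


def find_winlogon_readers(lines: Iterable[str],
                          allowlist: Set[str]) -> List[Tuple[str, str]]:
    """Return (SourceImage, GrantedAccess) for non-baseline readers of winlogon."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if not ev.get("TargetImage", "").lower().endswith("\\winlogon.exe"):
            continue
        if ev.get("SourceImage", "").lower() in allowlist:
            continue
        if can_read_memory(ev.get("GrantedAccess", "0x0")):
            hits.append((ev["SourceImage"], ev["GrantedAccess"]))
    return hits


if __name__ == "__main__":
    for source, access in find_winlogon_readers(SAMPLE_EVENTS, DEFAULT_ALLOWLIST):
        print(f"ALERT: {source} opened winlogon.exe with {access}")
```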