Vulnerabilities and Countermeasures of Windows operating system password system (Figure)

Source: Internet
Author: User
Document directory
  • I. Questions raised
  • II. Problem analysis and countermeasures
  • III. Conclusion

I. Questions raised

This article only lists issues found in actual work. It analyzes several hidden security vulnerabilities in the password system of the widely used Windows operating system and gives corresponding countermeasures. These vulnerabilities put computers at risk, and we hope they attract the attention of the users concerned.

1. The Windows "User Logon" dialog box

Figure A is the familiar "User Logon" dialog box:

Figure A

As everyone knows, any of a number of utilities easily downloaded from the Internet can be used to "crack" the user "TesT" shown in Figure A and recover the correct password originally set in TesT's PWL file, although this takes some time; impersonating the user "TesT" then lets an intruder log on to the operating system or an application system while evading the security audit. The real problem is that the built-in password security system of the Windows operating system has many weaknesses, and even defects, so that the minimum security link of the system, user logon, is lost after a single byte of the system dynamic link library file "■ spwL" is modified. Compared with the "crack" approach above, this has almost no "time cost".

Related experiment: find the system dynamic link library file "■ spwL", open it in an ordinary hexadecimal editor, search for the hexadecimal string {B9 10 00 00 00 2B} and change {10} to {00}, so that after the one-byte change the string reads {B9 00 00 00 00 2B}, i.e.:
  Search for:    B9 10 00 00 00 2B
  Replace with:  B9 00 00 00 00 2B
Save the change and try to log on again. You will find that every user recorded in the system initialization file can log on with any password, or even with just the Enter key, and the "legitimate" users are hardly able to notice.

2. The Windows "Logon ID" dialog box

Figure B shows the familiar "Logon ID" dialog box:

Figure B

The "sign in" dialog box is most often seen when a user starts the Outlook Express mail component built into the Windows operating system. After selecting your own identity and entering the correct password, you can send and receive mail through Outlook Express. Likewise, utilities downloaded from the Internet can "crack" the password of the identity marked "TesT", after which mail can be sent and received under a false identity, but again these utilities take time to produce a result. We found a weakness in the built-in password security system here as well, which reduces the user's "identity and password" to an empty formality: after only two bytes are modified, this security link of the Windows operating system also fails.

Related experiment: find the system dynamic link library file "■ sidenT", open it in an ordinary hexadecimal editor, search for the hexadecimal string {8A 18 8A D3 3A 19 75 1A 84 D2 74 12 8A 58 01}, and change {18} to {19} and {58} to {59}, so that after the two-byte change the string reads {8A 19 8A D3 3A 19 75 1A 84 D2 74 12 8A 59 01}, i.e.:
  Search for:    8A 18 8A D3 3A 19 75 1A 84 D2 74 12 8A 58 01
  Replace with:  8A 19 8A D3 3A 19 75 1A 84 D2 74 12 8A 59 01
Save the change and try to log on again. You will find that every identity can log on with any password, or even with just the Enter key, and the owner of the "identity" is hardly able to detect it!

3. The Windows "Connection Logon" dialog box

Figure C is the "Connection Logon" dialog box:

Figure C

As everyone knows, the password-format text box in Figure C can be revealed with a "view" utility. We will not discuss that here; what we want to discuss is the dangerous weakness in the password security system of the Windows operating system, so that you can avoid similar omissions in your own application systems and make them more secure. We found that, because of this weakness in the built-in password security system, the password of the user "TesT" above sits in memory in clear text: there is no need to "view" it at all, you only need to probe memory.

Related experiment: using a system-level memory probe or debugger, the connection logon password from Figure C is easily found in system memory (the password preset for the user "TesT" in Figure C is "Chinese!"). Windows "Connection Logon" password memory probe result [2]:
  Address: 80FD9E2A
  00 00 00 00 00 00 00 00-00 00 3F 03 8C 03 26 01  ..........?...&.
  43 68 69 6E 65 73 65 21-31 30 2D 30 31 2D 31 39  Chinese!10-01-19
  34 39 00 00 00 00 00 00-00 00 00 00 00 00 00 00  49..............
  00 00 67 03 B4 03 22 01-54 65 73 54 00 00 00 00  ..g..."..TesT....
From the probe result above it is easy to see that the connection password of the user "TesT" is "Chinese!".

4. The Windows "Shared login" dialog box

Figure D is the familiar "Shared login" settings dialog box:

Figure D

As you know, the password-format text box in this dialog box can also be revealed with a "view" utility. We will not discuss that here either, but look at it from another angle. We found that, because of the same weakness in the built-in password security system, the "read-only" password and the "full access" password of the user "TesT" above also sit in memory in clear text: there is no need to "view" them at all, you only need to probe memory.

Related experiment: using a system-level memory probe or debugger, the shared-login passwords from Figure D are easily found in system memory (the "read-only" password and the "full access" password preset for the user "TesT" in Figure D are "TesTTesT" and "!!GoTo!!", eight characters at most). Windows "Shared login" settings password memory probe result:
  Address: 816B55D2
  00 00 00 B6 0F 00 00 40-00 00 E7 02 64 03 2A 01  .......@....d.*.
  54 65 73 54 54 65 73 54-00 00 00 00 00 00 00 00  TesTTesT........
  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
  00 00 3F 03 8C 03 26 01-00 00 00 00 00 00 00 00  ..?...&.........
  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
  00 00 00 00 00 00 00 00-00 00 67 03 B4 03 22 01  ..........g...".
  54 65 73 54 00 00 00 00-00 00 00 00 00 00 00 00  TesT............

  Address: 816B57F2
  00 00 00 00 00 00 00 00-05 00 57 04 74 06 2E 01  .........W.t...
  21 21 47 6F 54 6F 21 21-00 00 00 00 00 00 00 00  !!GoTo!!........
From the probe result above it is easy to see that the "read-only" password of the user "TesT" is "TesTTesT" and its "full access" password is "!!GoTo!!".

II. Problem analysis and countermeasures

1. Questions about the Windows "User Logon" dialog box

We analyze the core code of the "User Logon" password check in the Windows operating system as follows.
The one-way hash operation described above is performed multiple times and yields a 128-bit hash string (the detailed algorithm analysis is omitted). The hash string is then compared with the correct value saved in the corresponding PWL file; see the following code:

  7FA71D97 B910000000  mov ecx, 00000010   ; the hash string is 128 bits, i.e. 16 bytes
  7FA71D9C 2BC0        sub eax, eax        ; initialize EAX
  7FA71D9E F3A6        repz cmpsb          ; compare the two 128-bit hash strings
  7FA71DA0 7405        je 7FA71DA7         ; equal: the system considers the password correct
  7FA71DA2 1BC0        sbb eax, eax        ; otherwise
  7FA71DA4 83D8FF      sbb eax, FFFFFFFF
  7FA71DA7 85C0        test eax, eax       ; test the comparison flag
  7FA71DA9 B8261C0000  mov eax, 00001C26   ; preset the "password error" code
  7FA71DAE 7502        jne 7FA71DB2        ; comparison failed: jump
  7FA71DB0 33C0        xor eax, eax        ; otherwise set the "password correct" result
  7FA71DB2 5F          pop edi             ; restore the registers
  7FA71DB3 5E          pop esi
  7FA71DB4 5B          pop ebx
  7FA71DB5 8BE5        mov esp, ebp
  7FA71DB7 5D          pop ebp
  7FA71DB8 C20400      ret 0004            ; and return
From the above analysis we can see that when we change the length of the password comparison from 0x10 to 0, that is, change

  mov ecx, 00000010   to   mov ecx, 00000000

which alters only one byte, the "User Logon" password comparison result is "always" correct. It is quite dangerous to rely on a single "repz cmpsb" instruction to decide a system-level password, and on a single conditional jump to choose the decisive direction of the operating system's password security instructions; in fact it is a "traditional" low-level practice, and the protection it offers is quite fragile. No matter how long the one-way hash result used by the operating system is, or how many rounds of iterative encoding the operating system performs before it executes "repz cmpsb", we only need to hit this one "key point" on the "key path" and the protection at this level is ineffective.

Countermeasure: the biggest "negligence" of the Windows operating system here is that the 128-bit hash string obtained with such "painstaking effort" is only involved in a simple comparison and is not used more effectively. We recommend that the 128-bit hash string obtained from the final operation, regardless of whether it is right or wrong, be used as the input for the next round of decoding: it should decode some key code or data needed later, so that after the correct password is entered the Windows operating system naturally loads correctly, while after a wrong password it simply cannot continue to load correctly. This is in fact an obvious security vulnerability. Do not assume that system-level files on the storage device are safe because they carry "read-only", "hidden" or other attributes. As long as the system's storage device can be read and written "physically", "tampering" with sensitive system-level files is not a "rather" difficult thing; in most cases it is easy to do.
Further discussion of this security vulnerability, together with an effective solution, is given in the article "Protection methods and countermeasures for vulnerable software copyrights".

2. Questions about the Windows "Login ID" dialog box

We analyze the core code of the "Login ID" password check in the Windows operating system as follows.
  ; ECX and EAX point to the password entered by the user and to the correct password
  797972C3 8D4DE8        lea ecx, dword ptr [ebp-18]
  797972C6 8D85E8FDFFFF  lea eax, dword ptr [ebp+FFFFFDE8]
  797972CC 8A18          mov bl, byte ptr [eax]      ; get the first password character
  797972CE 8AD3          mov dl, bl                  ; save a copy of it
  797972D0 3A19          cmp bl, byte ptr [ecx]      ; compare with the correct password
  797972D2 751A          jne 797972EE                ; first character wrong: jump
  797972D4 84D2          test dl, dl                 ; was it the last character?
  797972D6 7412          je 797972EA
  797972D8 8A5801        mov bl, byte ptr [eax+01]   ; get the next password character
  797972DB 8AD3          mov dl, bl                  ; save a copy of it
  797972DD 3A5901        cmp bl, byte ptr [ecx+01]   ; compare with the correct password
  797972E0 750C          jne 797972EE                ; comparison failed: jump
  797972E2 40            inc eax                     ; advance the entered-password pointer
  797972E3 40            inc eax
  797972E4 41            inc ecx                     ; advance the correct-password pointer
  797972E5 41            inc ecx
  797972E6 84D2          test dl, dl                 ; was it the last character?
  797972E8 75E2          jne 797972CC                ; not finished: loop
  797972EA 33C0          xor eax, eax                ; finished, everything matched
  797972EC EB05          jmp 797972F3                ; go to the flag test below
  797972EE 1BC0          sbb eax, eax                ; comparison ended with a mismatch
  797972F0 83D8FF        sbb eax, FFFFFFFF           ; set the error flag
  797972F3 85C0          test eax, eax               ; test the flag
From the above analysis we can see that when we make the two password pointers, EAX and ECX, read from the same address, that is, change

  mov bl, byte ptr [eax]      to   mov bl, byte ptr [ecx]
  mov bl, byte ptr [eax+01]   to   mov bl, byte ptr [ecx+01]

which alters only two bytes, the "Login ID" password comparison result is "always" correct. This is also an obvious security vulnerability. It is caused by the fact that the instructions that handle the plaintext password are placed too close together, so it is easy to "tamper" with the relevant instruction code and mount an impersonation attack.

Countermeasure: first, plaintext password comparisons should be avoided wherever possible; the plaintext password should be "torn apart" by a robust message-digest algorithm and "drowned" in a 128-bit high-strength one-way hash string (for details see our published article "Security logon risks and countermeasures for large-scale Web application software"). If we lack the "patience" for that, we should at least consider "discretizing" the instructions that analyze and decide the password, rather than "closely" chaining them one after another as here. For more secure practice see the article "Protection methods and countermeasures for vulnerable software copyrights", which gives an effective solution.

3. Questions about the Windows "Connection Logon" dialog box

The cause is that the Windows operating system does not allocate the relevant memory with the safe "OpeNPassworDCachE" method, as the "User Logon" dialog box does, and does not "clear" the password storage after use. Therefore the user's sensitive data is easily found by probing memory.

Countermeasure: first, enable the safe "OpeNPassworDCachE" method for allocating the relevant memory, and make sure that the password memory unit is "reset" immediately after the password has been compared, to defend against the "peeking" attack of a memory probe tool. For stronger protection, avoid holding plaintext passwords in memory at all.
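As an added illustration of the countermeasures in sections 1 to 3 (constructed example code, not from the article or from Windows): the password hash is never compared against a stored value but used as a key that decrypts and authenticates a protected secret, so a wrong password yields garbage instead of flipping one patchable branch, and the password buffer is wiped as soon as the key is derived. The SHA-256 counter-mode stream and the names `enroll`, `unlock`, `verify` and `wipe` are my own choices; the stream cipher stands in for a real AEAD such as AES-GCM.

```python
import hashlib
import hmac
import os

# Constructed illustration: the password hash is a key, not a comparison target.
ITERATIONS = 100_000


def wipe(buf: bytearray) -> None:
    """Overwrite a password buffer in place as soon as it is no longer needed.
    Python cannot guarantee that no other copies exist; this shortens, but
    does not remove, the window in which the plaintext sits in memory."""
    for i in range(len(buf)):
        buf[i] = 0


def derive_key(password: bytearray, salt: bytes) -> bytes:
    """Slow one-way hash of the password; the plaintext is wiped right after."""
    key = hashlib.pbkdf2_hmac("sha256", bytes(password), salt, ITERATIONS, dklen=32)
    wipe(password)
    return key


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy counter-mode keystream from SHA-256 (stand-in for a real cipher)."""
    out = bytearray()
    ctr = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return bytes(out[:length])


def enroll(password: bytearray, secret: bytes) -> dict:
    """Seal `secret` (e.g. the key that unlocks the user's profile) under the
    password. Nothing derived from the password is stored for comparison."""
    salt, nonce = os.urandom(16), os.urandom(16)
    key = derive_key(password, salt)
    ct = bytes(a ^ b for a, b in zip(secret, keystream(key, nonce, len(secret))))
    tag = hmac.new(key, nonce + ct, "sha256").digest()
    return {"salt": salt, "nonce": nonce, "ct": ct, "tag": tag}


def unlock(password: bytearray, record: dict) -> bytes:
    """Branch-free: always returns the decryption result. Only the right
    password yields the real secret, and every later step depends on it,
    so patching a jump somewhere in this path gains nothing."""
    key = derive_key(password, record["salt"])
    ks = keystream(key, record["nonce"], len(record["ct"]))
    return bytes(a ^ b for a, b in zip(record["ct"], ks))


def verify(password: bytearray, record: dict) -> bool:
    """Optional explicit check through the MAC, in constant time. Even if an
    attacker forces this to return True, unlock() still produces garbage."""
    key = derive_key(password, record["salt"])
    tag = hmac.new(key, record["nonce"] + record["ct"], "sha256").digest()
    return hmac.compare_digest(tag, record["tag"])
```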
For more information see the article "Protection methods and countermeasures for vulnerable software copyrights", which gives an effective solution.

4. Questions about the Windows "Shared login" settings dialog box

The cause is that the Windows operating system does not use the safe "OpeNPassworDCachE" method to decode and decide these passwords either, and does not "clear" the password storage after use. Therefore the user's sensitive data is easily found by probing memory.

Countermeasure: first, enable the safe "OpeNPassworDCachE" method for allocating the relevant memory, and make sure that the password memory unit is "reset" immediately after the password has been compared, to defend against the "peeking" attack of a memory probe tool. For stronger protection, avoid holding plaintext passwords in memory at all. For more information see the article "Protection methods and countermeasures for vulnerable software copyrights", which gives an effective solution.

III. Conclusion

For products protected by a minimum-strength robust one-way hash algorithm, a simple attack that may be effective but is not necessarily efficient, exhaustive search, is of course the first thing to consider, and its scale of course cannot be too large. For Windows operating system products, however, in most cases even this effort can be omitted: a simple "crack" or direct memory probing is enough, because the system does not perform the necessary maintenance and protection of the memory that holds sensitive data such as system instruction code and passwords:

(1) For system instruction code, most Windows operating systems read, write and execute it without verifying key instruction code to prevent it from being "tampered" with in system memory.
(2) For password data, the Windows operating system still leaves the recovered password in system memory in clear text after it has been used. Yet "the password store should be cleared after the password has been analyzed and decided" is common practice for anyone with even a little knowledge of password security. Why is the Windows manufacturer so negligent here? We have not yet obtained the manufacturer's domestic sales version; if analysis showed that only the international version has the password security weaknesses discussed in this article, then, leaving aside development cost or stability, the true intention would be worth pondering.

Nor should Windows 2K and other versions be regarded as relatively safe and assumed, out of luck, to be free of the password security weaknesses described above. Our analysis also covers Windows 2K and other versions. For the "User Logon" dialog box, Windows 2K and other versions have the same security risk: after only one byte of the system dynamic link library file "■ sv1_0" is modified, the minimum security link of Windows 2K and the other operating systems fails, and the super user "Administrator" can be logged on to without any "crack", at almost zero "time cost"! The discussion in this article is therefore representative, and we hope it draws everyone's attention.

Windows 2K related experiment: in the Windows 2K operating system, find the system dynamic link library file "■ sv1_0", open it in an ordinary hexadecimal editor, search for the hexadecimal string {F8 10 0F 84 71 FF} and change {10} to {00}, so that after the one-byte change the string reads {F8 00 0F 84 71 FF}, i.e.:
  Search for:    F8 10 0F 84 71 FF
  Replace with:  F8 00 0F 84 71 FF
Save the change and try to log on as the super user "Administrator"; you will find the related password security vulnerability.

Countermeasure: for more information about the security vulnerability revealed in this example, see the article "Protection methods and countermeasures for vulnerable software copyrights". It turns out that for a Windows operating system that does not keep passwords (keys) on hot-swappable removable storage media and does not have a sound password security system, it is not difficult for someone with a clear purpose and at least professional skill to "intrude" into the system.

(Abusys Company)

[1] This article is for reference only. If you want to repeat the experiments and data, follow the instructions given in the original document; although we know that all the experiments in this article can be repeated safely, remember before you act that we give no guarantee of any kind for the results.

[2] The specific address values shown in this figure are not fixed.