Weaknesses and countermeasures of Windows operating system cryptosystem (graph)--vulnerability research

Source: Internet
Author: User
Tags goto hash versions

First, the question of the proposed

In this paper, only a few of the problems identified in the actual work, the current widely used in the Windows operating system hidden in a few of the dangerous weaknesses of the cryptographic system to analyze and give corresponding countermeasures, these dangerous weaknesses caused by computer security risks, hoping to arouse the attention of relevant users.
1, Windows operating system "User Login" dialog box problem
Figure A is the familiar "User Login" dialog box:

Figure A
As we all know, if you wish, you can now "crack" the "test" user shown in Figure A by a number of utilities that can be easily downloaded from the Internet to obtain the correct password that was originally set in the Test.pwl file, although it may take some time to impersonate the user "test" Log on to the operating system or application systems to evade the security audit system.
The problem is that the Windows operating system's built-in password security system has many weaknesses and even defects, resulting in the above operating system at least the security link-user login, only a system called "SPWL" dynamic link library file, only modify its " one " byte, Windows operating system This minimum security link is invalidated! There is little "time cost" to use this vulnerability compared to the "crack" approach described above.
Related experiments:
Locate the system dynamic-link library file named "SPWL" within the Windows operating system, and then change {10} to {00} after the hexadecimal string is searched in the common hexadecimal editor, that is, the hexadecimal string is changed after a word. B9 2B}, namely:
Search →b9 2B
For →b9 2B
Save this change, and then try to log in again, you will find that all the users in the system initialization files, can be arbitrary password or even just a return key form easy to log in, and "legitimate" users are difficult to detect.
2, the Windows operating system "Identity Login" dialog box issues
Figure B is the familiar "identify login" dialog box:

Figure B
The most common feature of this "identify login" dialog box is when a user tries to use the Outlook Express e-mail component built into the Windows operating system and is ejected by the Windows operating system. You can send and receive e-mail through Outlook Express when the user selects his or her identity and enters the correct password.
In the same way, you can download some relevant utilities on the internet to "crack" the password identified by the "TesT" above, and then you can send and receive messages by impersonating a legitimate user's identity, but it takes time to get results after these utilities are executed.
In the same way, we found that the built-in password security system in the Windows operating system has a relative weakness, resulting in the user's "Identity password" in the same name-only to a system named "sident" dynamic link library file, only modify its " two " Byte, This security aspect of the Windows operating system also fails.
Related experiments:
Locate the system dynamic link library file named "Sident" within the Windows operating system, and then search the hexadecimal string {8A 8ad33a19751a84d274128a 01} In the common hexadecimal editor after the { 18} changed to {19} and {58} to {59}, that is, the above hexadecimal string was changed two bytes and then changed to {8A 8ad33a19751a 84d27412 8A 01}, namely:
Search →8a 8ad3 3a19 751A 84d2 7412 8A 01
For →8a 8ad3 3a19 751A 84d2 7412 8A 01
Save this change, and then try to log in again, you will find that all identities, can be arbitrary password or even just a enter the form of easy login! The "identity" owners who are being identified are hard to detect!
3, Windows operating system "Connection Login" dialog box problem
Figure C You are familiar with the "Connect Login" dialog box:

Figure C
As we all know, it is now easy to use the utility program, the password form of the text box to "perspective." We're not talking about this here, and we want to talk about the dangerous weaknesses in the Windows operating system's password security system, so that we can avoid similar omissions in our application systems and make our own applications more secure.
We found that the built-in password security system in the Windows operating system has the relevant weaknesses, resulting in the above "TesT" user's password in the memory in order to appear in plaintext, there is no need to "perspective" and as long as in memory a little sniff.
Related experiments:
Using a memory profiler or debugger running at the system level, we can easily detect the connection login password for figure C in system memory (Figure C "TesT" The user has previously set the password "chinese!10-01-1949"):
Windows operating System "Connection login" Password memory probe results [2]
Address 80FD9E2A up
00-00 3F 8C 03 26 01 ...????????. ...
6E 21-31 to 2D to 2D to chinese!10-01-19
For the 00-00 of ..... ...., and the other is a very, very.
B4 03 22 01-54 65 73 54 00 00 00 00. G. ... ". TesT....
In the above probing results, we can easily find that the "TesT" User's connection password is "chinese!10-01-1949".
4. Windows operating system "Share Login" Settings dialog box problem
Figure D is the familiar "Share Login" Settings dialog box:

Figure D
As you know, the dialog box above can also be easily used to "perspective" the text box in the form of a password through a utility program. We're not going to talk about that here.
We found that the built-in password security system in the Windows operating system has weaknesses, but also caused the above "TesT" user's "read-only" password and "full access" password in the memory to appear in plaintext, there is no "perspective" and as long as in the memory of a little sniff.
Related experiments:
With a memory profiler running at the system level or a debugger, we can easily sniff out the password for shared logins in the system memory (Figure D "TesT" user's pre-set "read Only" password and "full access" password are "testtest" and "!! goto!! " --up to eight characters):
"Shared Login" for Windows operating system setting password memory probe results
testtest .".
.....
TesT ...., "the.
Address 816b57f2
.., ..., and .....
.
In the above probing results, we can easily find that the "TesT" user's "read Only" password is "testtest" and its "full access" password is "!! goto!! " )。

Analysis of the problems and countermeasures

1, about the Windows operating system "User Login" dialog box issues
We will analyze the core code for the "User login" password in the Windows operating system as listed below.
: :
The above has carried on several one-way hash operation and obtains the length is 128 bits hash string (concrete algorithm analysis slightly) and then and saves in corresponding PWL file the correct value comparison, see the following code.
: :
7fa71d97 B910000000 mov ecx, 00000010 ; The hash string is 128 bits or 16 bytes
7fa71d9c 2bc0 Sub eax, eax; initialize EAX registers
7fa71d9e F3 RepZ
7fa71d9f A6 CMPSB; 128-bit hash string alignment
7fa71da0 7405 JE 7fa71da7 equal, the system thinks the user password is correct
7fa71da2 1bc0 sbb eax, eax; otherwise, the Password alignment error flag
7FA71DA4 83d8ff sbb eax, FFFFFFFF
7FA71DA7 85c0 test eax, eax; testing password pair flag bit
7FA71DA9 b8261c0000 mov eax, 00001c26; preset password error message
7fa71dae 7502 jne 7fa71db2 Password comparison error, then turn
7fa71db0 33c0 xor eax, eax;
7FA71DB2 5F pop edi; Recovery site
7FA71DB3 5E pop esi; Recovery site
7FA71DB4 5B pop ebx recovery site
7FA71DB5 8BE5 mov esp, EBP;
7fa71db7 5D Pop EBP recovery site
7FA71DB8 C20400 ret 0004;
: :
It can be seen from the above analysis that when we change the length of the cipher pair from "0x10h" to "0"-that is, the
will mov ecx, 000000
instead mov ecx, 000000
Only change the " one " byte, the "User login" password will be "forever" the correct result.
It is quite dangerous to rely solely on a "REPZ CMPSB" directive to determine the system-level password, and the decisive flow of the password-safe-class directives of the Windows operating system simply through a conditional statement is a "traditional" low-level approach, and the protection effect is rather fragile. Because no matter how "stunning" the one-way hash result of the operating system is, no matter how many rounds of large load iterations the operating system has performed before executing the "REPZ cmpsb" instruction, all we need to do is put a "point" on this "critical path"-security at this level will fail.
Countermeasures:
The biggest "negligence" of the Windows operating system here is that the 128-bit hash string that was finally obtained from the "painstaking consideration" is only involved in a simple comparison and is not used more effectively, suggesting:
The last operation of the 128-bit hash string regardless of its right and wrong as a new round of decoding iterative operation of the input operator, the subsequent part of the key code or data decoding, so that the user entered the correct password can naturally correctly continue to load the Windows operating system, Otherwise, you can only cause an error prompt to continue loading the Windows operating system correctly .
In fact, this is an obvious security breach. Do not assume that system-level files on the storage device are set to read-only, hide, and so on. In fact, as long as the system's storage device can be "physically" read and written, then the sensitive system-level files on its "tampering" will not be a "pretty" difficult thing. And in most cases, it's easier to do. Further discussion of this vulnerability will be carried out in the article "Fragile software copyright protection methods and Countermeasures", and an effective solution is given accordingly.
2, about the Windows operating system "Identity Login" dialog box issues
We listed the core code for the "Identity login" password in the Windows operating system for analysis as follows.
:: ┏ecx, eax point to user input password and correct password
797972C3 8d4de8 Lea ecx, DWORD ptr [ebp-18]
797972c6 8D85E8FDFFFF Lea eax, DWORD ptr [Ebp+fffffde8]
797972CC 8a18 mov bl, byte ptr [eax] ; Get the first password character
797972CE 8AD3 mov dl, bl; save copy
797972D0 3a19 cmp bl, byte ptr [ecx]; match the correct password
797972D2 751A jne 797972EE; The first password character is incorrect
797972D4 84d2 test DL, DL; is the last password character?
797972d6 7412 JE 797972EA; Yes, turn.
797972d8 8a5801 mov bl, byte ptr [eax+01] ; Get the next password character
797972DB 8AD3 mov dl, BL; save its copy
797972DD 3a5901 cmp bl, byte ptr [ecx+01]; match the correct password
797972E0 750C jne 797972EE; compare to not succeed then turn
797972E2/inc eax; Adjust current password character pointer
797972E3/inc eax; Adjust current password character pointer
797972E4/INC ECX; Adjust the correct password character pointer
797972E5/INC ECX; Adjust the correct password character pointer
797972E6 84d2 test DL, DL; is the last password character?
797972E8 75E2 jne 797972CC; not yet compared to the end of the turn
797972EA 33c0 xor eax, eax, end of pair and all correct
797972EC EB05 jmp 797972f3; turn to follow up test flag bit
797972EE 1bc0 sbb eax, eax end but not right
797972f0 83d8ff sbb eax, ffffffff; Place error flag bit
797972F3 85c0 test eax, eax; testing flag bit
797972f5 7434 JE 7979732B; passwords are correct.
: :
It can be seen from the above analysis that when we refer to the same address as the two pointers eax and ecx of the cipher, the above
will mov bl, byte ptr [eax]
insteadmov bl, byte ptr [ecx]
will mov bl, byte ptr [eax+01]
insteadmov bl, byte ptr [ecx+01]
Only change the " two " Byte, the "Identity login" password comparison results will be "forever" correct. This is also an obvious security vulnerability. This vulnerability stems from the explicit password comparison of the instructions too close, it is easy to "tamper" with the relevant instruction code to achieve the purpose of "impersonation" attack.
Countermeasures:
First of all, we should try to avoid the comparison of plaintext passwords, and as far as possible will be plaintext password "code", the clear text password through a robust digest password algorithm "" "After" "submerged" in length at least in 128-bit high-intensity one-way hash string (specific reference to our published " The hidden trouble and the countermeasure of the large Web application software system security login, if you do not have this "patience" to do this work, it should at least consider the code to judge the relevant instructions "discrete" and not as now and then "closely" linked, more secure approach please refer to our completed " Fragile software copyright protection methods and Countermeasures, this paper gives an effective solution accordingly.
3, about the Windows operating system "Connection login" dialog box issues
The reason is that the Windows operating system for this type of password decoding and analysis, there is no such as "User Login" dialog box to adopt a more secure "Openpasswordcache" method of allocating memory, nor on the memory of the password storage after the necessary "Qing 0." So we can easily find the user's sensitive data through a memory probe.
Countermeasures:
First consider enabling a more secure "Openpasswordcache" method to allocate memory, and make sure that the "clear 0" work on the password memory unit must be performed immediately after the password is compared to protect against the memory profiler "peek" attack. If you need a more secure password to judge, you should avoid the presence of plaintext passwords in memory as much as possible, please refer to our complete "fragile software copyright protection methods and Countermeasures", which gives an effective solution.
4, about the Windows operating system, "Shared Login" Settings dialog box issues
The reason is that the Windows operating system for this type of password decoding and analysis, neither the use of a more secure "Openpasswordcache" method of allocating memory, nor on the memory of the password storage after the necessary "Qing 0." So we can easily find the user's sensitive data through a memory probe.
Countermeasures:
First consider enabling a more secure "Openpasswordcache" method to allocate memory, and make sure that the "clear 0" work on the password memory unit must be performed immediately after the password is compared to protect against the memory profiler "peek" attack. If you need a more secure password to judge, you should avoid the presence of plaintext passwords in memory as much as possible, please refer to our complete "fragile software copyright protection methods and Countermeasures", which gives an effective solution.

Third, the conclusion

For products that are protected by a robust one-way hash algorithm with a minimum strength, a simple and potentially effective but not necessarily efficient attack is of course the first consideration is the poor, of course, the scale can not be too large, but for Windows operating system products, in most cases even the exhaustive can be omitted, directly "crack" Or a direct memory probe can do so because it does not have the necessary maintenance and protection for the security of sensitive data such as System Directive Code and passwords:
(1) for system instruction code, the Windows operating system mostly read and write in the regular form, and lack the necessary verification to the key instruction code to prevent it from being "tampered" in the system memory.
(2) For password data, the Windows operating system will "restore" password after "use" is still in the form of plaintext left in the system memory, and "password stored within the password to judge after 0"-this is a little bit of password security knowledge of the common sense of the practice, why the Windows operating system manufacturers are so negligent?
At present, we have not yet obtained the version of the Windows operating system manufacturer in its local sales, if the relevant analysis shows that only in its international version of these cryptographic security weaknesses discussed in this article, put aside its development costs or stability, and other excuses, its real purpose is worthy of reflection.
We also do not think that Windows 2K and other versions are relatively safe, holding a lucky mind that there is no such weaknesses in the password security system. Our analysis includes Windows 2K and other versions of the "User Login" dialog box, Windows 2K and other versions of the operating system has the same security risks. Only if a dynamic link library file named "SV1_0" is modified only by modifying its " one " byte, the minimum security link of the operating system such as Windows 2K will fail. can easily with Superuser "Administrator" login, use this weakness without "crack", the relevant "time cost" is almost zero! Therefore, the discussion of this article is still representative. Hope to arouse the necessary attention.
Windows 2K version of the relevant experiments:
A system dynamic-link library file named "Sv1_0" was found within the Windows 2K operating system and then {10} was changed to {00} after searching for the hexadecimal string {F8 0F-FF FF} in the Common hex editor. The following word changes to { F8 0F FF FF}, namely:
searchF8 0F GHz FF FF
for → F8 0F , FF FF
Saving this change and then trying to log in as Superuser "Administrator" will reveal the associated password security vulnerabilities.
Countermeasures:
This example reveals the security weaknesses of the relevant countermeasures please refer to our completed "Fragile software copyright protection methods and Countermeasures", which has a more detailed analysis.
It turns out that for a Windows operating system that does not use hot-swappable Removable storage media and lacks a robust password security system, it is not difficult to "invade" the Windows operating system for people with a minimum of professional skills. (Author unit Abusys company)
[1] This article is for reference only, if the reader wishes to repeat the experiment and the data, be sure to follow all instructions provided in this article as is, although we know that all the experimental examples in this article can be safely duplicated, but before the reader acts, remember that we do not guarantee any form of the result.
[2] The exact address value of the attached document is not rigidly confined.

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.