漏洞说明:
WINDOWS系统访问共享文件时(file:\\协议,可以在HTM里面夹杂此协议),会自动试着以当前用户的身份连接(发送用户名、加密的密码),如果不能连接才提示用户输入用户名和密码,所以造成密码泄漏,
WINDOWS密码泄露漏洞相关代码及分析
。影响版本:WIN95、WIN98、WINNT、WIN2000。
补救措施:找微软。
下面是WIN98系统的泄露密码相关代码分析。这是文件VREDIR.VXD的一段代码:
15760 sub_0285 proc near
15760 55 push ebp
15761 8B EC mov ebp,esp
15763 83 EC 0C sub esp,0Ch
15766 33 C0 xor eax,eax
15768 53 push ebx
15769 56 push esi
1576A 57 push edi
1576B 8B 7D 08 mov edi,dword ptr [ebp+PARAMETER_1]
1576E 8B 5D 14 mov ebx,dword ptr [ebp+PARAMETER_4]
15771 66| C7 43 01 00FF mov word ptr [ebx+1],0FFh
15777 8B 77 1C mov esi,dword ptr [edi+1Ch]
1577A 8A 47 05 mov al,byte ptr [edi+5]
1577D 8B 55 10 mov edx,dword ptr [ebp+PARAMETER_3]
15780 C6 03 0D mov byte ptr [ebx],0Dh
15783 8B 0C 85 00000AE0 mov ecx,dword ptr data_0114[eax*4] ;
1578A 8B 45 18 mov eax,dword ptr [ebp+PARAMETER_5]
1578D 66| 89 43 05 mov word ptr [ebx+5],ax
15791 89 4D F8 mov dword ptr [ebp+LOCAL_2],ecx
;the login user block 用户信息块
15794 66| 0F B6 4A 18 movzx cx,byte ptr [edx+18h]
15799 66| 89 4B 07 mov word ptr [ebx+7],cx
1579D 8D 42 2C lea eax,dword ptr [edx+2Ch]
157A0 ?0 push eax
157A1 E8 FFFFFADA call sub_0282
157A6 66| 89 43 09 mov word ptr [ebx+9],ax
157AA 83 C4 04 add esp,4
157AD C7 43 13 00000000 mov dword ptr [ebx+13h],0
157B4 8B 55 10 mov edx,dword ptr [ebp+PARAMETER_3]
157B7 C7 43 17 00000000 mov dword ptr [ebx+17h],0
157BE 8B 4A 28 mov ecx,dword ptr [edx+28h]
157C1 89 4B 0B mov dword ptr [ebx+0Bh],ecx
;key
157C4 66| 8B 4A 1A mov cx,word ptr [edx+1Ah]
157C8 66| 8B C1 mov ax,cx
157CB 66| 25 0200 and ax,200h
157CF 66| 3D 0001 cmp ax,1
157D3 B8 00000000 mov eax,0
157D8 83 D0 FF adc eax,0FFFFFFFFh
157DB 66| 83 E1 03 and cx,3
157DF 83 E0 04 and eax,4
157E2 66| 83 F9 01 cmp cx,1
157E6 89 43 17 mov dword ptr [ebx+17h],eax
157E9 1B C9 sbb ecx,ecx
157EB 41 inc ecx
157EC 0B C8 or ecx,eax
157EE 83 7D F8 00 cmp dword ptr [ebp+LOCAL_2],0
157F2 89 4B 17 mov dword ptr [ebx+17h],ecx
157F5 0F 84 00000244 jz loc_1740
157FB 8A 4A 19 mov cl,byte ptr [edx+19h]
; SECURITY MODE 安全模式
;是服务方发过来的数据,所以服务方可以主动按其需要修改
157FE F6 C1 01 test cl,1
15801 0F 84 000001CB jz loc_1739
; USER OR SHARE MODE
;共享控制的跳转
15807 80 7F 05 02 cmp byte ptr [edi+5],2
1580B 75 53 jne short loc_1729
1580D 8B 45 F8 mov eax,dword ptr [ebp+LOCAL_2]
15810 8B 70 28 mov esi,dword ptr [eax+28h]
15813 85 F6 test esi,esi
15815 74 12 jz short loc_1726
15817 8D 7B 1D lea edi,dword ptr [ebx+1Dh]
1581A B9 00000006 mov ecx,6
1581F F3/ A5 rep movsd
15821 66| C7 43 0F 0018 mov word ptr [ebx+0Fh],18h
;PASSWORD LONG
15827 EB 06 jmp short loc_1727
15829 loc_1726:
15829 66| C7 43 0F 0000 mov word ptr [ebx+0Fh],0
1582F loc_1727:
1582F 33 C0 xor eax,eax
15831 8B 4D F8 mov ecx,dword ptr [ebp+LOCAL_2]
15834 66| 8B 43 0F mov ax,word ptr [ebx+0Fh]
15838 8B 71 2C mov esi,dword ptr [ecx+2Ch]
1583B 85 F6 test esi,esi
1583D 8D 7C 18 1D lea edi,dword ptr [eax+1Dh][ebx]
15841 74 12 jz short loc_1728
15843 B9 00000006 mov ecx,6
15848 F3/ A5 rep movsd
1584A 66| C7 43 11 0018 mov word ptr [ebx+11h],18h
15850 E9 000000E8 jmp loc_1736
15855 loc_1728:
15855 66| C7 43 11 0000mov word ptr [ebx+11h],0
1585B E9 000000DD jmp loc_1736
15860 loc_1729:
15860 C7 45 FC 00001A78 mov dword ptr [ebp+LOCAL_1],1A78h
15867 F6 46 1C 20 test byte ptr [esi+1Ch],20h
1586B 74 08 jz short loc_1730
1586D 83 C6 35 add esi,35h
15870 89 75 FC mov dword ptr [ebp+LOCAL_1],esi
15873 EB 12 jmp short loc_1731
15875 loc_1730:
15875 8B 55 10 mov edx,dword ptr [ebp+PARAMETER_3]
15878 8B 42 0C mov eax,dword ptr [edx+0Ch]
1587B F6 40 1C 20 test byte ptr [eax+1Ch],20h
1587F 74 06 jz short loc_1731
15881 83 C0 35 add eax,35h
;THE PASSWORD POINTER
15884 89 45 FC mov dword ptr [ebp+LOCAL_1],eax
15887 loc_1731:
15887 8B 45 FC mov eax,dword ptr [ebp+LOCAL_1]
1588A 80 38 00 cmp byte ptr [eax],0;
;THE PASSWORD
1588D 75 09 jne short loc_1732
;比较看有否输入密码,如果没有密码就用用户密码替换
;因为开始还没有出来提示输入密码时就有好几次密码实验,
;所以一定有没有密码的情况,也就泄露了当前用户密码
1588F 8B 45 F8 mov eax,dword ptr [ebp+LOCAL_2]
15892 83 C0 05 add eax,5
15895 89 45 FC mov dword ptr [ebp+LOCAL_1],eax