
gfiLNSS.txt

Posted Mar 1, 2005
Authored by Seyed Hamid Kashfi | Site hat-squad.com

Hat-Squad Advisory - The GFI L.N.S.S 5.0 vulnerability scanner suffers from an insecure credential storage flaw.

tags | advisory
SHA-256 | 340d3d6e729d5560c9b27c622892840879330cf30909dd6ca99d5530457b9584

February 28, 2005
Hat-Squad Advisory: GFI L.N.S.S 5.0 - Insecure Credential Storage

Product: GFI LANguard Network Security Scanner
Vendor Url: http://gfi.com/
Version: 5.0
Vulnerability: Insecure Credential Storage
Release Date: February 28, 2005

Vendor Status:
Informed on 22 February 2005
Response: 22 February 2005
Released: 28 February 2005

Overview:

GFI L.N.S.S is a vulnerability scanner that helps administrators identify security holes in their networked systems. The product also has a built-in patch management feature that deploys missing patches to the vulnerable systems it detects.
To deploy patches remotely, the user must provide credentials with which L.N.S.S authenticates to the remote system; installing patches on a remote system requires administrative privileges.
Since L.N.S.S is usually run in domain environments, the account prepared for it is usually a member of the "Domain Admins" group or a similarly privileged group with complete control over every member of the domain. The product offers two options for privileged scanning and deployment, "currently logged-on user" and "Alternative Credentials". To spare the user retyping it, GFI saves the password entered in "Alternative Credentials" mode. L.N.S.S also has an option to save scan reports to an MS-SQL server, and here again an account on the MS-SQL server must be provided to the application.
A weakness was discovered in this product that makes it possible to dump the saved credentials INSTANTLY, with no offline attack (password cracking) needed to recover them; in this case they are a domain username and password.


Problem:

Each time the L.N.S.S process (lnss.exe) is started to do a scan or deployment job with the saved credentials, the saved username and password can be read instantly from the memory space of the process, because L.N.S.S loads them into memory as clear-text strings. With a short, simple piece of code it is possible to dump both the MS-SQL and the domain username/password from the local system. Note that reading the memory space of the lnss process requires sufficient privileges (usually local administrator).
Although this limits the attack vector, it does not reduce the risk of this weakness: an attacker holding a locally privileged account obtains the password of a domain-admin-level account in CLEAR TEXT. This could be done by malicious code, or by chaining another remote vulnerability in the system.


Exploit:

Use your own memory-dump code or any available tool to dump the memory space of the process.
The "Process Memory Dumper" code provided by KD-TEAM ( http://www.kd-team.com/tools/MemPDump.kd_team.rar )
can easily be customised to complete our mission. Greets to DiabloHorn ;)
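The two steps described under Problem and Exploit, reading the scanner process's memory and pulling the clear-text strings out of it, as an added example written for this page (it is not Hat-Squad's, KD-TEAM's or GFI's code). The Win32 part is assumed to have happened already: a process with sufficient privilege opens lnss.exe with PROCESS_VM_READ, walks its regions with VirtualQueryEx() and copies them out with ReadProcessMemory(), which is the usual way such dumpers work. This block works on a constructed image in portable C so that it runs anywhere; the SQL and domain logons in it are made up. Win32 programs keep strings either as 8-bit ANSI or as UTF-16LE wide characters, so the extractor scans for both; GNU strings without "-e l" would show only the ANSI ones.

```c
#include <stdio.h>
#include <string.h>

#define MAX_TEXT 64

/* One recovered string: its offset in the image, whether it was stored as
   UTF-16LE (wide) or 8-bit ANSI, and its text narrowed back to ASCII. */
typedef struct { size_t offset; int wide; char text[MAX_TEXT]; } string_hit;

static int is_printable(unsigned char c) { return c >= 0x20 && c <= 0x7e; }

/* Collect runs of at least min_len printable characters. With wide == 0 a
   character is one printable byte; with wide == 1 it is a printable byte
   followed by 0x00 (a UTF-16LE code unit in the ASCII range). Runs are
   found at any byte alignment, so wide strings at odd offsets are not lost. */
size_t extract_strings(const unsigned char *img, size_t len, int wide,
                       size_t min_len, string_hit *out, size_t cap)
{
    size_t step = wide ? 2 : 1, hits = 0, i = 0;
    while (i < len) {
        size_t start = i, n = 0;
        char buf[MAX_TEXT];
        while (i + step <= len && is_printable(img[i]) && (!wide || img[i + 1] == 0x00)) {
            if (n < MAX_TEXT - 1) buf[n] = (char)img[i];
            n++;
            i += step;
        }
        if (n == 0) { i++; continue; }   /* no printable character here: move on */
        if (n >= min_len && hits < cap) {
            size_t copy = n < MAX_TEXT - 1 ? n : MAX_TEXT - 1;
            memcpy(out[hits].text, buf, copy);
            out[hits].text[copy] = '\0';
            out[hits].offset = start;
            out[hits].wide = wide;
            hits++;
        }
    }
    return hits;
}

/* Check whether a known secret (say, the password typed into "Alternative
   Credentials") is present as ANSI or as UTF-16LE. Returns its offset, or
   -1 if absent; *wide reports which encoding matched. */
long find_text(const unsigned char *img, size_t len, const char *needle, int *wide)
{
    size_t nl = strlen(needle);
    for (size_t i = 0; i + nl <= len; i++)
        if (memcmp(img + i, needle, nl) == 0) { *wide = 0; return (long)i; }
    for (size_t i = 0; i + 2 * nl <= len; i++) {
        size_t k = 0;
        while (k < nl && img[i + 2 * k] == (unsigned char)needle[k] && img[i + 2 * k + 1] == 0x00)
            k++;
        if (k == nl) { *wide = 1; return (long)i; }
    }
    return -1;
}

static size_t put(unsigned char *buf, size_t cap, size_t pos, const void *src, size_t n)
{
    if (pos + n > cap) return pos;   /* refuse to overflow the image buffer */
    memcpy(buf + pos, src, n);
    return pos + n;
}

/* Constructed stand-in for a region read out of the scanner process with
   ReadProcessMemory(): binary noise around an ANSI MS-SQL logon and a
   UTF-16LE domain logon. Every value here is made up for this example. */
size_t build_sample_image(unsigned char *buf, size_t cap)
{
    static const unsigned char noise[] = { 0x8b, 0xec, 0x01, 0xff, 0x7f, 0x00, 0xc3, 0x90 };
    static const char *ansi[] = { "Server=SQLSRV01", "UID=lnss_reports", "PWD=Rep0rts!2005" };
    static const char *wide[] = { "CORP\\lnss-scan", "Sc4n-D0main-Adm1n" };
    size_t pos = 0;
    for (size_t i = 0; i < 3; i++) {
        pos = put(buf, cap, pos, noise, sizeof noise);
        pos = put(buf, cap, pos, ansi[i], strlen(ansi[i]) + 1);   /* NUL-terminated ANSI */
    }
    for (size_t i = 0; i < 2; i++) {
        pos = put(buf, cap, pos, noise, sizeof noise);
        for (const char *p = wide[i]; ; p++) {   /* widen to UTF-16LE, terminator included */
            unsigned char cu[2] = { (unsigned char)*p, 0x00 };
            pos = put(buf, cap, pos, cu, 2);
            if (*p == '\0') break;
        }
    }
    return put(buf, cap, pos, noise, sizeof noise);
}

int main(void)
{
    unsigned char img[512]; string_hit hits[16];
    size_t len = build_sample_image(img, sizeof img);
    for (int wide = 0; wide <= 1; wide++) {
        size_t n = extract_strings(img, len, wide, 6, hits, 16);
        for (size_t k = 0; k < n; k++)
            printf("%-5s @0x%04zx  %s\n", wide ? "utf16" : "ansi", hits[k].offset, hits[k].text);
    }
    return 0;
}
```

Run against a real dump, the interesting part is the filtering rather than the extraction: a minimum length of 6 already drops most code fragments, and grepping the hits for "\\", "PWD=" or the machine's own domain name usually lands on the logon within seconds. find_text() is the quick check an administrator can do before deploying: dump lnss.exe while a job runs and ask whether the password just typed into "Alternative Credentials" is in it.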

Vendor Response:

The vendor has been notified of this weakness and has confirmed it, but as of this writing
they have not provided any patch or workaround for it.

Workaround :

GFI should fix their code ASAP and use encryption. Until then:

* Do NOT run the LNSS process under a low-privileged account (GFI's default is to run it as SYSTEM; keep it that way).
* Do NOT save your password (at least not the domain account used for scanning) in the application.
* Try NOT to use "Alternative Credentials" mode while using LNSS.
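On the developer side of "fix their code and use encryption", an added example written for this page, not GFI's code. Encrypting the saved credential (DPAPI on Windows) protects the copy on disk; what the memory dump exposes is the copy the scanner holds in the clear while it works. The usual mitigation for that copy is to materialise the secret only for the call that needs it and wipe it afterwards. The block contrasts the vulnerable pattern with the wiped one in portable C against a static arena that stands in for the process heap (an assumption made so the "memory" can be inspected afterwards without undefined behaviour), with a volatile-pointer wipe in place of Windows' SecureZeroMemory(); the logon values are made up.

```c
#include <stdio.h>
#include <string.h>

/* Simulated slice of the scanner's address space. A real process keeps the
   credential in a CString or heap block; a static arena lets the example
   look at "memory" after each call without undefined behaviour. */
#define ARENA_SIZE 256
#define PASS_OFF   64
static unsigned char arena[ARENA_SIZE];

/* A memset() on a buffer that is never read again may legally be optimised
   away; writing through a volatile pointer is the portable equivalent of
   SecureZeroMemory() and keeps the wipe in the binary. */
static void secure_wipe(void *p, size_t n)
{
    volatile unsigned char *v = (volatile unsigned char *)p;
    while (n--) *v++ = 0;
}

/* Stand-in for the moment the scanner actually needs the password, e.g. when
   it authenticates to a remote host. Returns the number of bytes it "sent". */
static size_t authenticate(const char *user, const char *password)
{
    return strlen(user) + strlen(password);
}

/* Vulnerable pattern: the saved credential is copied into long-lived storage
   and simply left there for the lifetime of the process, which is what a
   dump of lnss.exe shows. */
size_t scan_keeping_secret(const char *user, const char *password)
{
    snprintf((char *)arena, PASS_OFF, "%s", user);
    snprintf((char *)arena + PASS_OFF, ARENA_SIZE - PASS_OFF, "%s", password);
    return authenticate((char *)arena, (char *)arena + PASS_OFF);
}

/* Hardened pattern: the secret is present only for the call that needs it,
   then wiped, so a dump taken between jobs no longer contains it. */
size_t scan_wiping_secret(const char *user, const char *password)
{
    snprintf((char *)arena, PASS_OFF, "%s", user);
    snprintf((char *)arena + PASS_OFF, ARENA_SIZE - PASS_OFF, "%s", password);
    size_t sent = authenticate((char *)arena, (char *)arena + PASS_OFF);
    secure_wipe(arena + PASS_OFF, ARENA_SIZE - PASS_OFF);
    return sent;
}

/* What an attacker's memory dumper would see: is the password in the arena? */
int secret_visible(const char *password)
{
    size_t n = strlen(password);
    for (size_t i = 0; i + n <= ARENA_SIZE; i++)
        if (memcmp(arena + i, password, n) == 0) return 1;
    return 0;
}
```

The caveat a reader should keep in mind: during the authentication itself the password is unavoidably in the clear in memory, so wiping narrows the window rather than closing it, and a dump taken at the right moment still wins. That is why the administrator-side workarounds above stand even after the code is fixed. A real scanner would also have to apply the wipe to every copy, including the ones its GUI framework and string classes make behind the scenes.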

Credits:
This vulnerability was discovered by Seyed Hamid Kashfi (hamid@hat-squad.com)

The original advisory could be found at: http://www.hat-squad.com/en/000160.html