Crash Dumps and Password Exposure

Sending process crash dumps can lead to the exposure of passwords and other sensitive information especially if they were saved before a process was trying to send entered user data over a secure protocol. Here’s an incident that happened to me this morning. I was trying to login to an online banking system to check my balances and when I entered my user id and password in IE and clicked Continue button the system experienced a small delay and then a WER dialog box appeared asking me to either check online for a solution, debug or close the program. I chose Close the program and a full process memory dump was saved because I have already set up LocalDumps on my old Vista system (the problem was also reproducible).

I opened the crash dump and found that it was a heap corruption:

0:004> kL 100
ChildEBP RetAddr 
02c9cb18 77815620 ntdll!KiFastSystemCallRet
02c9cb1c 77843c62 ntdll!NtWaitForSingleObject+0xc
02c9cba0 77843d4b ntdll!RtlReportExceptionEx+0x14b
02c9cbe0 7785fa87 ntdll!RtlReportException+0x3c
02c9cbf4 7785fb0d ntdll!RtlpTerminateFailureFilter+0x14
02c9cc00 777b9bdc ntdll!RtlReportCriticalFailure+0x6b
02c9cc14 777b4067 ntdll!_EH4_CallFilterFunc+0x12
02c9cc3c 77815f79 ntdll!_except_handler4+0x8e
02c9cc60 77815f4b ntdll!ExecuteHandler2+0x26
02c9cd10 77815dd7 ntdll!ExecuteHandler+0x24
02c9cd10 7785faf8 ntdll!KiUserExceptionDispatcher+0xf
02c9d084 77860704 ntdll!RtlReportCriticalFailure+0x5b
02c9d094 778607f2 ntdll!RtlpReportHeapFailure+0×21
02c9d0c8 7782b1a5 ntdll!RtlpLogHeapFailure+0xa1
02c9d110 7781730a ntdll!RtlpCoalesceFreeBlocks+0×4b9
02c9d208 77817545 ntdll!RtlpFreeHeap+0×1e2
02c9d224 76277e4b ntdll!RtlFreeHeap+0×14e
02c9d26c 760f7277 kernel32!GlobalFree+0×47

02c9d280 76594a1f ole32!ReleaseStgMedium+0×124
02c9d294 765f7feb urlmon!ReleaseBindInfo+0×4c
02c9d2a4 765b9a87 urlmon!CINet::ReleaseCNetObjects+0×3d
02c9d2bc 765b93f0 urlmon!CINetHttp::OnWininetRequestHandleClosing+0×60
02c9d2d0 77582078 urlmon!CINet::CINetCallback+0×2de
02c9d418 77588f5d wininet!InternetIndicateStatus+0xfc
02c9d448 7758937a wininet!HANDLE_OBJECT::~HANDLE_OBJECT+0xc9
02c9d464 7758916b wininet!INTERNET_CONNECT_HANDLE_OBJECT::~INTERNET_CONNECT_HANDLE_OBJECT+0×209
02c9d470 77588d5e wininet!HTTP_REQUEST_HANDLE_OBJECT::`vector deleting destructor’+0xd
02c9d480 77584e72 wininet!HANDLE_OBJECT::Dereference+0×22
02c9d48c 77589419 wininet!DereferenceObject+0×21
02c9d4b4 77589114 wininet!_InternetCloseHandle+0×9d
02c9d4d4 0004aaaf wininet!InternetCloseHandle+0×11e
WARNING: Frame IP not in any known module. Following frames may be wrong.
02c9d4e0 765a5d25 0×4aaaf
02c9d4fc 765a5c1b urlmon!CINet::TerminateRequest+0×82
02c9d50c 765a5a3c urlmon!CINet::MyTerminate+0×7b
02c9d51c 765a5998 urlmon!CINetProtImpl::Terminate+0×13
02c9d538 765a5b92 urlmon!CINetEmbdFilter::Terminate+0×17
02c9d548 765b9bc1 urlmon!CINet::Terminate+0×23
02c9d55c 765979f2 urlmon!CINetHttp::Terminate+0×48
02c9d574 7659766b urlmon!COInetProt::Terminate+0×1d
02c9d598 765979c0 urlmon!CTransaction::Terminate+0×12d
02c9d5b8 76597a2d urlmon!CBinding::ReportResult+0×92
02c9d5d0 76596609 urlmon!COInetProt::ReportResult+0×1a
02c9d5f8 76596322 urlmon!CTransaction::DispatchReport+0×1d9
02c9d624 7659653e urlmon!CTransaction::DispatchPacket+0×31
02c9d644 765a504b urlmon!CTransaction::OnINetCallback+0×92
02c9d65c 7741fd72 urlmon!TransactionWndProc+0×28
02c9d688 7741fe4a user32!InternalCallWinProc+0×23
02c9d700 7742018d user32!UserCallWinProcCheckWow+0×14b
02c9d764 7742022b user32!DispatchMessageWorker+0×322
02c9d774 7094c1d5 user32!DispatchMessageW+0xf
02c9f87c 708f337e ieframe!CTabWindow::_TabWindowThreadProc+0×54c
02c9f934 7647426d ieframe!LCIETab_ThreadProc+0×2c1
02c9f944 7627d0e9 iertutil!CIsoScope::RegisterThread+0xab
02c9f950 777f19bb kernel32!BaseThreadInitThunk+0xe
02c9f990 777f198e ntdll!__RtlUserThreadStart+0×23
02c9f9a8 00000000 ntdll!_RtlUserThreadStart+0×1b

So I quicky enable full page heap for iexpolore.exe and tried to login again. The crash happened after the same GUI sequence and the new dump was saved again with the following stack trace:

0:004> kL 100
ChildEBP RetAddr 
04c590cc 77815610 ntdll!KiFastSystemCallRet
04c590d0 7627a5d7 ntdll!NtWaitForMultipleObjects+0xc
04c5916c 7627a6f0 kernel32!WaitForMultipleObjectsEx+0x11d
04c59188 762ee2a5 kernel32!WaitForMultipleObjects+0x18
04c591f4 762ee4d1 kernel32!WerpReportFaultInternal+0x16d
04c59208 762cff4d kernel32!WerpReportFault+0x70
04c59294 77827fc1 kernel32!UnhandledExceptionFilter+0x1b5
04c5929c 777b9bdc ntdll!__RtlUserThreadStart+0x6f
04c592b0 777b4067 ntdll!_EH4_CallFilterFunc+0x12
04c592d8 77815f79 ntdll!_except_handler4+0x8e
04c592fc 77815f4b ntdll!ExecuteHandler2+0x26
04c593ac 77815dd7 ntdll!ExecuteHandler+0x24
04c593ac 0004a058 ntdll!KiUserExceptionDispatcher+0xf
WARNING: Frame IP not in any known module. Following frames may be wrong.
04c596b4 0004a12e 0x4a058
04c596d4 765bb7b1 0×4a12e
04c59714 765bb32b urlmon!CINetHttp::INetAsyncSendRequest+0×347
04c59f34 765bb4c8 urlmon!CINetHttp::INetAsyncOpenRequest+0×2cf
04c59f48 765bac97 urlmon!CINet::INetAsyncConnect+0×24b
04c59f60 765a6af9 urlmon!CINet::INetAsyncOpen+0×11b
04c59f70 765a6aaa urlmon!CINet::INetAsyncStart+0×1a
04c59f8c 765a693f urlmon!CINet::StartCommon+0×198
04c59fa8 765a6b5e urlmon!CINet::StartEx+0×1c
04c59fdc 76598e84 urlmon!COInetProt::StartEx+0xc2
04c5a02c 76599411 urlmon!CTransaction::StartEx+0×3e1
04c5a0b4 76599022 urlmon!CBinding::StartBinding+0×602
04c5a0f8 76599fc0 urlmon!CUrlMon::StartBinding+0×169
04c5a120 6ca4eac6 urlmon!CUrlMon::BindToStorage+0×90
04c5a14c 6ca4e9cb mshtml!CStreamProxy::Bind+0xce
04c5a3ec 6ca4b277 mshtml!CDwnBindData::Bind+0×74b
04c5a414 6ca4b118 mshtml!NewDwnBindData+0×15f
04c5a464 6c9cf0aa mshtml!CDwnLoad::Init+0×121
04c5a4b8 6ca4aa61 mshtml!CHtmLoad::Init+0×1fe
04c5a4dc 6ca4a967 mshtml!CDwnInfo::SetLoad+0×119
04c5a4fc 6c9ce021 mshtml!CDwnCtx::SetLoad+0×7a
04c5a514 6c9cec7b mshtml!CHtmCtx::SetLoad+0×13
04c5a534 6c9c25c9 mshtml!CMarkup::Load+0×167
04c5a738 6cb6f395 mshtml!CMarkup::LoadFromInfo+0xb5a
04c5a910 6cb6f532 mshtml!CDoc::DoNavigate+0×1508
04c5aa30 6cde557e mshtml!CDoc::FollowHyperlink2+0xda7
04c5aaf8 6cde5170 mshtml!CFormElement::DoSubmit+0×405
04c5ab0c 6ca01bc5 mshtml!CFormElement::submit+0×11
04c5ab28 6ca8adc3 mshtml!Method_void_void+0×75
04c5ab9c 6ca96e11 mshtml!CBase::ContextInvokeEx+0×5d1
04c5abec 6cb89057 mshtml!CElement::ContextInvokeEx+0×9d
04c5ac28 6ca8a7c1 mshtml!CFormElement::VersionedInvokeEx+0xf0
04c5ac78 6d1f392a mshtml!PlainInvokeEx+0xea
04c5acb8 6d1f3876 jscript!IDispatchExInvokeEx2+0xf8
04c5acf4 6d1f4db6 jscript!IDispatchExInvokeEx+0×6a
04c5adb4 6d1f4d10 jscript!InvokeDispatchEx+0×98
04c5ade8 6d1f2bfd jscript!VAR::InvokeByName+0×135
04c5ae34 6d1f40c5 jscript!VAR::InvokeDispName+0×7a
04c5ae64 6d1f4e23 jscript!VAR::InvokeByDispID+0xce
04c5b000 6d1f123b jscript!CScriptRuntime::Run+0×2abe
04c5b0e8 6d1f1175 jscript!ScrFncObj::CallWithFrameOnStack+0xff
04c5b134 6d1f493c jscript!ScrFncObj::Call+0×8f
04c5b1b8 6d1f2755 jscript!NameTbl::InvokeInternal+0×137
04c5b1ec 6d1f2fa4 jscript!VAR::InvokeByDispID+0×17c
04c5b388 6d1f123b jscript!CScriptRuntime::Run+0×29e0
04c5b470 6d1f1175 jscript!ScrFncObj::CallWithFrameOnStack+0xff
04c5b4bc 6d1f0fa3 jscript!ScrFncObj::Call+0×8f
04c5b538 6d1d3ea3 jscript!CSession::Execute+0×175
04c5b584 6d1d552f jscript!COleScript::ExecutePendingScripts+0×1c0
04c5b5e8 6d1d5345 jscript!COleScript::ParseScriptTextCore+0×29a
04c5b610 6c9ca304 jscript!COleScript::ParseScriptText+0×30
04c5b668 6cb954c2 mshtml!CScriptCollection::ParseScriptText+0×219
04c5d700 6cb7a568 mshtml!CWindow::ExecuteScriptUri+0×19f
04c5d748 6cb95810 mshtml!CWindow::NavigateEx+0×5a
04c5d7b4 6cb956b5 mshtml!CDoc::ExecuteScriptUri+0×262
04c5d7f0 6cc66b68 mshtml!CDoc::ExecuteScriptURL+0×4e
04c5d844 6cad41a7 mshtml!CHyperlink::ClickAction+0×269
04c5d854 6cad416e mshtml!CAnchorElement::ClickAction+0×10
04c5d888 6cb296c5 mshtml!CElement::DoClick+0×155
04c5d8b8 6cad01ff mshtml!CAnchorElement::DoClick+0×6d
04c5d954 6cbae941 mshtml!CDoc::PumpMessage+0xf63
04c5dacc 6cad4408 mshtml!CDoc::OnMouseMessage+0×55d
04c5dbf8 6caa9241 mshtml!CDoc::OnWindowMessage+0×9d9
04c5dc24 7741fd72 mshtml!CServer::WndProc+0×78
04c5dc50 7741fe4a user32!InternalCallWinProc+0×23
04c5dcc8 7742018d user32!UserCallWinProcCheckWow+0×14b
04c5dd2c 7742022b user32!DispatchMessageWorker+0×322
04c5dd3c 7094c1d5 user32!DispatchMessageW+0xf
04c5fe44 708f337e ieframe!CTabWindow::_TabWindowThreadProc+0×54c
04c5fefc 7647426d ieframe!LCIETab_ThreadProc+0×2c1
04c5ff0c 7627d0e9 iertutil!CIsoScope::RegisterThread+0xab
04c5ff18 777f19bb kernel32!BaseThreadInitThunk+0xe
04c5ff58 777f198e ntdll!__RtlUserThreadStart+0×23
04c5ff70 00000000 ntdll!_RtlUserThreadStart+0×1b

We see that IE was trying to send an HTTP request:

 0:004> ub 765bb7b1
urlmon!CINetHttp::INetAsyncSendRequest+0x31f:
765bb799 8bce            mov     ecx,esi
765bb79b e8ef000000      call    urlmon!CINetHttp::SetOptionUserAgent (765bb88f)
765bb7a0 ff75f0          push    dword ptr [ebp-10h]
765bb7a3 ff75ec          push    dword ptr [ebp-14h]
765bb7a6 53              push    ebx
765bb7a7 53              push    ebx
765bb7a8 ff767c          push    dword ptr [esi+7Ch]
765bb7ab ff1544a06576    call    dword ptr [urlmon!_imp__HttpSendRequestW (7665a044)]

From MSDN we get the following function prototype:

BOOL HttpSendRequest(
  __in  HINTERNET hRequest,
  __in  LPCTSTR lpszHeaders,
  __in  DWORD dwHeadersLength,
  __in  LPVOID lpOptional,
  __in  DWORD dwOptionalLength
);

So we check raw stack for parameters:

0:004> dps 04c596d4
04c596d4  04c59714
04c596d8  765bb7b1 urlmon!CINetHttp::INetAsyncSendRequest+0x347
04c596dc  00cc000c ; hRequest
04c596e0  1122cd58 ; lpszHeaders
04c596e4  ffffffff ; dwHeadersLength (-1)
04c596e8  11152e88 ; lpOptional
04c596ec  00000179 ; dwOptionalLength

04c596f0  00000001
04c596f4  77583302 wininet!InternetSetOptionA
04c596f8  110f6d68
04c596fc  0000000b
04c59700  11152e88
04c59704  00000178
04c59708  00000000
04c5970c  11230fe8
04c59710  00000000
04c59714  04c59f34
04c59718  765bb32b urlmon!CINetHttp::INetAsyncOpenRequest+0×2cf
04c5971c  00cc0008
04c59720  110f6d68
04c59724  00000000
04c59728  112d2fe8
04c5972c  112d4fe8
04c59730  112d6fe0

lpszHeaders points to this string:

0:004> du 1122cd58
1122cd58  "Referer: https://www.[...XXX...].ie/o"
1122cd98  "nline/login.aspx..Accept-Languag"
1122cdd8  "e: en-ie..User-Agent: Mozilla/4."
1122ce18  "0 (compatible; MSIE 8.0; Windows"
1122ce58  " NT 6.0; Trident/4.0; MathPlayer"
1122ce98  " 2.10d; SLCC1; .NET CLR 2.0.5072"
1122ced8  "7; Media Center PC 5.0; .NET CLR"
1122cf18  " 3.5.30729; .NET CLR 3.0.30729)."
1122cf58  ".Content-Type: application/x-www"
1122cf98  "-form-urlencoded..Accept-Encodin"
1122cfd8  "g: gzip, deflate"

But lpOptional points to a string that contains the login id and password:

0:004> da 11152e88
11152e88  "__EVENTTARGET=lbtnContinue&__EVE"
11152ea8  "NTARGUMENT=&__VIEWSTATE=%2FwEPDw"
[...]
11152fc8  "u7j7pXFuOFg1%2B&txtLogin=0123456
11152fe8  “789&txtPassword=password???????”

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

One Response to “Crash Dumps and Password Exposure”

  1. Crash Dump Analysis » Blog Archive » Crash Dump Analysis of Defective Malware: A Case Study Says:

    […] websites. However I didn’t pay enough attention because it was a heap corruption (see my previous case study) and simply switched to another non-crashing browser vendor such as Apple Safari. Since then IE was […]

Leave a Reply

You must be logged in to post a comment.