2004-02-13, 10:23 PM | #1 |
Honorary Member
MICROSOFT.WINDOWS.2000.AND.NT4.SOURCE.CODE-SCENELEADER
Windows 2000 and NT4 source code leaked?
Posted by Matt - 02-12-04 13:22 - 4 comments

Earlier today internet and IRC sites were abuzz with the news that the source code to both Windows 2000 and Windows NT4 had leaked out onto the net. WinBeta.Org has investigated these claims and the alleged screenshot posted on Neowin and they 'appear to be real but incomplete'. This must be highly embarrassing for Microsoft, who will undoubtedly be scrambling to find the source of the leak of their highly confidential Operating Systems. Windows XP and Windows 2003 server source codes do not appear to have leaked at the moment.

For those who ascribe to theories of collusion with "No Such Agency" backdoor keys to Windows 2000, this may in fact be a positive spin for Microsoft if such a backdoor is not found. Of course, to those that claim Elvis is indeed working at a gas station in Kansas, who's to say this is in fact the retail code that Microsoft has been sharing? Maybe it's a 'sanitized' version?

Intellectual Property laws as well as public perception of one of the world's largest companies are on the line here. Microsoft's response will be indicative of just how important this code is to them, even given that it is outdated code - maybe they will use this as a corporate scare tactic to make companies upgrade to Windows XP? Ahh, a theorist's paradise indeed...

News Source: In-House

The Windows source code is 40 GB; this is only a small part of it.
http://tech.sina.com.cn/other/2004-0...47291762.shtml

Pacific Online was pretty quick with this, too:
http://www.pconline.com.cn/news/gjyj/0402/312499.html

It feels as if MS let this out on purpose.

BetaNews has learned that Thursday's leak of the Windows 2000 source code originated not from Microsoft, but from long-time Redmond partner Mainsoft. The leaked code includes 30,915 files and was apparently removed from a Linux computer used by Mainsoft for development purposes. The source code represents Windows 2000 Service Pack 1.

Clues to the source code's origin lie in a "core dump" file, which is left by the Linux operating system to record the memory a program is using when it crashes. Further investigation by BetaNews revealed the machine was likely used by Mainsoft's Director of Technology, Eyal Alaluf.

Sure enough, it was this core dump that gave away the real source of the leak.

Prior to Microsoft's Shared Source Initiative launched in 2001, Mainsoft, which calls itself "the software porting company," was one of only two partners with access to the Windows source code under Microsoft's Windows Interface Source Environment (WISE) program. The goal of WISE is to enable developers to write applications using Windows APIs and deploy them on Unix operating systems such as Linux. Mainsoft extended its WISE agreement with Microsoft in March 2000 to include access to the Windows 2000 source. Microsoft subsequently employed Mainsoft to port Windows Media Player 6.3 and Internet Explorer to Unix.

So M$'s WISE program turns out to be about letting programmers write programs against the Win API on Unix and Linux, and this Mainsoft is the company that did the trial ports of WMP and IE to Unix!

Fasten your seat belts, everyone, and stay safe.
http://www.microsoft.com/presspass/p...dowssource.asp
Flowers given (posts): 3,
2004-02-13, 10:25 PM | #2 (permalink) |
Honorary Member
Sure enough, it is Mainsoft's: the core file contains the environment variables. From now on, never hand out any crash report.
Code:
--------------------------------------------------------------------------------
LESSOPEN=|/usr/bin/lesspipe.sh %s
USERNAME=eyala
HISTSIZE=1000
HOSTNAME=voltaire
LOGNAME=eyala
INIT_VERSION=sysvinit-2.78
MAIL=/var/spool/mail/eyala
MACHTYPE=i386
TERM=xterm
HOSTTYPE=i386-linux
PATH=.:/il2/users/eyala/bin:/project/bin:/project/bin.linux:/bin:/etc:/sbin:/usr/sbin:/usr/ucb:/usr/local/bin:/usr/bin:/usr/X11R6/bin:/usr/local/bin:/u/tools/sys/bin:/usr/atria/bin
CONSOLE=/dev/console
KDEDIR=/usr
HOME=/il2/users/eyala
INPUTRC=/etc/inputrc
PREVLEVEL=N
RUNLEVEL=5
SHELL=/bin/tcsh
XAUTHORITY=/il2/users/eyala/.Xauthority
USER=eyala
GDM_LANG=en_US
AUTOBOOT=YES
VENDOR=intel
GROUP=floppy
QTDIR=/usr/lib/qt-2.1.0
BOOT_IMAGE=linux_mvfs
DISPLAY=:0.0
LANG=en_US
HOST=voltaire
OSTYPE=linux
GDMSESSION=KDE
PWD=/usr/ms/win2k_sp1/private/security/msv_sspi
SHLVL=2
LS_COLORS=no=00:fi=00:di=01;34:ln=01;36:pi=40;33:so=01;35:bd=40;33;01:cd=40;33;01:or=01;05;37;41:mi=01;05;37;41:ex=01;32:*.cmd=01;32:*.exe=01;32:*.com=01;32:*.btm=01;32:*.bat=01;32:*.sh=01;32:*.csh=01;32:*.tar=01;31:*.tgz=01;31:*.arj=01;31:*.taz=01;31:*.lzh=01;31:*.zip=01;31:*.z=01;31:*.Z=01;31:*.gz=01;31:*.bz2=01;31:*.bz=01;31:*.tz=01;31:*.rpm=01;31:*.cpio=01;31:*.jpg=01;35:*.gif=01;35:*.bmp=01;35:*.xbm=01;35:*.xpm=01;35:*.png=01;35:*.tif=01;35:
WINDOWID=50331657
lib_path_name=LD_LIBRARY_PATH
MWOS=linux
MWARCH=i86
MWARCH_OS=i86_linux
LD_LIBRARY_PATH=/usr/lib
MANPATH=/usr/man:/usr/local/man:/usr/share/man
DOMAIN=mainsoft.com
MAILCAPS=.mailcap:/usr/local/etc/mailcap
NNTPSERVER=cia
PAGER=less
REPLYTO=eyala@mainsoft.com
ORGANIZATION=Mainsoft Co. Ltd.
MWBATCH_SERVER=lod:8000
MSOFTLM_HOST=@xor
MAINSOFTLM_HOST=@xor
CC=gcc
CCPP=g++
previous_tty=pts/2
XHOME=/usr/X11R6/bin
XAPPLRESDIR=/il2/users/eyala/app-defaults
EDITOR=vi
BASE_LIBPATH=/usr/lib
BASE_PATH=.:/il2/users/eyala/bin:/project/bin:/project/bin.linux:/bin:/etc:/sbin:/usr/sbin:/usr/ucb:/usr/local/bin:/usr/bin:/usr/X11R6/bin:/usr/local/bin:/u/tools/sys/bin:/usr/atria/bin
all_variables=USERNAME XAUTHORITY MWARCH_OS lib_path_name LOGNAME OSTYPE WINDOWID INPUTRC CCPP MWOS SHLVL HOME LESSOPEN PWD REPLYTO LD_LIBRARY_PATH LS_COLORS CONSOLE KDEDIR DISPLAY MAINSOFTLM_HOST NNTPSERVER GDM_LANG MACHTYPE MWBATCH_SERVER GDMSESSION BASE_LIBPATH HOST HOSTNAME HOSTTYPE XHOME MWARCH LANG MAIL QTDIR CC BASE_PATH EDITOR MANPATH MAILCAPS PATH RUNLEVEL AUTOBOOT GROUP XAPPLRESDIR VENDOR PAGER HISTSIZE ORGANIZATION PREVLEVEL BOOT_IMAGE DOMAIN SHELL TERM INIT_VERSION previous_tty MSOFTLM_HOST USER DISPLAY CLEARCASE_ROOT __________HOME
cleanup_included=1
--------------------------------------------------------------------------------

Microsoft Investigates Possible Leak of Windows Source
By Nate Mook and David Worthington, BetaNews
February 12th, 2004, 7:35 PM

BREAKING NEWS Microsoft is currently investigating a potential severe security breach that has possibly let loose onto the Internet source code for its Windows 2000 operating system.

Portions of the code viewed by BetaNews contain a mix of library files, executables, text documents, scripts, and un-compiled code. In addition, rumors have begun to circulate claiming that the source code to Windows NT4 has also gone astray. If the leak is in fact deemed legit, it is unknown how much of the source has been compromised, and just how damaging its disclosure will be for Microsoft.

The claimed Windows 2000 source code archive contains 30,915 files written with 13.5 million lines of code. The source is dated July 25, 2000, placing it after the official release of the operating system, which was rumored to contain between 35 and 50 million lines of code in its entirety. Early references to "Whistler" -- the code-name for Windows XP -- can be found in the files, which is consistent with the post-Windows 2000 time frame.

A Microsoft spokesperson told BetaNews that the company was looking into this as a matter of due diligence. "At this time, all we have to say is the rumor regarding the availability of Windows source code is based on the speculation of an individual who saw a small section of un-identified code and thought it looked like Windows code," the spokesperson said. "If a small section of Windows source code were to be available, it would be a matter of intellectual property rights rather than security."

Sources indicate the leak is valid, but incomplete. Comments -- which are added to track changes to source code during development -- refer to specific bugs, Microsoft employees, and even organizational charts. Product code names abound, with references to Daytona, Cairo, and Memphis, as well as beta timetables.

The archive contains graphics files for Windows 2000 and Internet Explorer 5.0 included in resource files, according to sources. Comments such as, "potentially off-by-1, but who cares..." are buried within code for the Windows Taskbar. Sources tell BetaNews there is no reference that calls Netscape developers "Weenies," as was alleged in court documents. Other comments range from mundane technical jargon to all out profanity.

This is not the first time Microsoft has experienced a code leak. Incomplete source to Microsoft's DOS version 6.22 surfaced years ago, but received little attention due to its obsolescence.

Senior Jupiter Research analyst Joe Wilcox told BetaNews he was surprised by the news. "I find it hard to believe that source code would leak. After all, companies put source code under lock and key, typically with no outside access available. That said, a substantial leak would be devastating for Microsoft."

"A source code leak would present multiple problems for Microsoft," explained Wilcox. "First, the loss of valuable intellectual property worth hundreds of millions in development cost. Second, hackers could look for and exploit new security vulnerabilities. That could create credibility loss for Microsoft, as some businesses question the security of Windows. Finally, Windows NT and 2000 are the foundation of Windows."

Eric Steil contributed to this report.
--------------------------------------------------------------------

Microsoft has not yet issued any statement about this.

This is not the first time that people have reported leaked copies of Windows source code. In 2000, Wired News reported that the source code for Whistler (now Windows XP) had been leaked, though they never confirmed it.
http://www.wired.com/news/business/0,1367,35135,00.html

WinBeta is also reporting on the new leak
http://www.winbeta.org/winbeta/forum...t=0&#entry9449

0-day exploits being used on Microsoft's network, foul play by privileged partners or a hoax? Let's see what Microsoft reports.

Regards
Thor Larholm
Senior Security Researcher
PivX Solutions
24 Corporate Plaza #180
Newport Beach, CA 92660
http://www.pivx.com
thor@pivx.com
Phone: +1 (949) 231-8496
PGP: 0x5A276569
6BB1 B77F CB62 0D3D 5A82 C65D E1A4 157C 5A27 6569

PivX defines "Proactive Threat Mitigation". Get a FREE Beta Version of Qwik-Fix <http://www.qwik-fix.net>

-----Original Message-----
From: Gadi Evron [mailto:ge@egotistical.reprehensible.net]
Sent: Thursday, February 12, 2004 1:49 PM
To: bugtraq@securityfocus.com
Cc: full-disclosure@lists.netsys.com; Thor Larholm
Subject: W2K source "leaked"?

A couple of days ago a friend of mine drew my attention to the source making rounds on the encrypted p2p networks, I was hoping it would take a bit longer for it to be "out", but that was just day-dreaming.

Thor Larholm just gave me this URL, as you can notice, the server is busy:
http://www.neowin.net/comments.php?id=17509

I never believed in 0-days. "New" or more to the point un-known-to-the-public exploits and vulnerabilities exist and are being used. In my opinion "0-days" virtually don't exist. It's usually either some vulnerability that is long known and a COP or a worm is created. Or exploits that will nearly never see the "public" but exist and are used by few individuals.. but now... I don't know.

How often does a brand new exploit come out without prior warning and "attack" the net?

*If* this really is the.. _real_ source code for W2K (and according to the article NT4 as well).... we'll see what happens next.

People didn't need help finding vulnerabilities in Windows before, but it just became a whole lot easier and a lot less demanding on the "m4d #4x0r 5k111z".

I can't really say that the article is right and the source was "leaked" or "stolen". The source is being sold/given (?) for years now to EDU's and commercial companies for research purposes (not to mention China..). I suppose foul play is always possible.

Can anyone confirm this is the real source code? How about a press release?

Gadi Evron
Flowers given (posts): 3,
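The post above points out that the core file carried the process environment. As an added example (not part of the original thread), this Python sketch lists the NAME=value strings in a memory image before it is shared and blanks out the identifying ones; the sample bytes, the list of variable names and the function names are constructed for illustration.

```python
import re

# Environment entries live in process memory as NUL-terminated "NAME=value"
# strings; require a NUL (or start of data) before the name to avoid matching
# the tail of some other string.
ENV_ENTRY = re.compile(rb"(?<![^\x00])([A-Za-z_][A-Za-z0-9_]*)=([\x20-\x7e]*)\x00")

# Assumed list of variable names that tend to identify a person, host or site.
IDENTIFYING = {"USER", "USERNAME", "LOGNAME", "HOME", "MAIL", "REPLYTO",
               "HOSTNAME", "HOST", "DOMAIN", "ORGANIZATION", "PWD"}


def env_entries(blob: bytes) -> dict:
    """Return every NAME=value string found in a raw memory image."""
    found = {}
    for name, value in ENV_ENTRY.findall(blob):
        found.setdefault(name.decode("ascii"), value.decode("ascii"))
    return found


def identifying_entries(blob: bytes) -> dict:
    """Subset of env_entries() whose names are on the IDENTIFYING list."""
    return {k: v for k, v in env_entries(blob).items() if k in IDENTIFYING}


def redact(blob: bytes) -> bytes:
    """Overwrite identifying values with 'X'; offsets and length are unchanged."""
    out = bytearray(blob)
    for match in ENV_ENTRY.finditer(blob):
        if match.group(1).decode("ascii") in IDENTIFYING:
            start, end = match.span(2)
            out[start:end] = b"X" * (end - start)
    return bytes(out)


# Constructed sample standing in for a core file: header bytes, an argv string,
# an environment block, then unrelated binary data.
SAMPLE_CORE = (
    b"\x7fELF\x01\x01\x01\x00" + bytes(16) + b"./a.out\x00"
    b"USER=alice\x00HOSTNAME=buildbox\x00TERM=xterm\x00"
    b"DOMAIN=example.com\x00PWD=/src/project/private\x00"
    b"\xff\xfe\x00\x01garbage=\x80\x00"
)

if __name__ == "__main__":
    for name, value in identifying_entries(SAMPLE_CORE).items():
        print(f"identifying: {name}={value}")
    cleaned = redact(SAMPLE_CORE)
    print("remaining identifying values:", identifying_entries(cleaned))
```

Blanking the environment block does not cover copies of the same strings elsewhere in the image (heap buffers, argv, file paths), so the output is a review aid rather than proof that a dump is clean.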
2004-02-13, 10:36 PM | #3 (permalink) |
Honorary Member
There are a lot of 0-byte .eml files in it.
Nice, good stuff. It contains documentation of the IE4 architecture, so everyone can see how a real browser is written. There is also the TCP/IP protocol stack and the NTOS source; everything you would expect is there. Task Manager can be compiled directly, but the environment has to be set up properly.

I checked: header files such as nt.h are missing, so it cannot be compiled!

When compiling, some files could not be found, so I guessed that the header paths were not set correctly and privately assumed it would compile once they were. I had only tried its small applet programs!

To be exact, these three files cannot be found:
#include <nt.h>
#include <ntrtl.h>
#include <nturtl.h>

I managed to build the simplest one: Reversi. Does anyone know which version of Windows shipped with this game? A lot of functions could not be found, so I commented them all out; only the interface comes up and it cannot be played~

win2k/private/genx/shell/gnumakefile
win2k/private/genx/windows/inc/mobileq-apache.eml
win2k/private/genx/letter to children - 2.eml (*)
win2k/private/inet/mshtml/btools/bin/words of wisdom from dennis.eml
win2k/private/inet/mshtml/build/ppcmac/ship/unix.eml
win2k/private/inet/mshtml/build/ppcmac/documentation of problems in stress.eml
win2k/private/inet/urlmon/iapp/gnumakefile
win2k/private/inet/urlmon/mon/gnumakefile
win2k/private/inet/xml/xml/tokenizer/parser/gnumakefile
win2k/private/inet/xml/xml/tokenizer/dll/words of wisdom from dennis.eml
win2k/private/inet/xml/xml/dso/letter to children - 2.eml
win2k/private/inet/mshtml/gnumakefile
win2k/private/inet/mshtml/tools/mips/utils/sed.exe
win2k/private/ntos/w32/ntuser/kernel/

There are quite a few interesting file names in there.

There is even a gnumakefile. It looks like M$ really is "standing on the shoulders of giants" too.

I read a document for winsocks2.dll that says to use MKS Toolkit 4.0 or later: "The makefile uses CP and RM commands."

No wonder there are things like Makefiles in there. It seems the development platforms used inside Microsoft at the time were not all Windows.

It is not in the DDK either.

Statement from Microsoft Regarding Illegal Posting of Windows Source Code

REDMOND, Wash., Feb. 12, 2004 -- On Thursday, Microsoft became aware that portions of the Microsoft Windows 2000 and Windows NT 4.0 source code were illegally made available on the Internet. It's illegal for third parties to post Microsoft source code, and we take such activity very seriously.

We are currently investigating these postings and are working with the appropriate law-enforcement authorities.

At this point it does not appear that this is the result of any breach of Microsoft's corporate network or internal security.

At this time there is no known impact on customers. We will continue to monitor the situation.

The source includes the algorithm for NTLM, the very important Windows security user authentication!
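private\security\msv_sspi

NTLM

NT Lan Manager (NTLM) is a challenge-response protocol. Windows NT 4.0 uses NTLM to establish a secure communication channel with a remote computer. To start the protocol, the remote client sends a packet to the server. The packet contains a request to establish a secure channel. In response, the server generates a 64-bit random number and sends it back to the client (this is the challenge). The client must then send a response that includes its user name and some form of evidence that the user's identity is genuine. Because the client's password is regarded as the evidence of identity, the response takes the form of a 24-byte number computed as a function of the client's password and the challenge.

Integration of NTLM with the LSA and access tokens

When the client sends this information back to the server, the server takes the challenge/response pair and passes it to the LSA. In NTLM authentication, this function accepts the challenge/response pair as input, verifies the client's identity, and returns a key that references an executive object called an access token.

If the client's user name is a local account, the LSA verifies the client's identity by looking up the associated password and computing the response from the challenge. If the client's user name is a domain account, the LSA forwards the request to the client's domain controller, and that controller performs the verification. The key point to note is that for the client to take part in this exchange successfully, it must know the secret (the password) from which the response is formed.

The system does not prompt the client for a password each time the client connects to a remote file share, a COM server, and so on.

Saw this online; for friends who cannot squeeze onto the FTP:
203MB
http://especial.0zones.com/down/wind...ource.code.zip

Basically all of the IE 5 code is in there; let's all develop a SHare Browser together.

Release: Microsoft Windows 2000 and NT4 *Leaked* Source Code
Date: 02/12/04
Size: 42 x 5mb
Description: This is the leaked source code you've been hearing so much about brought to you by yours truly. -Duranged

Part of the Windows source code may have leaked; Microsoft begins investigating
--------------------------------------------------------------------------------
http://www.sina.com.cn February 13, 2004, 08:47 Sina Tech

Sina Tech news: Microsoft is investigating a file that has recently appeared on some websites and in chat rooms, because the file may contain some confidential Windows 2000 source code. The code in the 203MB file appears to come from Microsoft's operating system.

Security consultant Dragos Ruiu studied the file and said that the code in it is incomplete. He said: "The file appeared on a peer-to-peer network and in a chat room on February 12, and every user could see it. The file is now spreading widely."

Ruiu said the file can be expanded to 660MB, and that its final size is about that of an ordinary CD. He said the whole source code should be around 40GB, which means that if the code in the file is genuine, it is only a small part of the complete code. Ruiu believes the code in the file comes from Windows.

Microsoft said it is investigating rumors that some file traders are exchanging Windows source code.

Some security professionals expressed concern about the possible leak of Windows source code. Oliver Friedrichs, senior manager at Symantec Security Response, said: "If hackers get hold of this code, that is clearly not a good thing."

Microsoft, however, played down the security problems that could result. Microsoft said its main concern is misappropriation of the code rather than the security threats it might lead to. Microsoft said: "If a small part of the Windows source code has leaked, that is merely a matter of intellectual property infringement rather than a security issue."

Microsoft has always gone to great lengths to protect the source code of the Windows operating system, sharing it only with some universities and government agencies that have signed confidentiality agreements. Although Bill Gates has always claimed that Windows is very secure, even Microsoft itself is worried about the source code leaking. Microsoft senior vice president Jim Allchin once said that disclosing the Windows source code could have a fatal effect on the security of the operating system. He said: "Virus writers know that the more information they obtain about Windows antivirus programs, the easier it is to develop viruses that defeat those programs." (Compiled and translated by Chen Lirong)

=========== Microsoft's response to the incident: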
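-----------------------------------------------------------------------------------------------------------------------------------

Part of Microsoft's Windows source code leaked on the Internet
Associated Press

Microsoft Corp. (MSFT) said late Thursday that part of the source code of its Windows operating system had been leaked via the Internet.

Microsoft spokesman Tom Pilla told The Associated Press in an interview that part of the source code of the Windows 2000 and Windows NT4 operating systems had been made public on the Internet by illegal means.

Access to the source code could help hackers break into the operating system and launch attacks on computers running Windows.

Pilla said Microsoft learned of the source code leak on Thursday and that the company is now investigating. He did not know how much of the source code had leaked or how many people were able to read it. Microsoft could not immediately identify the source of the leak, but said it had contacted law enforcement.

Pilla said there was no indication that the leak was the result of Microsoft's corporate network being breached. He said that, as far as is currently known, no Microsoft customers have been affected.

=====================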
Flowers given (posts): 3,