Home page logo

bugtraq logo Bugtraq mailing list archives

Re: Fate Research Labs Presents: Analysis of the NTDLL.DLL Exploit
From: Dave Aitel <dave () immunitysec com>
Date: Fri, 28 Mar 2003 12:19:17 -0500

  "The NTDLL.DLL exploit was first discovered due to the compromise of a
  military web server on March 17. This was the first publicly
  use of an unpublished exploit: Bugtraq only accounts for a small
  percentage of the actual exploits and vulnerabilities that exist. This
  was the first known case where an unreleased or "zero-day" exploit was
  utilized to compromise machines before it was publicly announced."

Both contradicts itself and is not true.

  "A web site containing a continuously growing list of applications
  use ntdll.dll is provided in the appendix."

That would be, uh, ALL NT applications?

Dave Aitel
SVP Research and Engineering
Immunity, Inc.
http://www.immunitysec.com/CANVAS/ <--"Exploits that don't have to brute

On Fri, 28 Mar 2003 09:30:23 -0600
"Eric Hines" <eric.hines () fatelabs com> wrote:


I have written a 13 page analysis of NTDLL.DLL webdav exploit, which
is located at
http://www.fatelabs.com/library/fatelabs-ntdll-analysis.pdf . This
paper provides granular detail on the affected component, log traces
for log analysis, exploit output, and packet traces for those looking
to make their own signatures. The paper is based on the exploit
released by Roman Soft to Bugtraq in combination with his follow-up
RET address brute forcer. Remember, the exploit can be easily modified
to use GET, LOCK, et. al.

Our Log Analysis team will be posting the logs and full packet traces
to the log division's web site located at http://www.fatelabs.com
shortly. In addition, as updates are made to this paper and as
different methods of exploiting this buffer overflow are discovered by
our team, we will make updates to the paper located at our site.

P.S. Thanks to Roman Medina for his follow-up and response.

Eric Hines
Internet Warfare and Intelligence
Fate Research Labs

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]