-
NTDLL.DLL Exploit Code
The "WebDAV" vulnerability discussed in Microsoft Security Bulletin MS03-007 has a scope much larger than just IIS and WebDAV.
Because the true vulnerability lies in a core system DLL file (ntdll.dll) there are a number of potential ways to exploit the vulnerability and WebDAV is just one attack vector. For more information you can see the following: New Attack Vectors of MS03-007
There are rumors circulating that new exploit code is in the wild. Can anyone confirm or deny this? Does anyone know what attack vectors this new exploit code claims to exploit?
Any news or insights would be helpful.
-
Yes, right now on BugTraq you can freely download and compile 2 scripts and hammer IIS. I have both and I have had mixed results with them.
You can get the scripts here:
www.rs-labs.com
Regards.
-
Tony: The document you cite says that the patch will fix it; thus the vectors are irrelevant if you are patched.
-
SecuriTeam also has the code
I'd say it's more than just in the wild..
-
My systems are patched. One of my customers however patched only public-facing Windows 2000 servers running IIS 5.0 with WebDAV enabled. I am trying to get them to patch all Windows 2000 servers and workstations regardless of IIS to proactively protect against these potential new attack vectors.
In the meantime I had heard rumors of new exploit code using vectors other than WebDAV and figured if I can corroborate those rumors that would get my customer to understand the urgency extends beyond WebDAV.
Also, just from a curiosity standpoint I am interested to know what other vectors malicious coders will choose to exploit the ntdll.dll flaw.
Thanks for the feedback.
-
You should subscribe to the BugTraq mailing list on the Security Focus website.
www.securityfocus.com
This discussion is going on right now.
Hope this helps.
-
I do subscribe to that list (and just about every other security and SecurityFocus mailing list). I am not a coder (a dabbler and a wannabe, but not a programmer by any stretch), so a lot of the time the messages seem like gibberish to me. I try to keep reading them, though, hoping I will eventually catch on and understand what they're talking about.
The discussion I have seen thus far on SecurityFocus revolves around the WebDAV exploit still. I know that the WebDAV exploit is being openly discussed. I want to know if other attack vectors aside from WebDAV have been proven or had exploit code developed for them yet.
Maybe I am missing something on the Bugtraq list. Are they actually talking about other ways to exploit ntdll.dll aside from WebDAV and I am just not understanding??
Thanks for the heads up.
-
Yes, and on other popular lists they are discussing how soon this will be ported over to a worm. My guess is sometime within the next 2 weeks. Wanna take an over-under on that? LOL :)
-
:)
I'm going to have to go with under on this one.
-
This is some further reading on the exploit NTDLL
It's a small analysis of the exploit. I didn't see it here, so I figured I would add it.