
Thread: NTDLL.DLL Exploit Code

  1. #1
    AO Security for Non-Geeks tonybradley's Avatar
    Join Date
    Aug 2002
    Posts
    830

    NTDLL.DLL Exploit Code

    The "WebDAV" vulnerability discussed in Microsoft Security Bulletin MS03-007 has a scope much larger than just IIS and WebDAV.

    Because the true vulnerability lies in a core system DLL file (ntdll.dll) there are a number of potential ways to exploit the vulnerability and WebDAV is just one attack vector. For more information you can see the following: New Attack Vectors of MS03-007

    There are rumors circulating that new exploit code is in the wild. Can anyone confirm or deny this? Does anyone know what attack vectors this new exploit code claims to exploit?

    Any news or insights would be helpful.

  2. #2
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,885
    Yes, right now on BugTraq you can freely download and compile 2 scripts and hammer IIS. I have both and I have had mixed results with them.

    You can get the scripts here:
    www.rs-labs.com
    Regards.
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  3. #3
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Tony: The document you cite says that the patch will fix it, thus the vectors are irrelevant if you are patched.
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  4. #4
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,323
    SecuriTeam also has the code

    I'd say it's more than just in the wild..
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage

  5. #5
    AO Security for Non-Geeks tonybradley's Avatar
    Join Date
    Aug 2002
    Posts
    830
    My systems are patched. One of my customers however patched only public-facing Windows 2000 servers running IIS 5.0 with WebDAV enabled. I am trying to get them to patch all Windows 2000 servers and workstations regardless of IIS to proactively protect against these potential new attack vectors.

    In the meantime I had heard rumors of new exploit code using vectors other than WebDAV and figured if I can corroborate those rumors that would get my customer to understand the urgency extends beyond WebDAV.

    Also, just from a curiosity standpoint I am interested to know what other vectors malicious coders will choose to exploit the ntdll.dll flaw.

    Thanks for the feedback.

  6. #6
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,885
    You should subscribe to the BugTraq mailing list on the Security Focus website.

    www.securityfocus.com

    This discussion is going on right now.

    Hope this helps.

  7. #7
    AO Security for Non-Geeks tonybradley's Avatar
    Join Date
    Aug 2002
    Posts
    830
    I do subscribe to that list (and just about every other security and SecurityFocus mailing list). I am not a coder (a dabbler and a wannabe, but not a programmer by any stretch) so a lot of the time the messages seem like gibberish to me. I try to keep reading them though, hoping I will eventually catch on and understand what they're talking about.

    The discussion I have seen thus far on SecurityFocus revolves around the WebDAV exploit still. I know that the WebDAV exploit is being openly discussed. I want to know if other attack vectors aside from WebDAV have been proven or had exploit code developed for them yet.

    Maybe I am missing something on the Bugtraq list. Are they actually talking about other ways to exploit ntdll.dll aside from WebDAV and I am just not understanding??

    Thanks for the heads up.


  8. #8
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,885
    Yes, and on other popular lists they are discussing how soon this will be ported over to a worm. My guess is sometime within the next 2 weeks. Wanna take an over-under on that? LOL

  9. #9
    AO Security for Non-Geeks tonybradley's Avatar
    Join Date
    Aug 2002
    Posts
    830

    Cool



    I'm going to have to go with under on this one.

  10. #10
    This is some further reading on the exploit NTDLL

    It's a small analysis of the exploit. I didn't see it here so I figured I would add it.
