Bugtraq mailing list archives

Re: Fate Research Labs Presents: Analysis of the NTDLL.DLL Exploit


From: Dave Aitel <dave () immunitysec com>
Date: Fri, 28 Mar 2003 12:19:17 -0500

  "The NTDLL.DLL exploit was first discovered due to the compromise of a
  military web server on March 17. This was the first publicly documented
  use of an unpublished exploit: Bugtraq only accounts for a small
  percentage of the actual exploits and vulnerabilities that exist. This
  was the first known case where an unreleased or "zero-day" exploit was
  utilized to compromise machines before it was publicly announced."

Both contradicts itself and is not true.

  "A web site containing a continuously growing list of applications that
  use ntdll.dll is provided in the appendix."

That would be, uh, ALL NT applications?

Dave Aitel
SVP Research and Engineering
Immunity, Inc.
http://www.immunitysec.com/CANVAS/ <--"Exploits that don't have to brute force."


On Fri, 28 Mar 2003 09:30:23 -0600
"Eric Hines" <eric.hines () fatelabs com> wrote:

Lists:

I have written a 13-page analysis of the NTDLL.DLL WebDAV exploit, which
is located at
http://www.fatelabs.com/library/fatelabs-ntdll-analysis.pdf . This
paper provides granular detail on the affected component, log traces
for log analysis, exploit output, and packet traces for those looking
to make their own signatures. The paper is based on the exploit
released by Roman Soft to Bugtraq in combination with his follow-up
RET address brute forcer. Remember, the exploit can be easily modified
to use GET, LOCK, et al.

Our Log Analysis team will be posting the logs and full packet traces
to the log division's web site located at http://www.fatelabs.com
shortly. In addition, as updates are made to this paper and as
different methods of exploiting this buffer overflow are discovered by
our team, we will make updates to the paper located at our site.

P.S. Thanks to Roman Medina for his follow-up and response.


Eric Hines
Internet Warfare and Intelligence
Fate Research Labs
http://www.fatelabs.com
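The post above points out that the exploit is not tied to one HTTP verb, so a signature keyed on SEARCH or PROPFIND alone will miss a variant sent with GET or LOCK. The following log scanner is an added illustration written for this archive page; it is not code from the Fate Labs paper or from the exploit. It assumes a W3C-style IIS log layout (date, time, client IP, method, URI stem, status), assumes that the ntdll.dll overflow is triggered by an overlong request path (an assumption stated here, not taken from the thread), and uses a constructed length threshold and constructed sample lines.

```python
"""Flag overlong request URIs in IIS-style W3C log lines, whatever the verb.

Added example for this thread, not material from the paper it discusses.
Assumptions (not from the thread): W3C extended log layout
  date time c-ip cs-method cs-uri-stem sc-status
and that the overflow is reached through an abnormally long request path.
"""
import re
from dataclasses import dataclass

# Assumed, constructed threshold: ordinary paths are tens to hundreds of
# bytes long, so anything in the thousands deserves a look.
URI_LEN_THRESHOLD = 4096

# Verbs commonly seen in WebDAV traffic. The check below deliberately does
# NOT restrict itself to these, because the exploit can be re-targeted to
# GET, LOCK and other methods.
WEBDAV_METHODS = {"SEARCH", "PROPFIND", "PROPPATCH", "LOCK", "UNLOCK",
                  "MKCOL", "COPY", "MOVE"}

# One record per line; the URI stem is taken as a single non-space token.
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\d{3})$")


@dataclass
class Hit:
    client: str
    method: str
    uri_len: int
    webdav: bool   # True when the verb is a WebDAV method, for triage only


def parse_line(line):
    """Return a dict for a well-formed log line, or None for anything else."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    _date, _time, client, method, uri, status = m.groups()
    return {"client": client, "method": method, "uri": uri,
            "status": int(status)}


def scan(lines, threshold=URI_LEN_THRESHOLD):
    """Return a Hit for every parseable line whose URI stem is overlong."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue            # malformed lines are skipped, not fatal
        if len(rec["uri"]) >= threshold:
            hits.append(Hit(rec["client"], rec["method"], len(rec["uri"]),
                            rec["method"] in WEBDAV_METHODS))
    return hits


# Constructed sample log lines (not real traffic from any server).
SAMPLE_LOG = [
    "2003-03-28 12:00:01 192.0.2.10 GET /index.htm 200",
    "2003-03-28 12:00:02 192.0.2.11 SEARCH /" + "A" * 5000 + " 500",
    "2003-03-28 12:00:03 192.0.2.12 GET /" + "A" * 5000 + " 500",
    "2003-03-28 12:00:04 192.0.2.13 PROPFIND /docs/ 207",
    "this line is not a log record",
]

if __name__ == "__main__":
    for h in scan(SAMPLE_LOG):
        tag = "webdav" if h.webdav else "non-webdav"
        print(f"{h.client} {h.method} uri_len={h.uri_len} ({tag})")
```

The second and third sample lines carry the same overlong path under two different verbs; both are reported, which is the point the post makes. The `webdav` flag is only a triage hint, and a normal PROPFIND against a short path is not flagged.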
