
View Full Version : Re: Fate Research Labs Presents: Analysis of the NTDLL.DLL Exploit



Dave Aitel
28/03/03, 20:50
"The NTDLL.DLL exploit was first discovered due to the compromise of a
military web server on March 17. This was the first publicly documented
use of an unpublished exploit: Bugtraq only accounts for a small
percentage of the actual exploits and vulnerabilities that exist. This
was the first known case where an unreleased or "zero-day" exploit was
utilized to compromise machines before it was publicly announced."

Both contradicts itself and is not true.

"A web site containing a continuously growing list of applications
that use ntdll.dll is provided in the appendix."

That would be, uh, ALL NT applications?

Dave Aitel
SVP Research and Engineering
Immunity, Inc.
http://www.immunitysec.com/CANVAS/ <--"Exploits that don't have to brute force."


On Fri, 28 Mar 2003 09:30:23 -0600
"Eric Hines" <eric.hines@fatelabs.com> wrote:

> Lists:
>
> I have written a 13 page analysis of NTDLL.DLL webdav exploit, which
> is located at
> http://www.fatelabs.com/library/fatelabs-ntdll-analysis.pdf . This
> paper provides granular detail on the affected component, log traces
> for log analysis, exploit output, and packet traces for those looking
> to make their own signatures. The paper is based on the exploit
> released by Roman Soft to Bugtraq in combination with his follow-up
> RET address brute forcer. Remember, the exploit can be easily modified
> to use GET, LOCK, et al.
>
> Our Log Analysis team will be posting the logs and full packet traces
> to the log division's web site located at http://www.fatelabs.com
> shortly. In addition, as updates are made to this paper and as
> different methods of exploiting this buffer overflow are discovered by
> our team, we will make updates to the paper located at our site.
>
> P.S. Thanks to Roman Medina for his follow-up and response.
>
>
> Eric Hines
> Internet Warfare and Intelligence
> Fate Research Labs
> http://www.fatelabs.com
>
>
>
>