Re: Fate Research Labs Presents: Analysis of the NTDLL.DLL Exploit

  "The NTDLL.DLL exploit was first discovered due to the compromise of a
  military web server on March 17. This was the first publicly documented
  use of an unpublished exploit: Bugtraq only accounts for a small
  percentage of the actual exploits and vulnerabilities that exist. This
  was the first known case where an unreleased or "zero-day" exploit was
  utilized to compromise machines before it was publicly announced."

Both contradicts itself and is not true.

  "A web site containing a continuously growing list of applications
  that use ntdll.dll is provided in the appendix."

That would be, uh, ALL NT applications?

Dave Aitel
SVP Research and Engineering
Immunity, Inc.
http://www.immunitysec.com/CANVAS/ <--"Exploits that don't have to brute force."


On Fri, 28 Mar 2003 09:30:23 -0600
"Eric Hines" <eric.hines@fatelabs.com> wrote:

> Lists:
> 
> I have written a 13 page analysis of NTDLL.DLL webdav exploit, which
> is located at
> http://www.fatelabs.com/library/fatelabs-ntdll-analysis.pdf . This
> paper provides granular detail on the affected component, log traces
> for log analysis, exploit output, and packet traces for those looking
> to make their own signatures. The paper is based on the exploit
> released by Roman Soft to Bugtraq in combination with his follow-up
> RET address brute forcer. Remember, the exploit can be easily modified
> to use GET, LOCK, et al.
> 
> Our Log Analysis team will be posting the logs and full packet traces
> to the log division's web site located at http://www.fatelabs.com
> shortly. In addition, as updates are made to this paper and as
> different methods of exploiting this buffer overflow are discovered by
> our team, we will make updates to the paper located at our site.
> 
> P.S. Thanks to Roman Medina for his follow-up and response.
> 
> 
> Eric Hines
> Internet Warfare and Intelligence
> Fate Research Labs
> http://www.fatelabs.com
> 
> 
> 
> 
