lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <20030328121917.4067d2b3.dave@immunitysec.com>
Date: Fri, 28 Mar 2003 12:19:17 -0500
From: Dave Aitel <dave@...unitysec.com>
To: bugtraq@...urityfocus.com
Subject: Re: Fate Research Labs Presents: Analysis of the NTDLL.DLL Exploit


  "The NTDLL.DLL exploit was first discovered due to the compromise of a
  military web server on March 17. This was the first publicly
documented
  use of an unpublished exploit: Bugtraq only accounts for a small
  percentage of the actual exploits and vulnerabilities that exist. This
  was the first known case where an unreleased or "zero-day" exploit was
  utilized to compromise machines before it was publicly announced."

Both contradicts itself and is not true.

  "A web site containing a continuously growing list of applications
that
  use ntdll.dll is provided in the appendix."

That would be, uh, ALL NT applications?

Dave Aitel
SVP Research and Engineering
Immunity, Inc.
http://www.immunitysec.com/CANVAS/ <--"Exploits that don't have to brute
force."


On Fri, 28 Mar 2003 09:30:23 -0600
"Eric Hines" <eric.hines@...elabs.com> wrote:

> Lists:
> 
> I have written a 13 page analysis of NTDLL.DLL webdav exploit, which
> is located at
> http://www.fatelabs.com/library/fatelabs-ntdll-analysis.pdf . This
> paper provides granular detail on the affected component, log traces
> for log analysis, exploit output, and packet traces for those looking
> to make their own signatures. The paper is based on the exploit
> released by Roman Soft to Bugtraq in combination with his follow-up
> RET address brute forcer. Remember, the exploit can be easily modified
> to use GET, LOCK, et. al.
> 
> Our Log Analysis team will be posting the logs and full packet traces
> to the log division's web site located at http://www.fatelabs.com
> shortly. In addition, as updates are made to this paper and as
> different methods of exploiting this buffer overflow are discovered by
> our team, we will make updates to the paper located at our site.
> 
> P.S. Thanks to Roman Medina for his follow-up and response.
> 
> 
> Eric Hines
> Internet Warfare and Intelligence
> Fate Research Labs
> http://www.fatelabs.com
> 
> 
> 
> 


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ