Re: New attack vectors and a vulnerability dissection of MS03-007
From: Hall, Chadd (Chadd.Hall@PFSNT.PRIMERICA.COM)
Date: Mon, 7 Apr 2003 08:04:00 -0400
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
It seems that another vector for this attack has been found as David
predicted. Does anyone have any information on patching desktops without IIS
on them (Win2kpro/XP) for this local exploit of ntdll? A link to the code is
Thanks to Packetstorm for always providing great security info.
Distributed Systems Security
Primerica Financial Services
A division of CitiGroup
If computer security is an illusion, as some have suggested, let us
all strive to be David Copperfield.
The patch announced by Microsoft on the 17th March 2003 fixed a security
vulnerability in the core of the Windows 2000 operating system. This flaw
was actively being exploited through WebDAV requests to Microsoft's Internet
Information Server 5. It must be stressed that IIS was simply the attack
vector; the method or route used to actually exploit the flaw. The problem,
however, is much wider in scope than just simply machines running IIS.
Researchers at NGSSoftware have isolated many more attack vectors including
Java-based web servers and other non-WebDAV related issues in IIS. Due to
this, NGSSoftware urge Windows 2000 users to apply the patch.
For a paper that examines the vulnerability in detail, please read