Re: New attack vectors and a vulnerability dissection of MS03-007

From: Hall, Chadd (Chadd.Hall@PFSNT.PRIMERICA.COM)
Date: 04/07/03

    Date:         Mon, 7 Apr 2003 08:04:00 -0400
    From: "Hall, Chadd" <Chadd.Hall@PFSNT.PRIMERICA.COM>
    To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

    All,

    It seems that another vector for this attack has been found, as David
    predicted. Does anyone have any information on patching desktops without IIS
    on them (Win2k Pro/XP) for this local exploit of ntdll? A link to the code is
    included.

    Thanks to Packetstorm for always providing great security info.

    http://packetstorm.acm.miami.edu/0304-exploits/regexploit.c

    _________________________________
    Chadd Hall
    Distributed Systems Security
    Primerica Financial Services
    A division of CitiGroup
    chadd.hall@<nospam>pfsfhq.com
    770.564.7752
    If computer security is an illusion, as some have suggested, let us
    all strive to be David Copperfield.

    NOTICE: This email contains confidential or proprietary information that
    may be legally privileged. It is intended only for the named recipient(s).
    If an addressing or transmission error has misdirected the email, please
    notify the author by replying to this message. If you are not the named
    recipient, you are not authorized to use, disclose, distribute, copy, print,
    or rely on this email, and should immediately delete it from your computer
    system. This email may also contain information or opinion that is not
    necessarily representing the opinion of Primerica Financial Services or
    Citigroup. This material is not to be published or rebroadcast in any
    fashion.

    Prev:

    The patch announced by Microsoft on the 17th March 2003 fixed a security
    vulnerability in the core of the Windows 2000 operating system. This flaw
    was actively being exploited through WebDAV requests to Microsoft's Internet
    Information Server 5. It must be stressed that IIS was simply the attack
    vector; the method or route used to actually exploit the flaw. The problem,
    however, is much wider in scope than just simply machines running IIS.
    Researchers at NGSSoftware have isolated many more attack vectors including
    Java-based web servers and other non-WebDAV-related issues in IIS. Due to
    this, NGSSoftware urge Windows 2000 users to apply the patch.

    For a paper that examines the vulnerability in detail, please read
    http://www.ngssoftware.com/papers/ms03-007-ntdll.pdf

    Cheers,
    David Litchfield
    NGSSoftware Ltd
    +44(0)208 401 0070
    http://www.ngssoftware.com/

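The practical question in the thread is how to verify machines that never ran IIS, since the flaw lives in ntdll.dll rather than in the web server. The following is an added example, not code from either poster, NGSSoftware or Microsoft: it reads ntdll.dll over each host's admin$ share from a PowerShell-capable workstation (so the targets themselves need not run PowerShell) and compares the file version against a minimum you supply. The minimum version is deliberately not hard-coded; take it from the file manifest in the MS03-007 bulletin. The parameter and function names are this example's own.

```powershell
# Added example: report whether each host's ntdll.dll is at or above the version
# shipped by the MS03-007 hotfix. Reads the file over \\host\admin$ (maps to
# %SystemRoot% on the target), so it works against Windows 2000 / XP desktops
# that cannot run PowerShell themselves. Requires local admin rights on each host.
param(
    [Parameter(Mandatory = $true)] [string[]] $ComputerName,
    # Assumption: caller supplies the post-patch ntdll.dll version from the
    # bulletin's file manifest; it is intentionally not hard-coded here.
    [Parameter(Mandatory = $true)] [version]  $MinimumNtdllVersion
)

function Get-NtdllVersion {
    param([string] $Computer)
    $path = "\\$Computer\admin$\system32\ntdll.dll"
    $vi = (Get-Item -LiteralPath $path -ErrorAction Stop).VersionInfo
    # The FileVersion string may carry trailing build text, so assemble the
    # version from the numeric parts rather than parsing the string.
    [version] ('{0}.{1}.{2}.{3}' -f $vi.FileMajorPart, $vi.FileMinorPart,
                                     $vi.FileBuildPart, $vi.FilePrivatePart)
}

foreach ($c in $ComputerName) {
    try {
        $v = Get-NtdllVersion -Computer $c
        [pscustomobject]@{
            Computer     = $c
            NtdllVersion = $v
            Patched      = ($v -ge $MinimumNtdllVersion)
            Error        = $null
        }
    } catch {
        # Unreachable host, no admin rights, or share disabled: report, don't skip.
        [pscustomobject]@{
            Computer     = $c
            NtdllVersion = $null
            Patched      = 'unknown'
            Error        = $_.Exception.Message
        }
    }
}
```

Run it as `.\Check-Ntdll.ps1 -ComputerName (Get-Content hosts.txt) -MinimumNtdllVersion <version from the bulletin>` and filter on `Patched -ne $true`. Comparing the file version is preferable to looking for a hotfix registry key, because a later rollup that supersedes the hotfix still leaves the file at or above the fixed version while the original key may be absent; and because the check looks at ntdll.dll directly, it applies equally to hosts with and without IIS.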

