Re: New attack vectors and a vulnerability dissection of MS03-007

From: Hall, Chadd (Chadd.Hall@PFSNT.PRIMERICA.COM)
Date: 04/07/03

    Date:         Mon, 7 Apr 2003 08:04:00 -0400
    From: "Hall, Chadd" <Chadd.Hall@PFSNT.PRIMERICA.COM>


    It seems that another vector for this attack has been found as David
    predicted. Does anyone have any information on patching desktops without IIS
    on them (Win2kpro/XP) for this local exploit of ntdll? A link to the code is

    Thanks to Packetstorm for always providing great security info.

    Chadd Hall
    Distributed Systems Security
    Primerica Financial Services
    A division of CitiGroup
    If computer security is an illusion, as some have suggested, let us
    all strive to be David Copperfield.



    The patch announced by Microsoft on the 17th March 2003 fixed a security
    vulnerability in the core of the Windows 2000 operating system. This flaw
    was actively being exploited through WebDAV requests to Microsoft's Internet
    Information Server 5. It must be stressed that IIS was simply the attack
    vector; the method or route used to actually exploit the flaw. The problem,
    however, is much wider in scope than just simply machines running IIS.
    Researchers at NGSSoftware have isolated many more attack vectors including
    Java-based web servers and other non-WebDAV related issues in IIS. Due to
    this, NGSSoftware urge Windows 2000 users to apply the patch.

    For a paper that examines the vulnerability in detail, please read
    <> .

    David Litchfield
    NGSSoftware Ltd
    +44(0)208 401 0070
