NTDLL.DLL Buffer Overrun Vulnerability
Windows 2000 / IIS5 / WebDAV

PO Box 395, Holden, MA,01520

Tel: 617-921-5410

Translate

Home

About KLC

Services

SMAC

Trojan Analysis Security Resources Spoof MAC Address

 

Virus/Worm/Trojan
Resources

Trojan Paper

Virus List

Trojans Library

Trojan Ports

Symantec AV

Virus Alert


Updated 05/13/2003

NTDLL.DLL Buffer Overrun Vulnerability (MS03-007) on Windows 2000 / IIS5 / WebDAV

URL for this article: http://www.klcconsulting.net/articles/webdav/webdav_vuln.htm 

Version 1.9 (Latest update: 5/13/2003)


Author: 

Kyle Lai, CISSP, CISA

KLC Consulting, Inc.

klai@klcconsulting.net 

www.klcconsulting.net 

Table of Contents     back to top

 

Overview     back to top

Before we begin: --- There is additional information on the Webcast from SANS WebDAV Buffer Overflow Exploit Against IIS 5.0 and NTDLL Attack FAQ by Russ Cooper.  The webcast is archived and is highly recommended if you want to learn more about this vulnerability. ---

Microsoft released an advisory on a very serious vulnerability on Windows 2000 (NTDLL.DLL) on March 17, 2003 and it was classified as a CRITICAL vulnerability.  As of March 25, 2003, we know of many DLLs associated with NTDLL.DLL, and therefore, it is critical for system owners to fix this vulnerability as soon as possible.  

Updated on 4/23/2003 from Microsoft:  Windows NT 4.0 also contains the underlying vulnerability in ntdll.dll, however it does not support WebDAV and therefore the known exploit was not effective against Windows NT 4.0. Microsoft has now released a patch for Windows NT 4.0.

Severity Rating: (from Microsoft security advisory MS03-007)

Windows NT 4.0 Important
Windows NT 4.0 Terminal Server Edition Important
Windows 2000 Critical

Note: The Microsoft patches are the only ways to completely fix this vulnerability.

Note: There is a significant risk of exposure to this vulnerability because it is directly associated with the WebDAV component of IIS5, which is included and enabled by default when installing Windows 2000 servers.  Un-patched IIS 5 servers with WebDAV enabled that are connected to the Internet would allow anyone to exploit this vulnerability via HTTP ports.

Since there are a huge number of IIS servers installed around the world, this could potentially be one of the most serious and most widespread problems.  There have been many great discussions about this WebDAV buffer overflow vulnerability. Even though there are many workarounds provided by Microsoft, the patch from Microsoft is still the only way to protect your system from this vulnerability. KLC CONSULTING strongly advises system owners to apply this patch as soon as possible, HOWEVER, make sure you evaluate the patch in a test environment first, before applying it to your production environment.

Planning a patch process for this vulnerability is extremely critical because the exploits have been publicly available.  In this article, we include 2 versions of publicly available exploits, and in the Exploit Analysis section, we include a paper demonstrating these exploits.  There are significant concerns that these zero-day exploits might have been tested underground for quite some time.  We know for a fact that an exploit of this vulnerability has been used to successfully hack an Army web server on March 11, 2003, a week before Microsoft released the security advisory.

The rumors on the street expect a worm with a WebDAV exploit to spread within the next few weeks or months.  As we do not like to speculate on rumors, there is a substantial amount of chatter on the Internet concerning large exploits that are likely take place.

Technical description from Microsoft Security Bulletin MS03-007:

"Microsoft Windows 2000 supports the World Wide Web Distributed Authoring and Versioning (WebDAV) protocol. WebDAV, defined in RFC 2518, is a set of extensions to the Hyper Text Transfer Protocol (HTTP) that provide a standard for editing and file management between computers on the Internet. A security vulnerability is present in a Windows component used by WebDAV, NTDLL.DLL, and results because the component contains an unchecked buffer.

An attacker could exploit the vulnerability by sending a specially formed HTTP request to a machine running Internet Information Server (IIS). The request could cause the server to fail or to execute code of the attacker’s choice. The code would run in the security context of the IIS service (which, by default, runs in the LocalSystem context).

Although Microsoft has supplied a patch for this vulnerability and recommends all affected customers install the patch immediately, additional tools and preventive measures have been provided that customers can use to block the exploitation of this vulnerability while they are assessing the impact and compatibility of the patch. These temporary workarounds and tools are discussed in the “Workarounds” section in the FAQ below.

NTDLL.DLL is actually found on NT 3.51, NT 4.0, W2K and XP, but only the version in Windows 2000 is vulnerable."

Through the author’s exposure to various aspects on this topic and wide range of research analysis (a good one from David Litchfield,) applying the Microsoft Patch seems to be the ONLY way to truly protect yourself from WebDAV exploit attacks.

However, before you apply this patch to any systems, make sure you understand the caveats to the Microsoft Patch.  Read the following section before applying this patch to save yourself from major problems.  The following "caveats" are from the "Additional information about this patch" section of Microsoft Security Bulletin MS03-007.

Caveats:
If you are running Windows 2000 SP2, before installing this patch please check the version of ntoskrnl.exe on your system. To verify the version of ntoskrnl.exe on your system, perform the following steps:

1. Browse to the %windir%\system32 directory

2. Right-click ntoskrnl.exe

3. Choose properties.

The version information is located on the ‘version’ tab.

Versions of ntoskrnl.exe between 5.0.2195.4797 and 5.0.2195.4928 (inclusive) are not compatible with this patch. These versions were only distributed with Product Support Services hotfixes.

If the patch for this issue is installed on a system with one of these versions of ntoskrnl.exe, the machine will fail on the first reboot with a Stop 0x00000071 message and will have to be recovered using the Windows 2000 recovery console and the backup copy of ntdll.dll stored in the “\winnt\$NTUninstallQ815021$” directory.

To update a system with a version of ntoskrnl.exe distributed from Product Support Services, you must first contact PSS before applying this patch. Information on contacting Product Support Services can be found at:

http://support.microsoft.com

Alternatively you can upgrade to SP3 prior to installing this patch. 

Please refer to the Microsoft Security Bulletin for more details:

Simplified version (End user version)
http://www.microsoft.com/security/security_bulletins/ms03-007.asp

More Technical version: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-007.asp 

Version History     back to top

Version 1.0 - March 20, 2003

Version 1.1 - March 21, 2003

Version 1.2 - March 24, 2003

Version 1.3 - March 26, 2003

Version 1.4 - March 29, 2003 (added Exploit Analysis)

Version 1.5 - April 12, 2003 (added 1 new Exploit)

Version 1.6 - April 15, 2003 (added new IIS5/WebDAV scan utility from KLC)

Version 1.7 - April 23, 2003 (Microsoft included NT 4.0 systems to this vulnerability in its advisory MS03-007)

Version 1.8 - April 26, 2003 (Links update)

Version 1.9 - May 13, 2003 (Additional exploits and snort signatures)

What is WebDAV?     back to top

WebDAV stands for "Web-based Distributed Authoring and Versioning". It is a set of extensions to the HTTP protocol, which allows users to collaboratively edit and manage files on remote web servers.  WebDAV is supported by Windows 2000.

More detailed information on the Microsoft implementation of WebDAV is available at: (Microsoft) Communicating XML Data over the Web with WebDAV

What types of systems and applications are vulnerable?     back to top

  •  

  • Systems that have IIS 5 with WebDAV enabled on Windows 2000.  IIS 5 is installed on all Windows 2000 servers by default.

    Note: IIS 5.0 WITHOUT WebDAV enabled on Windows 2000 is NOT vulnerable, but it is recommended that all necessary security measures be applied in order to better prevent any future vulnerabilities.

  • Microsoft Sharepoint running on Windows 2000 uses WebDAV.

  • www.webdav.org/projects shows commercial products that use WebDAV.  Please check with the vendors for impacts related to this vulnerability.

What is the impact?     back to top

The following is extracted from the FAQ section of the Microsoft Security Bulletin MS03-007.

This is a buffer overrun vulnerability. An attacker who successfully exploited this vulnerability could gain complete control over an affected web server. This would give the attacker the ability to take any desired action on the server, including changing web pages, reformatting the hard drive or adding new users to the local administrators group.

Cause:

The vulnerability exists because of an unchecked buffer in a component of Windows, Ntdll.dll, that can be called using WebDAV. By sending a specially constructed request through WebDAV, an attacker could cause code to run on a web server in the Local System security context.

David Litchfield of NGS Software posted an article "New Attack Vectors and a Vulnerability Dissection of MS03-007." This article is available at http://www.ngssoftware.com/papers/ms03-007-ntdll.pdf.

Here is a quote from David Litchfield's posting on NTBugTraq on March 21, 2003:  "The patch announced by Microsoft on the 17th March 2003 fixed a security vulnerability in the core of the Windows 2000 operating system. This flaw was actively being exploited through WebDAV requests to Microsoft's Internet Information Server 5. It must be stressed that IIS was simply the attack vector; the method or route used to actually exploit the flaw. The problem, however, is much wider in scope than just simply machines running IIS. Researchers at NGSSoftware have isolated many more attack vectors including java based web servers and other non-WebDAV related issues in IIS. Due to this, NGSSoftware urge Windows 2000 users to apply the patch."

What is the fix?     back to top

In a nutshell, this is what you should do:

  • Start the Registry Editor (Regedt32.exe)

  • Locate and click on the following registry key;

    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters

  • On the Edit menu, click Add Value, and then add the following registry value;

    • Data Type: DWORD

    • Value Name: DisableWebDAV

    • Value Data: 1 (0 means WebDAV is enabled)

Warning: If MaxClientRequestBuffer is set, the tool restarts IIS. When you use this tool, some requests may not function as expected. Microsoft has confirmed that when you set the MaxClientRequestBuffer value to 16 KB, some programs may not function correctly. To work around such problems, try increasing the requested size to a value larger than the default setting. Alternatively, to prevent this particular exploit vector, set a MAXURL in URLScan or disable WebDAV. You can do this through URLScan or the IIS Lockdown tool.

In addition, here is some more technical input from Matt Scarborough who has added the following comments on NTBugTraq:

------------------------

Nice FAQ. Some clarifications and info.

"4. Microsoft's UrlScan tool is capable of limiting the length of a request (URL) to a webserver."

This is actually the "URL Buffer Size Registry Tool." UrlScan does not touch HKLM\SYSTEM\CCS\Services\w3svc\parameters DWORD=MaxClientRequestBuffer

On IIS 5.0 WebDAV (httpext.dll) is invoked based on the headers *not* the verb or URL. This is why the [DenyHeaders] [DenyVerbs] and [AllowVerbs] entries in URLScan.ini all need to be configured to ensure that WebDAV is not invoked.

Without UrlScan, instead of the expected:

Verb URL Proto
-------------------
PROPFIND / HTTP/1.1

request, any unknown verb will invoke WebDAV, e.g.,

Verb URL Proto
-------------------
HACKERZ / HTTP/1.1
Content-Type: text/xml
Translate: f
Depth: 1
User-Agent: Microsoft Data Access Internet Publishing Provider DAV
Host: www.nonexistant
Connection: Keep-Alive
Accept: */*
Content-Length:378

<?xml version="1.0" ?>
<propfind xmlns="DAV:">
<snip>

will invoke WebDAV. Once PREPROC_HEADERS gets the attack and passes it to WebDAV, its game over. The body "<?xml..." is of course superfluous. (PROPFIND is my example, and not a valid attack.)

Since we know the WebDAV attack vector requires nearly 64K of header, it is a crucial and easy fix to set MaxClientRequestBuffer now to a safely smaller, but operable value, then plan to patch soon.

Microsoft's setmaxurllength.exe tool or policy template make this pretty easy for Administrators of Windows networks to lock down against this single WebDAV attack vector into NTDLL.DLL before the coming Electronic Apocalypse.

Those who can't remotely
* apply a patch, or
* push out a machine policy, or
* set a Registry value
are simply doomed.

Matt Scarborough 2003-03-19

------------------------

 

How to detect / scan WebDAV vulnerabilities on a system?     back to top

Many people have made scanning tools, which are available on the NTBugTraq website.  Some of the following information is from NTBugTraq - NTDLL Attack FAQ, by Russ Cooper.  

The easiest way to detect whether your systems are vulnerable to WebDAV vulnerability is to run one of the following scanning tools.  Of course if you prefer Telnet or Netcat, follow the directions below:

  1. Netcat or Telnet to the specified host with the http port (usually port 80)
    i.e. "telnet www.samplehost.com 80" or "nc -vv www.samplehost.com 80"

  2. Type "OPTIONS * HTTP/1.0" (if you use the Windows 2000 command prompt, you might not see the characters as you type them, but the text is in the background, so you can keep typing)

  3. Press Enter twice.

  4. You should see the following results displayed.   This test only shows whether WebDAV component is enabled or disabled on your system, and not if it is vulnerable.  If you detected any systems that have WebDAV enabled, you should then determine if they are vulnerable.  Again, only systems that have IIS 5 with WebDAV enabled are vulnerable, and only the Microsoft patch will truly protect your systems from WebDAV vulnerability.

WebDAV enabled:

HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Date: Mon, 17 Mar 2003 21:49:00 GMT
Content-Length: 0
Accept-Ranges: bytes
DASL:
DAV: 1, 2

Public: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
Allow: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
Cache-Control: private

WebDAV disabled:

HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Date: Mon, 17 Mar 2003 21:49:00 GMT
Public: OPTIONS, TRACE, GET, HEAD, POST
Content-Length: 0

Display from IIS 4

HTTP/1.1 200 OK
Server: Microsoft-IIS/4.0
Date: Fri, 21 Mar 2003 08:53:04 GMT
Public: OPTIONS, TRACE, GET, HEAD, POST, PUT, DELETE
Content-Length: 0

Exploits     back to top

There are several versions of exploit codes in circulation for this particular vulnerability.  These exploits are provided for research and educational purpose only.  In our opinion, we feel that in order to protect yourself with good Intrusion Detection System (IDS) signature rules, you need to understand the vulnerabilities that these published exploit codes expose.  KLC Consulting did not in any way participate in the creation of these exploits; we simply gathered these publicly available exploits.  Disclaimer: Use these exploits at your own risk.  You are responsible for your own actions with regards to their use!

We were well aware of the IIS WebDAV exploits; however as we expected, NTDLL.DLL vulnerability goes beyond IIS WebDAV.  We came across another exploit using malformed registry files (.reg) to cause buffer overflow and then to gain the root access.  

KLC Consulting Security Team tested several exploits in a lab environemnt and they successfully exploited vulnerable systems without any difficulties.  KLC Consulting again reminds system administrators to patch vulnerable systems ASAP.

  1. Here are a few versions of publicly available IIS WebDAV exploits (be aware that there are more out there).  The following exploits use the "SEARCH" verb to conduct exploits, but other verbs like GET, LOCK should work too.  When using the SEARCH verb in an exploit, you will probably see the IIS5 log showing the method as "SEARCH" and the status as "411" or "500"

Status code:

  • 411 - Length Required
  • 500 - Internal Server Error

These exploits will crash IIS5 servers, and use the IIS5 process to create a shell program on a port defined in the exploit, thus allowing anyone to telnet to that port, or simply using NetCat and get a command prompt with root (administrative) privilege.

  1. Here is a publicly available exploit that causes buffer overrun by using a malformed registry file (.reg).

 

Exploit Analysis     back to top

A great exploit analysis on RoMaNSoFt's exploit was done by Eric Hines of Fate Research Labs.  His analysis demonstrates how the exploit works, and provides screenshots of the exploit being performed in a lab environment.  It also analyzes the packets captured by Ethereal, as well as the IIS5 log.

For more information, please refer to http://www.fatelabs.com/library/fatelabs-ntdll-analysis.pdf

Intrusion Detection Systems (IDS) signatures     back to top

  • There are many ways to exploit this vulnerability.  Please refer to the exploit files in the Exploit section and Nessus rules from for attack methods.
  • ISS

  • Snort Signatures: from snort.org.:

    • SID: 2090:

      alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS WEBDAV exploit attempt"; flow:to_server,established; content:"HTTP/1.1|0a|Content-type|3a| text/xml|0a|HOST|3a|"; content:"Accept|3a| |2a|/|2a0a|Translate|3a| f|0a|Content-length|3a|5276|0a0a|"; distance:1; reference:cve,CAN-2003-0109; reference:bugtraq,7716; classtype:attempted-admin; sid:2090; rev:2;)

  • Snort Signatures: from intrusion.com, under category "Web-IIS", has 20 general snort signatures for IIS5 WebDAV Exploits.  These signatures identify intrusions by different WebDAV verbs other than "SEARCH".

  • Snort Signatures: by Joe Stewart, GCIH at http://www.lurhq.com/webdav.html .  This site also listed several exploits.

    • alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"EXPLOIT WebDav ntdll.dll (rs_iis)"; flow: to_server; content:"|0190 9090 685e 56c3 9054 59ff d158 33c9|"; reference:cve,CAN-2003-0109; reference:url,www.lurhq.com/webdav.html; classtype:attempted-admin; sid:1000010; rev:1;)

    • alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"EXPLOIT WebDav ntdll.dll (kralor probe)"; flow: to_server; content:"|5345 4152 4348 202f 2048 5454 502f 312e 310d 0a48 6f73 743a|"; depth:24; dsize:<89; reference:cve,CAN-2003-0109; reference:url,www.lurhq.com/webdav.html; classtype:attempted-admin; sid:1000011; rev:1;)

    • alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"EXPLOIT WebDav ntdll.dll (kralor shellcode)"; flow: to_server; content:"|558b ec33 c953 5657 8d7d a2b1 25b8 cccc|"; reference:cve,CAN-2003-0109; reference:url,www.lurhq.com/webdav.html; classtype:attempted-admin; sid:1000012; rev:1;)

    • alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"EXPLOIT WebDav ntdll.dll (webdavx.pl)"; flow: to_server; content:"|4c4f 434b 202f 4141 4141 4141 4141 4141|"; reference:cve,CAN-2003-0109; reference:url,www.lurhq.com/webdav.html; classtype:attempted-admin; sid:1000013; rev:1;)

    • alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"EXPLOIT WebDav ntdll.dll (wd.pl)"; flow: to_server; content:"|4c4f 434b 202f 5858 5858 5858 5858 5858|"; reference:cve,CAN-2003-0109; reference:url,www.lurhq.com/webdav.html; classtype:attempted-admin; sid:1000014; rev:1;)

    • alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"EXPLOIT WebDav ntdll.dll (KaHT probe)"; flow: to_server; content:"|5573 6572 2d41 6765 6e74 3a20 4b61 4854 0d0a|"; reference:cve,CAN-2003-0109; reference:url,www.lurhq.com/webdav.html; classtype:attempted-admin; sid:1000015; rev:1;)

 

Frequently Asked Questions     back to top

  • Q: Which NTDLL.DLL files are vulnerable?
    A: Only Windows 2000.  Check this Microsoft site to search for all versions of NTDLL.DLL.

  • Q: Will IIS 5 logs show evidence of WebDAV exploits.  
    A: It may or may not show evidence of exploits.

  • Q: Is Small Business Server 2000 affected by WebDAV vulnerability?
    A: YES, if you run IIS 5 with WebDAV enabled.

  • Q: After applying patches to the vulnerable systems, will they be require to reboot?  
    A: Yes, they will have to be rebooted for the patches to take effect.  On critical systems that you must keep running, you will need to schedule a downtime to apply the patches.  Make sure you test the patches and mitigation methods in a test environment before moving to a production environment.

  • Q: What should I do if a system is compromised through a WebDAV exploit?
    A: If a system is compromised, this system cannot be trusted anymore.  If this is a production system, it would be best to rebuild this system with a backup.

  • *************************************************
    Is OWA Vulnerable To The IIS WebDAV Exploit?   (from SANS Webcast speaker, Chris Weber)
    *************************************************

    Many questions about OWA security have arisen due to the latest critical vulnerability exploitable through IIS's WebDAV. Let's clear the air about these. Refer to MS03-007 for more details.
    http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-007.asp

    Is OWA vulnerable to the latest WebDAV related problem MS03-007?
    The short answer is no, but you should still apply the mitigating factors and/or patch listed in the bulletin. Now let's look at the details. 

    The IIS WebDAV implementation is unrelated to OWA's, they are two separate binaries, using completely different function calls. When you install OWA, it installs it's own DLL for WebDAV functionality. However, the IIS version still remains. 

    The function call exploited cannot be reached through OWA's implementation of WebDAV. This doesn't mean it can't be reached via other means that may reveal themselves down the road, but that discussion will only complicate the question. For now just bear in mind that the actual vulnerability lies in an API function exposed by NTDLL.DLL, a core Windows component. This function is unrelated to WebDAV, except for the fact that IIS's version of WebDAV happens to make a call to it. So, technically speaking, WebDAV is not what's vulnerable, but NTDLL.DLL is.

    Does IIS's version of WebDAV still function in addition to OWA's?
    Yes. If your OWA installation resides on an IIS 5.0 box that also hosts virtual roots other than /exchange, then those virtual roots may be exploitable. If you run IISLockdown and select the Exchange template, then it will disable IIS's WebDAV and those virtual roots will be protected. URLscan, a component of the IIS lockdown wizard, further protects your IIS installation as it rejects malformed requests.

    What do you recommend for servers running OWA?
    We recommend you run IISLockdown with the Exchange template. This will disable IIS's version of WebDAV, and install URLScan. If you cannot run IISLockdown, then at the very least we recommend you follow the steps in the bulletin to disable WebDAV via the registry key setting. We also recommend you run URLScan, which will mitigate the attack by limiting the buffer size that the exploit uses. 

    Do these things while you test the patch in your environment. Apply the patch as soon as possible, regardless.

    Send questions/comments to Chris Weber via chris@casabasec.com

Recommendations (Expanded from NIPC)     back to top

  • Users are encouraged to implement the patch for this vulnerability made available by Microsoft.

  • As an initial workaround Administrators can implement Microsoft's URL Scan tool to limit the lengths of URLs passed to the IIS system.

  • More information can be obtained from Microsoft's Security Bulletin MS03-007 and on workarounds from Knowledge Base document 816930

  • If don't need to apply workaround using the URL Scan tool, it is recommended that you still implement URLScan and IIS Lockdown tools in addition to the Microsoft Patch on your IIS servers to protect them from other IIS related vulnerabilities.

  • Update IDS signature files as relevant signatures become available.

  • Monitor FW, IDS, and other perimeter security devices for probes against port 80 (or other http ports) and/or attempts to exploit this vulnerability.

  • Monitor information sources for additional alerts regarding possible attack activity.

  • Report any relevant activity (increased port 80 probing or activity, web server crashes, etc.) to your agency's Incident Response Team.

  • Ensure that your incident response capability is prepared for a possible incident.

  • If successfully attacked, recognize that a system compromise may have taken place and take appropriate action based on your incident handling policy.

 

References     back to top

 

About the Author     back to top

Kyle Lai, CISSP, CISA has worked in the Information Security Industry for over 10 years.  He is the founder KLC Consulting, Inc., where he helps clients with their specific security concerns.  Mr. Lai's main areas of expertise include security architecture, risk assessments, vulnerability and penetration testing, virus analysis, security tools development, and security product analysis and research.  Prior to KLC Consulting, he provided consulting services for several large and medium size  companies in the areas of Government, Financial Services, Healthcare, Utility, Manufacturing, and Higher Education, include Department of Defense, HP, Polaroid, MIT.

Mr. Lai has published several analysis and articles on the virus, worms and Trojans, which included the analysis on the first widely spread worm targeting Windows shares, Trojan.IrcBounce, Deloder Worm and the serious Windows 2000 WebDAV vulnerability.

Mr. Lai is also the co-author of the network security utility SMAC, a Windows MAC Address Modifying tool.  It has been widely used in network troubleshooting and wireless penetration testing, among other various areas.

About KLC Consulting     back to top

KLC's mission is to provide a continuous effort to protect the confidentiality, integrity and availability of your corporate resources and data. Through each stage of the information security lifecycle, we help you prevent, detect, respond to, and resolve your enterprise security issues.

KLC encompasses security expertise in the MAC Address (Network Address) based Security, Networking and Application Security, Financial Institutions (GLBA), Healthcare (HIPAA) and Pharmaceutical (21 CFR Part 11), Vulnerability Management and Protection, Security Technologies Design and Implementation, and a full range of Professional Security Services.  

Contact     back to top

KLC Consulting, Inc.

PO Box 395

Holden, MA 01520

USA

Email: contact@klcconsulting.net

Telephone: 617-921-5410

URL: www.KLCconsulting.net 

 

 

Site Meter

Copyright © 2002-2011 KLC Consulting, Inc..
All rights reserved.