[NCLUG] New winNT problem?
Michael Dwyer
mdwyer at sixthdimension.com
Mon Sep 17 10:08:53 MDT 2001
> I've been getting a few httpd logs (on Linux) showing something like
this:
> GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir
> Is this another WinNT problem going around?
This is the Unicode exploit done up in a new way. This line
says navigate backwards up the tree and run cmd.exe with a
command of 'dir'. If the machine is exploitable, it would
return a directory listing.
http://packetstormsecurity.org/0010-exploits/iis-unicode.txt
This is a pretty old exploit, and if the admin did the code-red
super-patch, this should be closed.
Apache, of course, isn't bothered by this.
More information about the NCLUG
mailing list