[MDAC] Buffer Overrun Leads To Code Execution



-----BEGIN PGP SIGNED MESSAGE-----

----------------------------------------------------------------------

Title: Buffer Overrun in Microsoft Data Access Components Could Lead
to Code Execution (Q329414)

Date: 20 November, 2002

Software:

Microsoft Data Access Components (MDAC) 2.1

Microsoft Data Access Components (MDAC) 2.5

Microsoft Data Access Components (MDAC) 2.6

Microsoft Internet Explorer 5.01

Microsoft Internet Explorer 5.5

Microsoft Internet Explorer 6.0

Impact: Run code of attacker's choice

Max Risk: Critical

Bulletin: MS02-065

Microsoft encourages customers to review the Security Bulletins at:

http://www.microsoft.com/security/security...ns/ms02-065.asp

http://www.microsoft.com/technet/security/...in/MS02-065.asp.

----------------------------------------------------------------------

Issue:

======

Microsoft Data Access Components (MDAC) is a collection of components
used to provide database connectivity on Windows platforms. MDAC is
a ubiquitous technology, and it is likely to be present on most
Windows systems:

- It is included by default as part of Windows XP, Windows 2000, and
Windows Millennium.

- It is available for download as a stand-alone technology in its
own right.

- It is either included in or installed by a number of other products
and technologies. For instance, MDAC is included in the Windows NT
4.0 Option Pack, and some MDAC components are present as part of
Internet Explorer even if MDAC itself is not installed.

MDAC provides the underlying functionality for a number of database
operations, such as connecting to remote databases and returning data
to a client. One of the MDAC components, known as Remote Data
Services (RDS), provides functionality that supports three-tiered
architectures, that is, architectures in which a client's requests
for service from a back-end database are intermediated through a web
site that applies business logic to them. A security vulnerability
is present in the RDS implementation, specifically in a function
called the RDS Data Stub, whose purpose is to parse incoming
HTTP requests and generate RDS commands.

The vulnerability results because of an unchecked buffer in the Data
Stub. By sending a specially malformed HTTP request to the Data Stub,
an attacker could cause data of his or her choice to overrun onto the
heap. Although heap overruns are typically more difficult to exploit
than the more common stack overrun, Microsoft has confirmed that in
this case it would be possible to exploit the vulnerability to run
code of the attacker's choice on the user's system.
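The bug class described above, as an added illustration that is not
Microsoft's MDAC or RDS code: a toy request parser copies an
attacker-controlled header value into a fixed-size field of a
heap-allocated object without checking its length, so an over-long
value runs into whatever neighbours that field on the heap. The real
Data Stub's layout and parsing logic are not public; the struct, the
STUB_BUF size, the X-RDS-Command header and the /rds/stub path are
hypothetical stand-ins, and the sample requests are constructed. A
canary field stands in for the neighbouring heap memory so the overrun
can be observed without crashing the process. parse_checked shows the
fix (refuse oversize values before copying), and request_is_ascii
models the URLScan default rule listed under Mitigating Factors below:
it constrains which bytes an attacker can place in the overflowed
memory but does not prevent the overrun itself, which is why the
bulletin expects URLScan to reduce the impact to denial of service
rather than eliminate it.

```c
/*
 * Added example, not MDAC/RDS code. Models the bug class in MS02-065:
 * a fixed-size field on the heap filled from an attacker-controlled
 * HTTP request with no length check. STUB_BUF, struct stub_request,
 * the X-RDS-Command header and the request path are hypothetical.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define STUB_BUF 32                 /* hypothetical fixed field size */
#define CANARY   0xA5A5A5A5u

/* Heap object. 'canary' stands in for whatever follows the field on
 * the real heap (allocator metadata, another object's pointers).
 * 'slack' keeps this demo's overrun inside the allocation so the
 * program runs deterministically instead of corrupting the allocator. */
struct stub_request {
    char         value[STUB_BUF];
    unsigned int canary;
    char         slack[256];
};

/* Locate "name:" at the start of a header line; return a pointer to the
 * value and its length up to CR/LF, or NULL if the header is absent. */
static const char *find_header(const char *req, const char *name, size_t *len)
{
    size_t nlen = strlen(name);
    for (const char *p = req; (p = strstr(p, name)) != NULL; p += nlen) {
        if ((p == req || p[-1] == '\n') && p[nlen] == ':') {
            const char *v = p + nlen + 1;
            while (*v == ' ') v++;
            const char *e = v;
            while (*e && *e != '\r' && *e != '\n') e++;
            *len = (size_t)(e - v);
            return v;
        }
    }
    return NULL;
}

/* VULNERABLE: trusts the attacker-controlled length. A value of
 * STUB_BUF bytes or more runs off the end of 'value' into the
 * neighbouring heap memory (the "unchecked buffer" of the bulletin). */
static int parse_unchecked(struct stub_request *r, const char *raw)
{
    size_t len;
    const char *v = find_header(raw, "X-RDS-Command", &len);
    if (!v) return -1;
    char *dst = r->value;
    memcpy(dst, v, len);            /* no check that len < STUB_BUF */
    dst[len] = '\0';
    return 0;
}

/* FIXED: reject oversize values before copying. Refusing is safer than
 * silently truncating a protocol command that is parsed afterwards. */
static int parse_checked(struct stub_request *r, const char *raw)
{
    size_t len;
    const char *v = find_header(raw, "X-RDS-Command", &len);
    if (!v) return -1;
    if (len >= STUB_BUF) return -2;  /* oversize: refuse the request */
    memcpy(r->value, v, len);
    r->value[len] = '\0';
    return 0;
}

/* Models URLScan's default "ASCII only" rule: refuse any request byte
 * above 0x7F. This filter does not stop the overrun; it only limits
 * the byte values an attacker can write into the overflowed memory. */
static int request_is_ascii(const char *raw, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if ((unsigned char)raw[i] > 0x7F) return 0;
    return 1;
}

/* Run a parser on a fresh object and report on the canary:
 * 1 = clobbered by the overrun, 0 = intact, -1 = parser rejected input. */
static int canary_clobbered(int (*parser)(struct stub_request *, const char *),
                            const char *raw)
{
    struct stub_request *r = calloc(1, sizeof *r);
    if (!r) return -1;
    r->canary = CANARY;
    int rc = parser(r, raw);
    int result = (rc != 0) ? -1 : (r->canary != CANARY);
    free(r);
    return result;
}

/* Constructed sample requests (not captured traffic). */
static const char *benign_req =
    "POST /rds/stub HTTP/1.0\r\nX-RDS-Command: AdvancedDataFactory\r\n\r\n";
static const char *overlong_req =                /* 64 'A's, all ASCII */
    "POST /rds/stub HTTP/1.0\r\nX-RDS-Command: "
    "AAAAAAAAAAAAAAAA" "AAAAAAAAAAAAAAAA" "AAAAAAAAAAAAAAAA" "AAAAAAAAAAAAAAAA"
    "\r\n\r\n";
static const char bad_req[] =                    /* carries bytes > 0x7F */
    "POST /rds/stub HTTP/1.0\r\nX-RDS-Command: \x90\x90\x90\r\n\r\n";

int main(void)
{
    printf("unchecked, benign   : %d\n", canary_clobbered(parse_unchecked, benign_req));
    printf("unchecked, overlong : %d\n", canary_clobbered(parse_unchecked, overlong_req));
    printf("checked,   overlong : %d (negative = rejected)\n",
           canary_clobbered(parse_checked, overlong_req));
    printf("ascii filter passes overlong ASCII request: %d\n",
           request_is_ascii(overlong_req, strlen(overlong_req)));
    printf("ascii filter passes non-ASCII request     : %d\n",
           request_is_ascii(bad_req, sizeof bad_req - 1));
    return 0;
}
```

The overlong all-ASCII request passes the ASCII filter and still
clobbers the canary, which is the point of the bulletin's URLScan
remark: the filter leaves the crash but removes most of the attacker's
freedom over the bytes that land on the heap. The checked parser
rejects the same request before any copy takes place.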

Both web servers and web clients are at risk from the vulnerability:

- Web servers are at risk if a vulnerable version of MDAC is installed
and running on the server. To exploit the vulnerability against such
a web server, an attacker would need to establish a connection with
the server and then send a specially malformed HTTP request to it,
that would have the effect of overrunning the buffer with the
attacker's chosen data. The code would run in the security context
of the IIS service (which, by default, runs in the LocalSystem
context).

- Web clients are at risk in almost every case, as the RDS Data Stub
is included with all current versions of Internet Explorer and
there is no option to disable it. To exploit the vulnerability
against a client, an attacker would need to host a web page that,
when opened, would send an HTTP reply to the user's system and
overrun the buffer with the attacker's chosen data. The web page
could be hosted on a web site or sent directly to users as an HTML
mail. The code would run in the security context of the user.

Clearly, this vulnerability is very serious, and Microsoft recommends
that all customers whose systems could be affected by it take
appropriate action immediately. Web server administrators should
either install the patch, disable MDAC and/or RDS, or upgrade to MDAC
2.7, which is not affected by the vulnerability. Web client users
should install the patch immediately on any system that is used for
web browsing. It is important to stress that the latter guidance
applies to any system used for web browsing, regardless of any other
protective measures that have already been taken. For instance, a
web server on which RDS had been disabled would still need the patch
if it was occasionally used as a web client.

Mitigating Factors:

====================

Web Servers

- Web servers that are using MDAC version 2.7 (the version that
shipped with Windows XP) or later are not affected by the
vulnerability.

- Even if a vulnerable version of MDAC were installed, a web server
would only be at risk if RDS were enabled. RDS is disabled by default
on clean installations of Windows XP and Windows 2000, and can be
disabled on other systems by following the guidance in the IIS
Security Checklist. In addition, the IIS Lockdown Tool will
automatically disable RDS when used in its default configuration.

- If the URLScan tool were deployed with its default ruleset (which
allows only ASCII data to be present in an HTTP request), it is
likely that the vulnerability could only be used for denial of
service attacks.

- IIS can be configured to run with fewer than administrative
privileges. If this has been done, it would likewise limit the
privileges that an attacker could gain through the vulnerability.

- IP address restrictions, if applied to the RDS virtual directory,
could enable the administrator to restrict access to only trusted
users. This is, however, not practical for most web server
scenarios.

Web clients

- The HTML mail-based attack vector could not be exploited
automatically on systems where Outlook 98 or Outlook 2000 were used
in conjunction with the Outlook Email Security Update, or Outlook
Express 6 or Outlook 2002 were used in their default
configurations.

- Exploiting the vulnerability would convey to the attacker only the
user's privileges on the system. Users whose accounts are configured
to have few privileges on the system would be at less risk than
ones who operate with administrative privileges.

Risk Rating:

============

- Internet systems: Critical

- Intranet systems: Critical

- Client systems: Critical

Patch Availability:

===================

- A patch is available to fix this vulnerability. Please read the
Security Bulletin at
http://www.microsoft.com/technet/security/...in/ms02-065.asp
for information on obtaining this patch.
