ODBC RDS vulnerability

Updated 11/22/02
CVE 1999-1011
CAN 2002-1142

Impact

This vulnerability may allow a remote attacker to take complete control of a web server.

Background

Microsoft IIS by default installs Microsoft Data Access Components (MDAC), which includes Remote Data Service (RDS). The purpose of the RDS component is to allow access to remote Open Database Connectivity (ODBC) components through IIS. The RDS interface is provided by the msadcs.dll file.

The Problem

11/22/02
CAN 2002-1142
A buffer overflow in RDS could allow a remote attacker to execute arbitrary commands on a web server by sending a specially crafted POST request with a very long Content-Type header to the msadcs.dll file. The same vulnerability could also allow a malicious web site to execute arbitrary commands on an Internet Explorer client. MDAC versions prior to 2.7 are affected by this vulnerability on both servers and clients.

Windows NT and 2000 ship with vulnerable MDAC versions, but the vulnerability cannot be exploited on a default installation of a Windows 2000 web server because RDS is not enabled. Windows XP is not vulnerable because it contains MDAC 2.7.

CVE 1999-1011
A second vulnerability in msadcs.dll allows arbitrary shell commands to be embedded in queries to ODBC databases. These commands will be executed with system_local privileges, giving an attacker complete control of the system. MDAC 1.5 and 2.0 are affected by this vulnerability. Higher versions could also be affected if they were installed as upgrades to previous versions, or if the RDS Sample Pages are installed.
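As an added example (not part of this advisory), a small Python detector run over constructed HTTP requests: it flags any request that reaches msadcs.dll, which should not occur once RDS is disabled as the Resolution section recommends, and additionally flags an oversized Content-Type header on a POST to it, the CAN 2002-1142 pattern. The /msadc/ virtual directory path and the 256-byte Content-Type threshold are assumptions.

```python
# Added example, not from the advisory: flag HTTP requests that exercise the RDS
# interface (msadcs.dll) and, for CAN 2002-1142, an oversized Content-Type header.
import re

# msadcs.dll normally lives under the /msadc/ virtual directory (assumed default).
MSADCS_PATH = re.compile(r"/msadcs\.dll(?:$|[?/])", re.IGNORECASE)
# Assumed threshold: genuine MIME types are tens of bytes long, never hundreds.
CONTENT_TYPE_MAX = 256


def parse_request(raw: str):
    """Split a raw HTTP request into (method, path, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, path, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def inspect_request(raw: str) -> list:
    """Return the reasons this request deserves attention (empty list if none)."""
    method, path, headers, _body = parse_request(raw)
    findings = []
    if not MSADCS_PATH.search(path):
        return findings
    # Any hit on msadcs.dll matters: the workaround is to disable RDS entirely.
    findings.append(f"{method} to RDS handler {path}")
    content_type = headers.get("content-type", "")
    if method.upper() == "POST" and len(content_type) > CONTENT_TYPE_MAX:
        findings.append(f"oversized Content-Type ({len(content_type)} bytes): CAN 2002-1142 pattern")
    return findings


# Constructed sample traffic, not real captures.
SAMPLE_REQUESTS = [
    "GET /default.htm HTTP/1.0\r\nHost: www.example.com\r\n\r\n",
    "POST /msadc/msadcs.dll HTTP/1.0\r\nHost: www.example.com\r\n"
    "Content-Type: application/octet-stream\r\nContent-Length: 0\r\n\r\n",
    "POST /msadc/msadcs.dll HTTP/1.0\r\nHost: www.example.com\r\n"
    "Content-Type: " + "A" * 1024 + "\r\nContent-Length: 0\r\n\r\n",
]


def scan(requests=SAMPLE_REQUESTS) -> dict:
    """Map each request's index to its findings, omitting clean requests."""
    return {i: f for i, r in enumerate(requests) if (f := inspect_request(r))}


if __name__ == "__main__":
    for index, reasons in scan().items():
        print(index, reasons)
```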

Resolution

If you do not need RDS functionality, a workaround for these vulnerabilities is to disable RDS. See Microsoft Security Bulletin 99-025 FAQ for instructions on disabling RDS. Note that this workaround is only effective on web servers, and does not fix the vulnerability on clients such as Internet Explorer.

To fix the problem, install patch Q329414. This patch is designed to fix the RDS buffer overflow on all platforms for both client and server applications. It is important to understand that this patch, while fixing the problem, cannot set the kill bit on the vulnerable ActiveX control, and thus cannot prevent a malicious web site from re-introducing a vulnerable version of the control. Furthermore, the installation of prior MDAC service packs can re-introduce the vulnerability, so the latest MDAC service pack should be applied before the patch is applied.

To fix the ODBC query shell command execution, upgrade to the latest version of MDAC, and ensure that it is running in safe mode. See Microsoft Security Bulletin 99-025 FAQ for more information.

Where can I read more about this?

More details on the buffer overflow are available in Microsoft Security Bulletin 02-065, CERT Advisory 2002-33, and Foundstone Advisory 112002.

For more information on the ODBC query vulnerability and alternate solutions, please refer to the Rain Forest Puppy advisory RFP9907 and Microsoft Security Bulletin 99-025.