exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

asb99-11.mdac_rds

asb99-11.mdac_rds
Posted Jul 1, 2000

asb99-11.mdac_rds

SHA-256 | 9c9619f4c80bf857b50c70083d86e66e4c1408e0c9d7c3fe4194016e2e3299d6

asb99-11.mdac_rds

Change Mirror Download
Allaire Security Bulletin (ASB99-11)
Solutions to Issues that Allow Users to Execute Commands on NT Servers through
MDAC RDS

Originally Posted: July 27, 1999
Last Updated: April 3, 2000

Summary
Microsoft® SQL Server 7.0 and Microsoft Data Engine (MSDE) 1.0 could allow the remote
author of a malicious SQL query to take unauthorized actions on a Microsoft SQL Server,
MSDE database, or on the underlying system that was hosting the SQL Server or MSDE
database.

As indicated in Microsoft Security Bulletin MS98-004 and MS99-025 (links below), some
Microsoft Data Access Components (MDAC) could allow unauthorized access to a web server
hosted on Microsoft Windows NT. This is not a problem with ColdFusion Server. However,
Allaire customers running on Windows NT should take the steps outlined below to protect
themselves from this vulnerability.

[NOTE: ColdFusion RDS ("Remote Development Services") are an entirely different technology
than the MDAC RDS ("Remote Data Services") and do not make use of MDAC RDS. The
remainder of this Bulletin uses "RDS" to refer to the MDAC Remote Data Services, not the
ColdFusion Remote Development Services.]

Issue
The Microsoft® SQL Server 7.0 and Microsoft Data Engine (MSDE) 1.0 vulnerability would
allow the remote author of a malicious SQL query to take unauthorized actions on a SQL Server
or MSDE database or on the underlying system that was hosting the SQL Server or MSDE
database. This means that a user could potentially pass a query through a URL to a SQL Server
provided that site/server was using SQL Server Security. The commands would be executed
with the full privileges of the owner or administrator of the database.

This vulnerability can be exploited remotely via ODBC, OLE DB or DB-Library. This means
ColdFusion Administrators who allow users to make Query and Select statements to the SQL 7
server and utilize SQL Server Security, are potentially vulnerable. This also applies to sites which
parse database queries through URLs. These queries can be modified by malicious users to
become database strings with which they can abuse this particular flaw.

This vulnerability can be exploited remotely via ODBC, OLE DB or DB-Library. This means
ColdFusion Administrators who allow users to make Query and Select statements to the SQL 7
server and utilize SQL Server Security, are potentially vulnerable. This also applies to sites which
parse database queries through URLs. These queries can be modified by malicious users to
become database strings with which they can abuse this particular flaw.

MDAC Remote Data Services (RDS ) is a component of MDAC that enables controlled
Internet access to remote server data resources. However, because the RDS DataFactory (a
component of RDS) and VbBusObj.VbBusObjCls (an RDS sample component) allows implicit
remote data access requests, it can be exploited to allow unauthorized server access. Internet
clients can potentially access ODBC database datasources available to the server, or when
combined with the VBA pipe character vulnerability (as described in Allaire Security Bulletin
ASB99-09), potentially execute commands on the server.

Affected Software Versions

This is an issue that affects customers running Microsoft Windows NT. (Because
Windows NT is a popular operating system for hosting Allaire ColdFusion Server,
Allaire has published this bulletin to notify Allaire customers of the issue.)

What Allaire is Doing
This issue is not a problem with ColdFusion, but can occur when using Microsoft Data Access
Components, Microsoft® SQL Server 7.0 and Microsoft Data Engine (MSDE) 1.0 on
Windows NT and can affect ColdFusion customers who are using Windows NT servers. To
respond to this issue, Allaire has published an Allaire Security Bulletin (ASB99-11) notifying
customers of the problem and remedies that can be used to address it. We have sent a
notification of the bulletin to customers who have subscribed to Allaire Security Notifications.

What Customers Should Do
For the SQL Server 7.0/MSDE vulnerability, users should download the latest patch from
Microsoft at: https://www.microsoft.com/downloads/release.asp?ReleaseID=19132

ColdFusion Windows NT customers who are not using the features of MDAC RDS should take
the following actions:

1.Install MDAC 2.1 GA (sp2) or higher. This step is optional but recommended. If
MDAC components are installed after the steps that follow, these steps should be
repeated.

NOTE: Allaire recommends that ALL services (ColdFusion, ColdFusion Executive,
ColdFusion RDS, Bright Tiger, Siteminder, IIS, IIS Admin, etc.) that interact with
ODBC drivers be stopped before the MDAC install is run. If you have any installation
questions please reference Microsoft's web site at https://www.microsoft.com/data.
MDAC updates may affect existing database connectivity and should be tested in a
non-production environment before deployment.

2.Delete the following registry entries if they exist:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\
Parameters\ADCLaunch\RDSServer.DataFactory

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\
Parameters\ADCLaunch\AdvancedDataFactory

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\
Parameters\ADCLaunch\VbBusObj.VbBusObjCls

3.Ensure the following registry key exists and is set as follows:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DataFactory\HandlerInfo
"handlerRequired"=dword:00000001
"DefaultHandler"="MSDFMAP.Handler"

4.For Windows NT sites running Microsoft IIS, the "/msadc" Virtual Directory on the
"Default" Web site should be removed using the IIS Management Console. This Virtual
Directory will be recreated with each new install or upgrade of Microsoft Data Access
Components to the "Default" Web site.

5.Delete the folder %SYSTEM%\Program Files\Common Files\System\msadc\samples
and all subfolders.


Allaire strongly recommends that all ColdFusion Windows NT customers who wish to
make use of the features of MDAC RDS or customers who use Windows NT as their
server operating system should closely review the Microsoft Security Bulletins
MS98-004 and MS99-025.

All ColdFusion Windows NT customers should review Allaire Security Bulletin (ASB99-09):
"Solutions to Issues that Allow Users to Execute Commands through Microsoft Access".

Related Links and Resources:

Microsoft Security Bulletin (MS00-014)
https://www.microsoft.com/technet/security/bulletin/ms00-014.asp

Microsoft MS00-014 FAQ
https://www.microsoft.com/technet/security/bulletin/fq00-014.asp

Microsoft Security Bulletin MS99-025

Microsoft Security Bulletin MS98-004

Microsoft MS99-025 FAQ

.Rain.Forest.Puppy's NT Bugtraq posting archived at the NT Bugtraq web site
(originally identifying the issue)

Russ Cooper's IIS RDS Vulnerability article on the NT Bugtraq web site



Revisions
July 27, 1999 -- Bulletin first released.
April 3, 2000 - Bulletin updated with Microsoft® SQL Server 7.0 and Microsoft Data Engine
(MSDE) vulnerability information.

Reporting Security Issues
Allaire is committed to addressing security issues and providing customers with the information
on how they can protect themselves. If you identify what you believe may be a security issue
with an Allaire product, please send an email to secure@allaire.com. We will work to
appropriately address and communicate the issue.

Receiving Security Bulletins
When Allaire becomes aware of a security issue that we believe significantly affects our products
or customers, we will notify customers when appropriate. Typically this notification will be in the
form of a security bulletin explaining the issue and the response. Allaire customers who would
like to receive notification of new security bulletins when they are released can sign up for our
security notification service.

For additional information on security issues at Allaire, please visit the Security Zone at:
https://www.allaire.com/security

THE INFORMATION PROVIDED BY ALLAIRE IN THIS BULLETIN IS PROVIDED "AS IS" WITHOUT WARRANTY OF
ANY KIND. ALLAIRE DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL
ALLAIRE CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING
DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES,
EVEN IF ALLAIRE CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH
DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR
CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    17 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close