IIS Allows ODBC Data Access

Vulnerability Description

Brief description: A vulnerability in Microsoft Data Access Components (MDAC) allows an attacker to execute arbitrary commands.

Full description: The Microsoft Internet Information Server (IIS) allows "implicit remoting," in which the web server accepts requests from any remote site. The Remote Data Services (RDS) package in the Windows NT Option Pack provides controlled access to remote network services via IIS. One specific component, RDS DataFactory, allows implicit remoting by default. Thus, unauthorized clients can query an IIS web server and obtain access to the OLE database and other data sources available to the local IIS server. Note that the remote client must provide authentication information in its request, but the request can come from any host (not just those within the site).

Microsoft lists the following possibilities for unauthorized web users:

1) Allowing unauthorized users to execute shell commands on the IIS system as a privileged user.

2) On a multi-homed Internet-connected IIS system, using Microsoft Data Access Components (MDAC) to tunnel SQL and other ODBC data requests through the public connection to a private back-end network.

3) Allowing unauthorized access to secured, non-published files on the IIS system.

Components: Internet Information Server version 4.0; Microsoft Data Access Components version 1.5, 2.0; Microsoft Data Access Components version 2.1 if installed as an upgrade; Microsoft Data Access Components (any version) if the Sample Pages for RDS are installed

Systems: Windows NT 4.0, Windows 2000

Effect(s) of exploiting: Any command can be executed as the user of IIS, and any file IIS can access could be read

Detecting the hole:

    1. If the virtual directory /msadc and the following registry keys exist, then the system is vulnerable:
        HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\ADCLaunch\RDSServer.DataFactory
        HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\ADCLaunch\AdvancedDataFactory
        HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\ADCLaunch\VbBusObj.VbBusObjCls

Fixing the hole:

    The fix is a configuration change and depends on which version of MDAC is installed and whether you want to turn off RDS functionality.

    1. To disable RDS functionality for all versions of MDAC:
        a. Delete the virtual directory /msadc from the default web site.
        b. Delete these three keys from the IIS host:
            HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\ADCLaunch\RDSServer.DataFactory
            HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\ADCLaunch\AdvancedDataFactory
            HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\ADCLaunch\VbBusObj.VbBusObjCls

    2. If you need RDS functionality and have MDAC version 1.5c (the version of Msdadc.dll is 1.50.3506.0):
        a. Install MDAC version 2.1 and configure that properly (see below).
        b. Check that the sample pages for RDS are not installed. Look for the folder %systemdrive%\program files\common files\system\msadc\samples. If it exists, delete it and all its subfolders. Then delete the DLL %systemdrive%\program files\common files\system\msadc\samples\selector\middle_tier\vbbusobj\vbbusobj.dll and the registry key VbBusObj.VbBusObjCls.
        c. To disable anonymous access to RDS, turn off Anonymous Access for the /msadc directory.

    3. If you need RDS functionality and have MDAC version 2.0, 2.0 SP1, or 2.0 SP2 (the version of Oledb32.dll for all three versions is 2.0.1706.0 and the versions of MsDadc.dll are 2.0.3002.4 for 2.0 and 2.0.3002.23 for 2.0 SP1 and 2.0 SP2):
        a. Set HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DataFactory\HandlerInfo\HandlerRequired to 1. (Microsoft has a small program that will do this.)
        b. Check that the sample pages for RDS are not installed. Look for the folder %systemdrive%\program files\common files\system\msadc\samples. If it exists, delete it and all its subfolders. Then delete the DLL %systemdrive%\program files\common files\system\msadc\samples\selector\middle_tier\vbbusobj\vbbusobj.dll and the registry key VbBusObj.VbBusObjCls.
        c. To disable anonymous access to RDS, turn off Anonymous Access for the /msadc directory.

    4. If you need RDS functionality and have installed MDAC version 2.1.0.3513.2 (SQL), 2.1.1.3711.6 (Internet Explorer 5), or 2.1.1.3711.11 (GA) as an upgrade (the versions of MsDadc.dll are 2.10.3513.0, 2.10.3711.2, and 2.10.3711.2, respectively, and the versions of Oledb32.dll are 2.10.3513.0, 2.10.3711.2, and 2.10.3711.9, respectively):
        a. Set HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DataFactory\HandlerInfo\HandlerRequired to 1. (Microsoft has a small program that will do this.)
        b. Check that the sample pages for RDS are not installed. Look for the folder %systemdrive%\program files\common files\system\msadc\samples. If it exists, delete it and all its subfolders. Then delete the DLL %systemdrive%\program files\common files\system\msadc\samples\selector\middle_tier\vbbusobj\vbbusobj.dll and the registry key VbBusObj.VbBusObjCls.
        c. To disable anonymous access to RDS, turn off Anonymous Access for the /msadc directory.
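
The registry and file-system checks from the detection and fix steps above can be collected in one read-only audit. This is an added example, not part of the original entry or Microsoft's tooling; the function name Test-RdsExposure, its output fields and the review rules are assumptions of the example. It does not inspect the /msadc virtual directory or its Anonymous Access setting, which still have to be checked in the IIS configuration.

```powershell
# Added example: read-only audit of the RDS settings named in this entry.
# Test-RdsExposure and its output field names are illustrative.
function Test-RdsExposure {
    $adcLaunch = 'HKLM:\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\ADCLaunch'
    $progIds   = 'RDSServer.DataFactory', 'AdvancedDataFactory', 'VbBusObj.VbBusObjCls'

    # Which of the three ADCLaunch keys are still registered on this host?
    $presentKeys = @($progIds | Where-Object { Test-Path -Path "$adcLaunch\$_" })

    # HandlerRequired = 1 is the value the MDAC 2.0 / 2.1 fix asks for.
    # A missing key or value leaves $handlerRequired as $null.
    $handlerKey      = 'HKLM:\SOFTWARE\Microsoft\DataFactory\HandlerInfo'
    $handlerRequired = (Get-ItemProperty -Path $handlerKey -Name HandlerRequired `
                            -ErrorAction SilentlyContinue).HandlerRequired

    # The RDS sample pages folder the fix says to delete.
    $samplesDir     = "$env:SystemDrive\Program Files\Common Files\System\msadc\samples"
    $samplesPresent = Test-Path -Path $samplesDir

    # Review rules are this example's reading of the entry, not an official test.
    $reasons = @()
    if ($presentKeys.Count -gt 0 -and $handlerRequired -ne 1) {
        $reasons += 'ADCLaunch keys present and HandlerRequired is not 1'
    }
    if ($presentKeys -contains 'VbBusObj.VbBusObjCls') {
        $reasons += 'VbBusObj.VbBusObjCls is still registered'
    }
    if ($samplesPresent) {
        $reasons += 'RDS sample pages folder exists'
    }

    [pscustomobject]@{
        Computer         = $env:COMPUTERNAME
        AdcLaunchKeys    = $presentKeys -join ', '
        HandlerRequired  = $handlerRequired
        SamplesFolder    = $samplesPresent
        NeedsReview      = ($reasons.Count -gt 0)
        Reasons          = $reasons -join '; '
    }
}

Test-RdsExposure | Format-List
```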

Other information: If you want to only allow specific database requests, you can create a custom handler to control or filter incoming requests. Microsoft's Using the Customization Handler Feature in RDS 2.0 describes how to do this.

This vulnerability is another manifestation of the "iis cmd" vulnerability. Using the two in combination allows the attacker to run commands with IIS's privileges on the IIS server.

Keywords

remote access

Cataloguing

PA Classification(s):

RISOS Classification(s):

DCS Classification(s):

CVE Number: CVE-1999-1011 -- The Remote Data Service (RDS) DataFactory component of Microsoft Data Access Components (MDAC) in IIS 3.x and 4.x exposes unsafe methods, which allows remote attackers to execute arbitrary commands.

Exploit Information

Attack: See Rain Forest Puppy's exploit; Bugtraq's database entry 529 gives directions for its use.

Related Information

Advisories: CIAC Information Bulletin J-054, Unauthorized Access to IIS Servers through ODBC Data Access with RDS, citing Microsoft Security Bulletin MS99-025, Unauthorized Access to IIS Servers through ODBC Data Access with RDS; Security Focus database entry 529; ISS X-Force database entry nt-iis-rds

Related Vulnerabilities:

Reportage

Reporting: Microsoft Security Team in Microsoft Security Bulletin MS98-025 (July 14, 1998)

Revision Number 1

  1. Patrick LeBlanc (7/3/2000):