Brief description: If the Microsoft JET OLE DB Provider or Microsoft DataShape Provider are installed with IIS, a remote user could use the shell() Visual Basic command on the server to run arbitrary commands with administrator level privileges on the target host.
Full description: Microsoft JET OLE DB Provider or Microsoft DataShape Provider invoke JET 3.5, which allows calls to VBA's shell() function, which lets the user run shell commands (see RFP9901: NT ODBC remote vulnerabilities . IIS 4.0, by default, installs MDAC 1.5. This includes RDS, which allows for remote access to ODBC components over the web, through a .DLL located at /msadc/msadcs.dll (see RFP9902: RDS/IIS vulnerability and exploit ).
Components: Microsoft IIS 4.0 (trusted), Microsoft IIS 3.0 (trusted), Microsoft Index Server 2.0 (trusted), Microsoft MDAC 2.1UPGRADE (trusted), Microsoft MDAC 2.1CLEAN (trusted), Microsoft MDAC 2.0 (trusted), Microsoft MDAC 1.5 (trusted), Microsoft Site Server 3.0 (trusted)
Systems: Microsoft Windows NT 4.0 (trusted)
Effect(s) of exploiting: Attackers can execute arbitrary commands as administrator.
Detecting the hole:
Fixing the hole:
Other information:
PA Classification(s):
RISOS Classification(s):
DCS Classification(s):
CVE Number: CVE-1999-0233 -- IIS allows users to execute arbitrary commands using .bat or .cmd files.
Attack: Rain Forest Puppy's msadc.pl exploit .
Advisories: Security Focus database entry 529 ; RFP labs Advisory RFP9907 ; ISS X-Force http-iis-cmd ; Microsoft knowledge base articles Internet Information Server Security .CMD /.BAT Patch and IIS Security Concern Using Batch Files for CGI
Related Vulnerabilities:
Reporting: Microsoft in Microsoft Security Bulletin MS98-004 (July 14, 1998 )