
FS-112002-MDAC

Posted Nov 24, 2002
Site foundstone.com

Foundstone Research Labs Advisory - 112002 - MDAC : Microsoft Data Access Components (MDAC) is a collection of components that provide the back-end technology which enables database access for Windows platforms. One of the components within MDAC, Remote Data Services (RDS), enables controlled Internet access to remote data resources through Internet Information Services (IIS). Such access allows users to execute files including .dll and .exe extensions, thereby providing increased site functionality. In general RDS embodies two functional technologies: Data Space and Data Control. The vulnerable code path is the DataSpace object of RDS, which acts as a middle layer between local command execution and the web front end. Due to incorrect string handling within the RDS interface, a malicious user can overrun a buffer and gain control of the remote system.

tags | remote, web, local
systems | windows
SHA-256 | b459f3412c2d95369b0424fdc5ce3c56decc698c701bb274121447dc85d55650

- ----------------------------------------------------------------------
Foundstone Research Labs Advisory - 112002 - MDAC

Advisory Name: Remotely Exploitable Buffer Overflow in Microsoft MDAC
Release Date: November 20, 2002
Application: MDAC versions 2.1, 2.5 and 2.6
Internet Explorer 6.0 Gold, 5.5 SP2, and 5.01 SP3
Platforms: Windows NT/2000
Severity: Critical
Vuln Type: Unauthenticated Remote Code Execution
Vendors: Microsoft Corporation (http://www.microsoft.com)
Authors: Barnaby Jack (labs@foundstone.com)
CVE Candidate: CAN-2002-1142
Reference: http://www.foundstone.com/advisories
- ----------------------------------------------------------------------

Overview:

Microsoft Data Access Components (MDAC) is a collection of components
that provide the back-end technology which enables database access for
Windows platforms. MDAC is installed and implemented by default in
Windows 2000, and within the Windows NT 4.0 option pack.

One of the components within MDAC, Remote Data Services (RDS), enables
controlled Internet access to remote data resources through Internet
Information Services (IIS). Such access allows users to execute files
including .dll and .exe extensions, thereby providing increased site
functionality. In general RDS embodies two functional technologies:
Data Space and Data Control. The vulnerable code path is the DataSpace
object of RDS, which acts as a middle layer between local command
execution and the web front end. Due to incorrect string handling
within the RDS interface, a malicious user can overrun a buffer and
gain control of the remote system.

Because Internet Explorer (IE) ships the RDS client-side components,
IE is also affected and may be compromised by a malicious web server
even if MDAC itself is not installed on the client system. Affected
versions of IE allow a crafted HTTP response to overrun internal
components, allowing arbitrary code to be executed on the client
system.

Detailed Description:

The RDS interface is provided through the file msadcs.dll. To exploit
this vulnerability an attacker sends the IIS server a POST request to
msadcs.dll with an abnormally long value in the Content-Type header.
No authentication is required. The oversized value is copied into a
heap buffer and overwrites adjacent portions of heap memory. By
overwriting certain function pointers held there (e.g. the
UnhandledExceptionFilter pointer), it is possible to kill the current
IIS thread, or to execute arbitrary code within the IIS process before
the thread terminates.
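The server-side trigger above reduces to a simple pattern that a sensor or log processor can match: a POST whose target is msadcs.dll carrying a Content-Type header far longer than any real media type. The following detector is an added example written for this page, not Foundstone's or Microsoft's code. The 128-byte threshold, the function names and the sample requests are assumptions made for the example; the advisory only says "abnormally long". It keeps duplicated headers rather than collapsing them, matches the handler name case-insensitively in any virtual directory, and ignores the query string.

```python
"""Flag HTTP requests matching the CAN-2002-1142 trigger described above:
a POST to msadcs.dll carrying an abnormally long Content-Type header."""
from __future__ import annotations

from dataclasses import dataclass

RDS_HANDLER = "msadcs.dll"
# Assumed threshold for this example. The advisory only says "abnormally
# long"; real Content-Type values are tens of bytes, so anything past
# 128 bytes has no legitimate use against this endpoint.
MAX_CONTENT_TYPE_LEN = 128


@dataclass(frozen=True)
class Finding:
    source: str
    path: str
    content_type_len: int


def parse_request_head(raw: bytes) -> tuple[str, str, list[tuple[str, str]]] | None:
    """Split a raw HTTP/1.x request into (method, target, headers).

    Headers come back as an ordered list of (lower-cased name, value) so
    duplicated headers are preserved rather than silently collapsed.
    Returns None when the request line or a header line is malformed.
    """
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    request_line = lines[0].split(b" ")
    if len(request_line) != 3:
        return None
    method = request_line[0].decode("latin-1")
    target = request_line[1].decode("latin-1")
    headers: list[tuple[str, str]] = []
    for line in lines[1:]:
        if not line:
            continue
        name, sep, value = line.partition(b":")
        if not sep:
            return None
        headers.append((name.strip().decode("latin-1").lower(),
                        value.strip().decode("latin-1")))
    return method, target, headers


def check_request(raw: bytes, source: str = "unknown") -> Finding | None:
    """Return a Finding if the request matches the overflow pattern, else None."""
    parsed = parse_request_head(raw)
    if parsed is None:
        return None
    method, target, headers = parsed
    path = target.split("?", 1)[0]
    # Match on the final path component so /msadc/msadcs.dll and any
    # other virtual-directory placement are both caught.
    if method.upper() != "POST" or path.rsplit("/", 1)[-1].lower() != RDS_HANDLER:
        return None
    # Use the longest value if the header is repeated: whichever copy
    # the server reads, the oversized one is the dangerous one.
    longest = max((len(v) for n, v in headers if n == "content-type"), default=0)
    if longest <= MAX_CONTENT_TYPE_LEN:
        return None
    return Finding(source=source, path=path, content_type_len=longest)


def scan(samples: list[tuple[str, bytes]]) -> list[Finding]:
    """Run check_request over (source, raw_request) pairs."""
    return [f for src, raw in samples if (f := check_request(raw, src)) is not None]


# Constructed sample traffic for this example (not captured data).
SAMPLES: list[tuple[str, bytes]] = [
    ("10.0.0.5", b"POST /msadc/msadcs.dll HTTP/1.1\r\nHost: iis.example.test\r\n"
                 b"Content-Type: application/x-www-form-urlencoded\r\n"
                 b"Content-Length: 0\r\n\r\n"),
    ("10.0.0.9", b"POST /msadc/msadcs.dll HTTP/1.0\r\nHost: iis.example.test\r\n"
                 b"Content-Type: " + b"A" * 2000 + b"\r\nContent-Length: 0\r\n\r\n"),
    ("10.0.0.7", b"GET /default.htm HTTP/1.1\r\nHost: iis.example.test\r\n"
                 b"Content-Type: " + b"B" * 2000 + b"\r\n\r\n"),
    ("10.0.0.11", b"POST /MSADC/MSADCS.DLL?x=1 HTTP/1.1\r\nHost: iis.example.test\r\n"
                  b"Content-Type: text/xml\r\nContent-Type: " + b"C" * 300 + b"\r\n\r\n"),
]

if __name__ == "__main__":
    for finding in scan(SAMPLES):
        print(f"{finding.source}: POST {finding.path} with "
              f"{finding.content_type_len}-byte Content-Type")
```

The GET with a long Content-Type is deliberately left unflagged: the advisory describes the POST path only, and widening the rule would trade precision for a case the page does not support. A hit is worth treating as an attack attempt rather than a scan, since a single request is enough to kill the IIS thread.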

In addition to the server-side aspect, the vulnerability also affects
the string handling of HTTP responses in the RDS DataSpace object
within Internet Explorer, and so may be used to exploit clients via a
malicious web server. If a user browses a malicious site, the server's
page can invoke the DataSpace object to open a new session back to
that site. The server then answers that session with a malformed HTTP
response, causing a buffer overrun within IE that allows the server to
run arbitrary code on the client system, without any authentication,
before the IE thread is killed.

Vendor Response:

Microsoft has released a fix for these vulnerabilities which modifies
the string handling code within the DataSpace object of RDS. The fix
is available at: http://windowsupdate.microsoft.com

Foundstone would like to thank Microsoft Security Response Center for
their prompt handling of this vulnerability.

Solution:

Foundstone recommends reviewing the Microsoft Security Bulletin and
immediately applying the Microsoft patch. The Microsoft Security
Bulletin can be viewed at the following location.
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q329414

The FoundScan Enterprise Vulnerability Management System has been
updated to check for this vulnerability. For more information on
FoundScan, go to: http://www.foundstone.com
