Allaire Security Bulletin (ASB99-11)
Solutions to Issues that Allow Users to Execute Commands on NT Servers through MDAC RDS

Originally Posted: July 27, 1999
Last Updated: April 3, 2000

Summary

Microsoft® SQL Server 7.0 and Microsoft Data Engine (MSDE) 1.0 could allow the remote author of a malicious SQL query to take unauthorized actions on a Microsoft SQL Server, MSDE database, or on the underlying system that was hosting the SQL Server or MSDE database.

As indicated in Microsoft Security Bulletins MS98-004 and MS99-025 (links below), some Microsoft Data Access Components (MDAC) could allow unauthorized access to a web server hosted on Microsoft Windows NT. This is not a problem with ColdFusion Server. However, Allaire customers running on Windows NT should take the steps outlined below to protect themselves from this vulnerability.

[NOTE: ColdFusion RDS ("Remote Development Services") is an entirely different technology from the MDAC RDS ("Remote Data Services") and does not make use of MDAC RDS. The remainder of this Bulletin uses "RDS" to refer to the MDAC Remote Data Services, not the ColdFusion Remote Development Services.]

Issue

The Microsoft® SQL Server 7.0 and Microsoft Data Engine (MSDE) 1.0 vulnerability would allow the remote author of a malicious SQL query to take unauthorized actions on a SQL Server or MSDE database or on the underlying system that was hosting the SQL Server or MSDE database. This means that a user could potentially pass a query through a URL to a SQL Server, provided that site/server was using SQL Server Security. The commands would be executed with the full privileges of the owner or administrator of the database.

This vulnerability can be exploited remotely via ODBC, OLE DB or DB-Library. This means ColdFusion Administrators who allow users to make Query and Select statements to the SQL 7 server and utilize SQL Server Security are potentially vulnerable. This also applies to sites which parse database queries through URLs. These queries can be modified by malicious users to become database strings with which they can abuse this particular flaw.

MDAC Remote Data Services (RDS) is a component of MDAC that enables controlled Internet access to remote server data resources. However, because the RDS DataFactory (a component of RDS) and VbBusObj.VbBusObjCls (an RDS sample component) allow implicit remote data access requests, they can be exploited to allow unauthorized server access. Internet clients can potentially access ODBC database datasources available to the server, or, when combined with the VBA pipe character vulnerability (as described in Allaire Security Bulletin ASB99-09), potentially execute commands on the server.

Affected Software Versions

This is an issue that affects customers running Microsoft Windows NT. (Because Windows NT is a popular operating system for hosting Allaire ColdFusion Server, Allaire has published this bulletin to notify Allaire customers of the issue.)

What Allaire is Doing

This issue is not a problem with ColdFusion, but can occur when using Microsoft Data Access Components, Microsoft® SQL Server 7.0 and Microsoft Data Engine (MSDE) 1.0 on Windows NT, and can affect ColdFusion customers who are using Windows NT servers. To respond to this issue, Allaire has published an Allaire Security Bulletin (ASB99-11) notifying customers of the problem and of remedies that can be used to address it. We have sent a notification of the bulletin to customers who have subscribed to Allaire Security Notifications.
What Customers Should Do

For the SQL Server 7.0/MSDE vulnerability, users should download the latest patch from Microsoft at:
http://www.microsoft.com/downloads/release.asp?ReleaseID=19132

ColdFusion Windows NT customers who are not using the features of MDAC RDS should take the following actions:

1. Install MDAC 2.1 GA (sp2) or higher. This step is optional but recommended. If MDAC components are installed after the steps that follow, these steps should be repeated.

   NOTE: Allaire recommends that ALL services (ColdFusion, ColdFusion Executive, ColdFusion RDS, Bright Tiger, Siteminder, IIS, IIS Admin, etc.) that interact with ODBC drivers be stopped before the MDAC install is run. If you have any installation questions, please reference Microsoft's web site at http://www.microsoft.com/data. MDAC updates may affect existing database connectivity and should be tested in a non-production environment before deployment.

2. Delete the following registry entries if they exist:

   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\ADCLaunch\RDSServer.DataFactory
   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\ADCLaunch\AdvancedDataFactory
   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\ADCLaunch\VbBusObj.VbBusObjCls

3. Ensure the following registry key exists and is set as follows:

   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DataFactory\HandlerInfo
   "handlerRequired"=dword:00000001
   "DefaultHandler"="MSDFMAP.Handler"

4. For Windows NT sites running Microsoft IIS, the "/msadc" Virtual Directory on the "Default" Web site should be removed using the IIS Management Console. This Virtual Directory will be recreated on the "Default" Web site with each new install or upgrade of Microsoft Data Access Components.

5. Delete the folder %SYSTEM%\Program Files\Common Files\System\msadc\samples and all subfolders.
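The following audit script is an added example and is not part of the Allaire bulletin or of any Microsoft tooling. It checks whether steps 2 through 5 above have actually been applied (step 1, the MDAC version, is not checked) and reports what is still outstanding without changing anything. It assumes a PowerShell host with the HKLM: registry provider, which did not exist on the NT 4 systems the bulletin targets; that the classic IIS metabase is reachable through ADSI at the hypothetical path IIS://localhost/W3SVC/1/Root (site 1 being the "Default" Web site); and that $env:CommonProgramFiles corresponds to the bulletin's %SYSTEM%\Program Files\Common Files prefix. The function name Test-MdacRdsHardening is invented for this example.

```powershell
# Added example (not from the Allaire bulletin): audits steps 2-5 of the RDS
# hardening procedure and returns a list of findings; an empty list means all
# checks passed. Assumes a modern PowerShell host with the HKLM: provider.
function Test-MdacRdsHardening {
    [CmdletBinding()]
    param(
        # Metabase site instance to inspect; 1 is the "Default" Web site (assumption).
        [int]$SiteId = 1
    )

    $findings = New-Object 'System.Collections.Generic.List[string]'

    # Step 2: the ADCLaunch subkeys that allow IIS to launch DataFactory / VbBusObj.
    $adcLaunch = 'HKLM:\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\ADCLaunch'
    foreach ($progId in 'RDSServer.DataFactory', 'AdvancedDataFactory', 'VbBusObj.VbBusObjCls') {
        if (Test-Path (Join-Path $adcLaunch $progId)) {
            $findings.Add("Step 2: ADCLaunch\$progId is still present")
        }
    }

    # Step 3: a handler must be required, and MSDFMAP.Handler must be the default.
    $handlerInfo = 'HKLM:\SOFTWARE\Microsoft\DataFactory\HandlerInfo'
    if (Test-Path $handlerInfo) {
        $values = Get-ItemProperty -Path $handlerInfo
        if ($values.handlerRequired -ne 1) {
            $findings.Add("Step 3: handlerRequired is '$($values.handlerRequired)', expected 1")
        }
        if ($values.DefaultHandler -ne 'MSDFMAP.Handler') {
            $findings.Add("Step 3: DefaultHandler is '$($values.DefaultHandler)', expected MSDFMAP.Handler")
        }
    } else {
        $findings.Add("Step 3: $handlerInfo does not exist")
    }

    # Step 4: the /msadc virtual directory on the Default Web site.
    # The ADSI metabase path below is an assumption; it is only valid on classic IIS.
    try {
        $root = [ADSI]"IIS://localhost/W3SVC/$SiteId/Root"
        $msadc = $root.Children | Where-Object { $_.Name -eq 'msadc' }
        if ($msadc) {
            $findings.Add("Step 4: /msadc virtual directory still exists on site $SiteId")
        }
    } catch {
        $findings.Add("Step 4: could not query the IIS metabase ($($_.Exception.Message)); verify /msadc in the IIS console")
    }

    # Step 5: the RDS sample folder. $env:CommonProgramFiles stands in for the
    # bulletin's %SYSTEM%\Program Files\Common Files prefix (assumption).
    $samples = Join-Path $env:CommonProgramFiles 'System\msadc\samples'
    if (Test-Path $samples) {
        $findings.Add("Step 5: sample folder $samples still exists")
    }

    return $findings
}

# Usage: run from an elevated prompt on the web server.
$result = @(Test-MdacRdsHardening)
if ($result.Count -eq 0) {
    'All MDAC RDS hardening checks passed'
} else {
    $result
}
```

Run it again after any MDAC install or upgrade, since step 1 notes that the MDAC installer recreates the registry entries and the /msadc virtual directory; the script deliberately reports rather than remediates, so that the removal of keys and directories stays a reviewed, manual action as the bulletin describes.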
Allaire strongly recommends that all ColdFusion Windows NT customers who wish to make use of the features of MDAC RDS, or customers who use Windows NT as their server operating system, should closely review the Microsoft Security Bulletins MS98-004 and MS99-025.

All ColdFusion Windows NT customers should review Allaire Security Bulletin (ASB99-09): "Solutions to Issues that Allow Users to Execute Commands through Microsoft Access".

Related Links and Resources:

Microsoft Security Bulletin (MS00-014)
http://www.microsoft.com/technet/security/bulletin/ms00-014.asp

Microsoft MS00-014 FAQ
http://www.microsoft.com/technet/security/bulletin/fq00-014.asp

Microsoft Security Bulletin MS99-025

Microsoft Security Bulletin MS98-004

Microsoft MS99-025 FAQ

Rain.Forest.Puppy's NT Bugtraq posting archived at the NT Bugtraq web site (originally identifying the issue)

Russ Cooper's IIS RDS Vulnerability article on the NT Bugtraq web site

Revisions

July 27, 1999 -- Bulletin first released.
April 3, 2000 -- Bulletin updated with Microsoft® SQL Server 7.0 and Microsoft Data Engine (MSDE) vulnerability information.

Reporting Security Issues

Allaire is committed to addressing security issues and providing customers with the information on how they can protect themselves. If you identify what you believe may be a security issue with an Allaire product, please send an email to secure@allaire.com. We will work to appropriately address and communicate the issue.

Receiving Security Bulletins

When Allaire becomes aware of a security issue that we believe significantly affects our products or customers, we will notify customers when appropriate. Typically this notification will be in the form of a security bulletin explaining the issue and the response. Allaire customers who would like to receive notification of new security bulletins when they are released can sign up for our security notification service.
For additional information on security issues at Allaire, please visit the Security Zone at:
http://www.allaire.com/security

THE INFORMATION PROVIDED BY ALLAIRE IN THIS BULLETIN IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. ALLAIRE DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL ALLAIRE CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF ALLAIRE CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.