ISS X-Force Database: mdac-rds-client-bo(10669): Microsoft Data Access Components RDS Data Stub client heap buffer overflow

Microsoft Data Access Components RDS Data Stub client heap buffer overflow

mdac-rds-client-bo (10669)

High Risk

Description:

Microsoft Data Access Components (MDAC) is vulnerable to a buffer overflow in the Remote Data Services (RDS) Data Stub function. By creating a malicious Web page that sends a specially-crafted HTTP request when viewed, and hosting the page on a Web site or sending it to a potential victim as an HTML email, a remote attacker could overflow a buffer and execute arbitrary code on a victim's system, once the victim views the malicious page using Microsoft Internet Explorer.

Consequences:

Gain Access

Remedy:

Apply the patch for this vulnerability, as listed in Microsoft Security Bulletin MS02-065. See References.

References:

CERT Advisory CA-2002-33: Heap Overflow Vulnerability in Microsoft Data Access Components (MDAC).
CIAC Information Bulletin N-016: Buffer Overrun in Microsoft Data Access Components (MDAC).
Foundstone Research Labs Advisory - 112002 - MDAC: Remotely Exploitable Buffer Overflow in Microsoft MDAC.
Internet Security Systems Security Alert, November 21, 2002: Microsoft MDAC Remote Compromise Vulnerability.
Microsoft Corporation Web site: What You Should Know About Microsoft Security Bulletin MS02-065.
Microsoft Security Bulletin MS02-065: Buffer Overrun in Microsoft Data Access Components Could Lead to Code Execution (Q329414).
BID-6214: Microsoft Data Access Components RDS Buffer Overflow Vulnerability
CVE-2002-1142: Heap-based buffer overflow in the Remote Data Services (RDS) component of Microsoft Data Access Components (MDAC) 2.1 through 2.6, and Internet Explorer 5.01 through 6.0, allows remote attackers to execute code via a malformed HTTP request to the Data Stub.
US-CERT VU#542081: Microsoft Windows Data Access Components contains heap overflow in Data Stubs when parsing a malformed HTTP request

Platforms Affected:

Microsoft Data Access Components 2.1
Microsoft Data Access Components 2.5
Microsoft Data Access Components 2.6

Reported:

Nov 20, 2002

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@iss.net

Return to the main page