Microsoft IIS unauthorized ODBC data access with RDS
nt-iis-rds (1212)
Description:
Microsoft Data Access Components (MDAC), in the default configuration, could allow a remote attacker to access OLE database sources. A vulnerability in the DataFactory object of RDS could allow an attacker to use a Web client to send a SQL query to OLE database data sources. If the remote server is available to the Windows NT IIS server, and the attacker knows the correct IP address, SQL account and password, and database name, the attacker could retrieve the query results through the Web client. This vulnerability is compounded by the fact that many SQL databases contain a default administrator username ("sa") with a null password.
In addition, under some configurations this vulnerability could allow an attacker to execute shell commands or access files on the IIS server as a privileged user.
Consequences:
Gain Access
Remedy:
If RDS functionality is not needed, delete the /msadc virtual directory from the default Web site. If RDS functionality is needed, follow the instructions to configure MDAC properly, as listed in Microsoft Security Bulletin MS99-025: Frequently Asked Questions. See References.
Note: Microsoft originally provided a patch for this vulnerability in MS98-004, but it was re-released in the patch released with MS99-025.
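Before deleting /msadc, the IIS logs can show whether anything legitimately uses RDS and which clients have been requesting it. The following is an added example, not part of the original advisory: it assumes W3C extended logging is enabled, and the log lines and the function name msadc_hits are constructed for illustration.

```python
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample in W3C extended log format (not real traffic).
# The field order changes mid-file, as happens when logging is reconfigured.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Server 4.0
#Fields: date time c-ip cs-method cs-uri-stem sc-status
1999-07-20 10:01:02 192.0.2.10 GET /default.asp 200
1999-07-20 10:01:05 198.51.100.7 POST /msadc/msadcs.dll 200
1999-07-20 10:01:09 198.51.100.7 GET /MSADC/ 403
1999-07-20 10:02:00 192.0.2.10 GET /msadcinfo.htm 404
#Fields: date time c-ip cs-uri-stem cs-method sc-status
1999-07-20 10:03:00 203.0.113.5 /%6Dsadc/msadcs.dll POST 200
"""

def msadc_hits(log_text, prefix="/msadc"):
    """Return {client_ip: [(method, uri_stem, status), ...]} for every
    request at or below the RDS virtual directory."""
    fields = []
    hits = defaultdict(list)
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # column layout for following lines
            continue
        if not line.strip() or line.startswith("#") or not fields:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue                       # skip truncated or malformed lines
        rec = dict(zip(fields, values))
        raw = rec.get("cs-uri-stem", "")
        # IIS paths are case-insensitive; undo percent-encoding and
        # backslashes so variants of the same directory still match.
        path = unquote(raw).replace("\\", "/").lower()
        if path == prefix or path.startswith(prefix + "/"):
            hits[rec.get("c-ip", "-")].append(
                (rec.get("cs-method", "-"), raw, rec.get("sc-status", "-")))
    return dict(hits)

if __name__ == "__main__":
    for ip, reqs in msadc_hits(SAMPLE_LOG).items():
        for method, stem, status in reqs:
            print(f"{ip}\t{method}\t{stem}\t{status}")
```

If no expected application appears in the results, RDS is likely unused and the directory can be removed as described above; requests that were answered with status 200 warrant review of the database servers reachable from the IIS host.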
References:
- CERT Incident Note IN-1999-08: Attacks against IIS web servers involving MDAC.
- CIAC Information Bulletin J-054: Unauthorized Access to IIS Servers through ODBC Data Access with RDS.
- Internet Security Systems Security Alert #32: Vulnerabilities in Microsoft Remote Data Service.
- Microsoft Knowledge Base Article 184375: Security Implications of RDS 1.5, IIS 3.0 or 4.0, and ODBC.
- Microsoft Security Bulletin MS98-004: Unauthorized ODBC Data Access with RDS and IIS.
- Microsoft Security Bulletin MS99-025: Re-Release: Unauthorized Access to IIS Servers through ODBC Data Access with RDS.
- Microsoft Security Bulletin MS99-025 FAQ: Microsoft Security Bulletin (MS99-025): Frequently Asked Questions.
- Microsoft Universal Data Access Download page: MDAC 2.5 RTM.
- National Infrastructure Protection Center Advisory 00-060: "E-Commerce Vulnerabilities".
- National Infrastructure Protection Center Advisory 99-027: "Remote Database Services Vulnerability (RDS)".
- BID-529: NT IIS MDAC RDS Vulnerability
- CVE-1999-1011: The Remote Data Service (RDS) DataFactory component of Microsoft Data Access Components (MDAC) in IIS 3.x and 4.x exposes unsafe methods, which allows remote attackers to execute arbitrary commands.
- OSVDB ID: 272: Microsoft IIS MDAC RDS Arbitrary Remote Command Execution
Platforms Affected:
- Microsoft Data Access Components
- Microsoft Internet Information Server 4.0
- Microsoft Windows 2000
- Microsoft Windows NT 4.0
Reported:
Jul 17, 1998
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
For corrections or additions please email xforce@iss.net
