[11074] in bugtraq
FW: Microsoft Security Bulletin (MS99-025)
daemon@ATHENA.MIT.EDU (Horsfall, William A)
Mon Jul 19 19:25:49 1999
Content-Return: allowed
Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Message-Id: <738EF80A948ED211B4300000F840E91CBCDDDC@FALCON.CORNING.COM>
Date: Mon, 19 Jul 1999 13:39:29 -0400
Reply-To: "Horsfall, William A" <HorsfallWA@CORNING.COM>
From: "Horsfall, William A" <HorsfallWA@CORNING.COM>
X-To: BUGTRAQ <BUGTRAQ@SECURITYFOCUS.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
> ----------
> From: Microsoft Product Security[SMTP:secnotif@MICROSOFT.COM]
> Sent: Monday, July 19, 1999 1:23 PM
> To: MICROSOFT_SECURITY@ANNOUNCE.MICROSOFT.COM
> Subject: Microsoft Security Bulletin (MS99-025)
>
> The following is a Security Bulletin from the Microsoft Product Security
> Notification Service.
>
> Please do not reply to this message, as it was sent from an unattended
> mailbox.
> ********************************
>
> Microsoft Security Bulletin (MS99-025)
> --------------------------------------
>
> Re-Release: Unauthorized Access to IIS Servers through ODBC Data Access with
> RDS
>
> Originally Released as MS98-004, July 17, 1998
> Re-Released as MS99-025, July 19, 1999
>
> Preface
> =======
> This bulletin is a re-release of Microsoft Security Bulletin MS98-004,
> issued July 17, 1998. It has recently been brought to our attention that
> this vulnerability has been used to gain unauthorized access to
> Internet-connected systems that have not been updated as per the
> instructions in MS98-004. The intent of re-releasing this bulletin is to
> serve as a reminder about this vulnerability, to restate the threat, and
> encourage system administrators to evaluate their systems to determine if
> their systems have been correctly configured and updated to protect against
> this vulnerability.
>
> Summary
> =======
> Microsoft encourages the following actions be taken on systems that have
> Microsoft(r) Internet Information Server 3.0 or 4.0 and Microsoft Data
> Access Components 1.5, both of which are installed during a default
> installation of the Windows NT(r) 4.0 Option pack:
> - Install the latest version of MDAC (currently MDAC 2.1 SP2).
>
> However, simply upgrading from MDAC 1.5 to MDAC 2.0, or MDAC 2.1 is not
> sufficient. For systems not explicitly utilizing RDS functionality, you
> should also:
> - Delete the /msadc virtual directory from the default Web site, or
> - Apply registry settings that disable the DataFactory object. (See
> the Q&A for the registry settings to adjust, or to download a .REG
> file that can make the changes for you.)
>
> For systems implicitly utilizing RDS functionality, you should:
> - Disable Anonymous Access for the /msadc directory in the default
> Web site, and/or
> - Create a Custom Handler to control or filter incoming requests.
> (http://www.microsoft.com/Data/ado/rds/custhand.htm)
>
> If you do not complete these steps, unauthorized access as described below
> may still be possible.
>
> Frequently asked questions regarding this vulnerability and updating
> systems to protect against it can be found at
> http://www.microsoft.com/security/bulletins/MS99-025faq.asp
>
> Issue
> =====
> The RDS DataFactory object, a component of Microsoft Data Access Components
> (MDAC), exposes unsafe methods. When installed on a system running Internet
> Information Server 3.0 or 4.0, the DataFactory object may permit an
> otherwise unauthorized web user to perform privileged actions, including:
> - Allowing unauthorized users to execute shell commands on the
> IIS system as a privileged user.
> - On a multi-homed Internet-connected IIS system, using MDAC to
> tunnel SQL and other ODBC data requests through the public connection
> to a private back-end network.
> - Allowing unauthorized access to secured, non-published files on
> the IIS system.
>
> Affected Software Versions
> ==========================
> - Microsoft Internet Information Server 3.0 or 4.0 that has or
> has had Microsoft Data Access Components 1.5 installed on it.
>
> NOTE: IIS can be installed as part of other Microsoft products like
> Microsoft BackOffice and Microsoft Site Server.
>
> NOTE: MDAC 1.5 is installed during a default installation of the Windows NT
> 4.0 Option Pack.
>
> Patch Availability
> ==================
> Newer versions of Microsoft Data Access Components (MDAC versions 2.0 and
> 2.1) resolve these known vulnerabilities. However, a system that had MDAC
> 1.5 installed on it, and then upgraded to MDAC 2.0 or MDAC 2.1 must still
> take actions to disable the DataFactory object. (See the Q&A for the
> registry settings to adjust, or to download a .REG file that can make the
> changes for you.)
>
> Current versions of Microsoft Data Access Components can be downloaded from
> the following web site:
> - Microsoft Data Access Download Site
> (http://www.microsoft.com/data/download.htm)
>
> More Information
> ================
> Please see the following references for more information related to this
> issue.
> - Microsoft Security Bulletin MS99-025: Frequently Asked Questions,
> http://www.microsoft.com/security/bulletins/MS99-025faq.asp
> - Microsoft Knowledge Base (KB) article Q184375,
> Security Implications of RDS 1.5, IIS, and ODBC,
> http://support.microsoft.com/support/kb/articles/q184/3/75.asp
> - Microsoft Universal Data Access Download Page,
> http://www.microsoft.com/data/download.htm
> - Installing MDAC Q&A,
> http://www.microsoft.com/data/MDAC21info/MDACinstQ.htm
> - Microsoft Security Advisor web site,
> http://www.microsoft.com/security/default.asp
> - IIS Security Checklist,
> http://www.microsoft.com/security/products/iis/CheckList.asp
>
> Obtaining Support on this Issue
> ===============================
> Microsoft Data Access Components (MDAC) is a fully supported set of
> technologies. If you require technical assistance with this issue,
> please contact Microsoft Technical Support. For information on
> contacting Microsoft Technical Support, please see
> http://support.microsoft.com/support/contact/default.asp.
>
> Acknowledgments
> ===============
> Microsoft acknowledges Greg Gonzalez of ITE (http://www.infotechent.net) for
> bringing additional information regarding this vulnerability to our
> attention. Microsoft also acknowledges Russ Cooper (NTBugTraq) for his
> assistance around this issue.
>
> Revisions
> =========
> - July 19, 1999: Bulletin Created as re-release of MS98-004.
>
> -------------------------------------------------------------------------
>
> THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS"
> WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER
> EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS
> FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS
> SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT,
> INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES,
> EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE
> POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR
> LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE
> FOREGOING LIMITATION MAY NOT APPLY.
>
> (c) 1999 Microsoft Corporation. All rights reserved. Terms of Use.
>
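
Added example (not part of the forwarded bulletin and not Microsoft's code): a Python audit of IIS logs in W3C Extended Log File Format that checks whether anonymous requests are still being served under the /msadc virtual directory the bulletin says to delete or restrict. The log lines, addresses, user name and the "placeholder.dll" file name are constructed for illustration.

```python
from collections import Counter

# Constructed sample in W3C Extended Log File Format; "placeholder.dll" and
# all addresses and user names are made up for this example.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Server 4.0
#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status
1999-07-19 17:01:02 192.0.2.10 - GET /default.htm 200
1999-07-19 17:01:09 192.0.2.44 - POST /MSADC/placeholder.dll 200
1999-07-19 17:02:30 192.0.2.44 - POST /msadc/placeholder.dll 200
1999-07-19 17:03:11 198.51.100.7 CORP\\alice POST /msadc/placeholder.dll 200
1999-07-19 17:04:00 192.0.2.10 - GET /msadcinfo.htm 404
#Fields: date time c-ip cs-method cs-uri-stem sc-status cs-username
1999-07-19 18:00:00 203.0.113.5 GET /msadc/ 403 -
"""

def under_vdir(stem, vdir="/msadc"):
    """True if the URI stem is the virtual directory or a path below it."""
    stem, vdir = stem.lower(), vdir.lower().rstrip("/")
    return stem == vdir or stem.startswith(vdir + "/")

def audit(lines, vdir="/msadc"):
    """Split requests under vdir into (anonymous, authenticated) hit lists."""
    fields, anonymous, authenticated = [], [], []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column layout can change mid-file
            continue
        values = line.split()
        if line.startswith("#") or not fields or len(values) != len(fields):
            continue  # other directives, blank or malformed entries
        rec = dict(zip(fields, values))
        if not under_vdir(rec.get("cs-uri-stem", ""), vdir):
            continue
        hit = (rec.get("c-ip", "?"), rec["cs-uri-stem"], rec.get("sc-status", "?"))
        bucket = anonymous if rec.get("cs-username", "-") == "-" else authenticated
        bucket.append(hit)
    return anonymous, authenticated

def anonymous_successes(anonymous):
    """Per-client count of anonymous requests the server answered with 2xx."""
    return Counter(ip for ip, _stem, status in anonymous if status.startswith("2"))

if __name__ == "__main__":
    anon, auth = audit(SAMPLE_LOG.splitlines())
    for ip, count in anonymous_successes(anon).items():
        print(f"{ip}: {count} anonymous request(s) served under /msadc")
```

A 2xx response to a request logged with "-" as the user name under /msadc indicates the directory is still present and anonymous access to it has not been disabled.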