
Microsoft Data Access Components RDS Buffer Overflow Vulnerability

Risk
High

Date Discovered
11-20-2002

Description
Microsoft Data Access Components (MDAC) contains multiple buffer overflows in a Remote Data Services (RDS) component. The server side RDS component affected is called the RDS Data Stub, while the client side is called the Data Space control.

The buffer overflows are related to the parsing of some header fields of MDAC requests performed by msadcs.dll. Symantec has determined a set of possible attack variants and is working on IDS signatures to detect all the variants.

Symantec recommends ManHunt users activate the HYBRID MODE function and apply the custom rule immediately (see below).

Symantec Intruder Alert includes a policy to detect this vulnerability. Click here to download.

Symantec NetProwler 3.51 Security Update 21 includes detection of requests made to the RDS Data Stub component of Microsoft Data Access Components (MDAC). Click here to download.

Symantec Enterprise Security Manager includes a policy that will detect this vulnerability. The policy is available for download here. All users of Symantec Enterprise Security Manager should deploy this policy immediately.

Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code, or at the very least, cause a denial of service.

While this vulnerability affects Internet Explorer 6, Windows XP users are not at risk.

Platforms Affected
Microsoft Office 2000 SP2
Microsoft Office 2000 SR1
Microsoft SQL Server 7.0 SP2
Microsoft SQL Server 7.0 SP2 alpha
Microsoft SQL Server 7.0 SP3
Microsoft SQL Server 7.0 SP3 alpha
Microsoft SQL Server 2000
Microsoft SQL Server 2000 SP1
Microsoft SQL Server 2000 SP2
Microsoft SQL Server 2000 Desktop Engine
Microsoft Windows 2000 Advanced Server
Microsoft Windows 2000 Advanced Server SP1
Microsoft Windows 2000 Advanced Server SP2
Microsoft Windows 2000 Datacenter Server
Microsoft Windows 2000 Datacenter Server SP1
Microsoft Windows 2000 Datacenter Server SP2
Microsoft Windows 2000 Professional
Microsoft Windows 2000 Professional SP1
Microsoft Windows 2000 Professional SP2
Microsoft Windows 2000 Server
Microsoft Windows 2000 Server SP1
Microsoft Windows 2000 Server SP2
Microsoft Windows 2000 Server Japanese Edition
Microsoft Windows 2000 Terminal Services
Microsoft Windows 2000 Terminal Services SP1
Microsoft Windows 2000 Terminal Services SP2
Microsoft Windows 95
Microsoft Windows 98
Microsoft Windows 98SE
Microsoft Windows ME
Microsoft Windows NT Enterprise Server 4.0
Microsoft Windows NT Enterprise Server 4.0 SP1
Microsoft Windows NT Enterprise Server 4.0 SP2
Microsoft Windows NT Enterprise Server 4.0 SP3
Microsoft Windows NT Enterprise Server 4.0 SP4
Microsoft Windows NT Enterprise Server 4.0 SP5
Microsoft Windows NT Enterprise Server 4.0 SP6
Microsoft Windows NT Enterprise Server 4.0 SP6a
Microsoft Windows NT Server 4.0
Microsoft Windows NT Server 4.0 SP1
Microsoft Windows NT Server 4.0 SP2
Microsoft Windows NT Server 4.0 SP3
Microsoft Windows NT Server 4.0 SP4
Microsoft Windows NT Server 4.0 SP5
Microsoft Windows NT Server 4.0 SP6
Microsoft Windows NT Server 4.0 SP6a
Microsoft Windows NT Terminal Server 4.0
Microsoft Windows NT Terminal Server 4.0 SP1
Microsoft Windows NT Terminal Server 4.0 SP2
Microsoft Windows NT Terminal Server 4.0 SP3
Microsoft Windows NT Terminal Server 4.0 SP4
Microsoft Windows NT Terminal Server 4.0 SP5
Microsoft Windows NT Terminal Server 4.0 SP6
Microsoft Windows NT Terminal Server 4.0 SP6a
Microsoft Windows NT Workstation 4.0
Microsoft Windows NT Workstation 4.0 SP1
Microsoft Windows NT Workstation 4.0 SP2
Microsoft Windows NT Workstation 4.0 SP3
Microsoft Windows NT Workstation 4.0 SP4
Microsoft Windows NT Workstation 4.0 SP5
Microsoft Windows NT Workstation 4.0 SP6
Microsoft Windows NT Workstation 4.0 SP6a

Components Affected
Microsoft Internet Explorer 5.0.1 SP2
Microsoft Internet Explorer 5.0.1 SP1
Microsoft Internet Explorer 5.0.1
Microsoft Internet Explorer 5.5 SP2
Microsoft Internet Explorer 5.5 SP1
Microsoft Internet Explorer 5.5
Microsoft Internet Explorer 6.0 SP1
Microsoft Internet Explorer 6.0
Microsoft MDAC 2.1
Microsoft MDAC 2.5
Microsoft MDAC 2.6

Recommendations
Block external access at the network boundary, unless service is required by external parties.
Do not permit external access to web services unless they are explicitly required by external users.

Run all client software as a non-privileged user with minimal access rights.
Do not run Internet Explorer as a user with greater privileges than required.

Run all server processes as non-privileged users with minimal access rights.
Running IIS as an unprivileged user will limit the consequences of successful exploitation.

Do not accept communications that originate from unknown or untrusted sources.
Do not visit unknown or untrusted websites from critical systems. Do not open HTML email from unknown or untrusted users.

Symantec ManHunt Users: Symantec recommends that ManHunt users activate the HYBRID MODE function and immediately apply the custom rule below. For more information on how to create custom signatures, refer to ManHunt Administrative Guide: Appendix A Custom Signatures for HYBRID Mode.

********************signature file*******************
#
#Variables need to be set according to the user's network. Below are examples of how to set
#a variable. For more information see ManHunt Administrative Guide: Appendix A.
#
#var EXTERNAL_NET 192.168.1.0/24
#var HTTP_SERVERS 172.16.12.23
#var HTTP_PORT 80
#
var EXTERNAL_NET any
var HTTP_SERVERS any
var HTTP_PORT any
#
#
#
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORT (msg:"HTTP_MDAC_Component_Query"; content:"POST"; offset:0; depth:4; nocase; content:"/msadc/msadcs.dll"; depth:30; nocase; content:".Query HTTP/1.";)

*****************EOF*******************************
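
To make the rule's matching logic concrete, the following added example (not Symantec's code and not part of the original advisory) evaluates the rule's three content options against HTTP request payloads. It assumes Snort-style semantics for content, offset, depth and nocase; the sample requests, the host name and the ExampleObject name are constructed.

```python
# Added illustration: evaluates the three content matches of the custom rule
# against a TCP payload. Snort-style option semantics are an assumption here.

RULE_MSG = "HTTP_MDAC_Component_Query"

# (pattern, offset, depth, nocase); depth None = search to end of payload
RULE_CONTENTS = [
    (b"POST", 0, 4, True),                 # content:"POST"; offset:0; depth:4; nocase;
    (b"/msadc/msadcs.dll", 0, 30, True),   # content:"/msadc/msadcs.dll"; depth:30; nocase;
    (b".Query HTTP/1.", 0, None, False),   # content:".Query HTTP/1.";
]


def content_match(payload, pattern, offset, depth, nocase):
    """True if pattern lies entirely inside payload[offset:offset+depth]."""
    end = len(payload) if depth is None else offset + depth
    window = payload[offset:end]
    if nocase:
        window, pattern = window.lower(), pattern.lower()
    return pattern in window


def rule_matches(payload):
    """Every content option must match for the alert to fire."""
    return all(content_match(payload, *c) for c in RULE_CONTENTS)


def scan(payloads):
    """Return (index, msg) for each payload that would raise the alert."""
    return [(i, RULE_MSG) for i, p in enumerate(payloads) if rule_matches(p)]


# Constructed sample payloads (start of HTTP requests), not captured traffic.
SAMPLES = [
    b"POST /msadc/msadcs.dll/ExampleObject.Query HTTP/1.1\r\nHost: www.example.test\r\n\r\n",
    b"post /MSADC/MSADCS.DLL/ExampleObject.Query HTTP/1.0\r\nHost: www.example.test\r\n\r\n",
    b"GET /msadc/msadcs.dll HTTP/1.1\r\nHost: www.example.test\r\n\r\n",
    b"POST /index.asp HTTP/1.1\r\nHost: www.example.test\r\n\r\n",
]

if __name__ == "__main__":
    for idx, msg in scan(SAMPLES):
        print(f"alert {msg}: sample {idx}")
```

Because the rule fires on any POST to the RDS Data Stub query interface, an alert identifies a request that reached msadcs.dll and should be correlated with the patch status of the target server.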


Microsoft has also released a fix for this vulnerability.

Microsoft Internet Explorer 5.0.1 SP2:
Microsoft Patch q329414_mdacall_x86.exe
http://download.microsoft.com/download/dasdk/Patch/Q329414/W98NT42KMe/EN-US/q329414_mdacall_x86.exe

Microsoft Internet Explorer 5.0.1 SP1:
Microsoft Patch q329414_mdacall_x86.exe
http://download.microsoft.com/download/dasdk/Patch/Q329414/W98NT42KMe/EN-US/q329414_mdacall_x86.exe

Microsoft Internet Explorer 5.0.1:
Microsoft Patch q329414_mdacall_x86.exe
http://download.microsoft.com/download/dasdk/Patch/Q329414/W98NT42KMe/EN-US/q329414_mdacall_x86.exe

Microsoft Internet Explorer 5.5 SP2:
Microsoft Patch q329414_mdacall_x86.exe
http://download.microsoft.com/download/dasdk/Patch/Q329414/W98NT42KMe/EN-US/q329414_mdacall_x86.exe

Microsoft Internet Explorer 5.5 SP1:
Microsoft Patch q329414_mdacall_x86.exe
http://download.microsoft.com/download/dasdk/Patch/Q329414/W98NT42KMe/EN-US/q329414_mdacall_x86.exe

Microsoft Internet Explorer 5.5:
Microsoft Patch q329414_mdacall_x86.exe
http://download.microsoft.com/download/dasdk/Patch/Q329414/W98NT42KMe/EN-US/q329414_mdacall_x86.exe

Microsoft Internet Explorer 6.0 SP1:
Microsoft Patch q329414_mdacall_x86.exe
http://download.microsoft.com/download/dasdk/Patch/Q329414/W98NT42KMe/EN-US/q329414_mdacall_x86.exe

Microsoft Internet Explorer 6.0:
Microsoft Patch q329414_mdacall_x86.exe
http://download.microsoft.com/download/dasdk/Patch/Q329414/W98NT42KMe/EN-US/q329414_mdacall_x86.exe

Microsoft MDAC 2.1:
Microsoft Patch q329414_mdacall_x86.exe
http://download.microsoft.com/download/dasdk/Patch/Q329414/W98NT42KMe/EN-US/q329414_mdacall_x86.exe

Microsoft MDAC 2.5:
Microsoft Patch q329414_mdacall_x86.exe
http://download.microsoft.com/download/dasdk/Patch/Q329414/W98NT42KMe/EN-US/q329414_mdacall_x86.exe

Microsoft MDAC 2.6:
Microsoft Patch q329414_mdacall_x86.exe
http://download.microsoft.com/download/dasdk/Patch/Q329414/W98NT42KMe/EN-US/q329414_mdacall_x86.exe

References
Source: SecurityFocus
URL: http://online.securityfocus.com/bid/6214

Source: CERT CA-2002-33 Heap Overflow vulnerability in Microsoft Data Access Components (MDAC)
URL: http://online.securityfocus.com/bid/4711

Source: CVE CAN-2002-1142
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1142

Source: Foundstone Research Labs Advisory - 112002 - MDAC
URL: http://www.foundstone.com/knowledge/randd-advisories-display.html?id=337

Source: Microsoft Security Bulletin MS02-065
URL: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-065.asp

Credits
The discovery of this vulnerability is credited to Foundstone Research Labs.


Copyright (c) 2002 by Symantec Corp.
Permission to redistribute this alert electronically is granted as long as it is not edited in any way unless authorized by Symantec Security Response. Reprinting the whole or part of this alert in any medium other than electronically requires permission from symsecurity@symantec.com.
