[NT] Remotely Exploitable Buffer Overflow in Microsoft MDAC (Technical details)

From: support@securiteam.com
Date: 11/21/02

    From: support@securiteam.com
    To: list@securiteam.com
    Date: 21 Nov 2002 15:21:54 +0200


    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

      Remotely Exploitable Buffer Overflow in Microsoft MDAC (Technical details)
    ------------------------------------------------------------------------

    SUMMARY

    Microsoft Data Access Components (MDAC) is the collection of components that
    provides the back-end database access technology for Windows platforms. MDAC
    is installed by default on Windows 2000 and ships with the Windows NT 4.0
    Option Pack.

    One of the components within MDAC, Remote Data Services (RDS), enables
    controlled Internet access to remote data resources through Internet
    Information Services (IIS). This access lets clients invoke server-side
    components, including .dll and .exe files, which is how sites add
    functionality on top of RDS. RDS consists of two functional technologies,
    DataSpace and DataControl. The vulnerable code path is the DataSpace object
    of RDS, which sits as a middle layer between the web front end and the
    server-side component being invoked. Due to incorrect string handling
    within the RDS interface, a malicious user can overrun a buffer and gain
    control of the remote system.

    Because the same RDS components are used on the client side, Internet
    Explorer (IE) is also affected and may be compromised by a malicious web
    server even if MDAC has not been separately installed on the client system.
    Certain versions of IE allow crafted HTTP response packets to overrun
    internal components, allowing arbitrary code to be executed on the client
    system.

    DETAILS

    Detailed Description:
    The RDS interface is exposed through msadcs.dll. To exploit this
    vulnerability, an attacker sends the IIS server a POST request for
    msadcs.dll with an abnormally long string in the Content-Type header. The
    oversized header overwrites portions of heap memory. By overwriting certain
    function pointers in memory (e.g. the unhandled exception filter), the
    attacker can kill the current IIS thread or execute arbitrary code within
    the IIS process before the thread terminates.
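    As an added example (this is not code from the advisory or from Foundstone), the following classifier turns the request shape described above into a detection check that can be run over captured HTTP requests: a POST whose path contains msadcs.dll and whose Content-Type header is far longer than any legitimate media type. The sample requests are constructed for the example, the /msadc virtual directory is the default location of the RDS endpoint, and the 256-byte threshold is an assumed heuristic rather than a value from the advisory.

```python
# Added example, not part of the Foundstone/SecuriTeam advisory. Classify raw
# HTTP requests by whether they match the msadcs.dll Content-Type overrun
# shape. SAMPLE_REQUESTS is constructed for illustration and
# MAX_CONTENT_TYPE_LEN is an assumed threshold, not a value from the advisory.
from typing import Dict, Optional
from urllib.parse import unquote

TARGET_DLL = "msadcs.dll"
# Assumption: genuine Content-Type values are a few dozen bytes; anything past
# this aimed at the RDS endpoint is treated as an overrun attempt.
MAX_CONTENT_TYPE_LEN = 256


def parse_request(raw: bytes) -> Optional[dict]:
    """Parse the request line and headers of a raw HTTP/1.x request.

    Returns None when the request line is not '<method> <target> <version>'.
    Header names are lower-cased; if a header repeats, the longest value is
    kept, because length is what the overrun check cares about.
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3:
        return None
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if not sep:
            continue  # not a header line; skip it
        key = name.strip().lower().decode("latin-1")
        val = value.strip().decode("latin-1")
        if len(val) > len(headers.get(key, "")):
            headers[key] = val
    return {
        "method": parts[0].decode("latin-1"),
        "target": parts[1].decode("latin-1"),
        "headers": headers,
        "body": body,
    }


def classify_request(raw: bytes, max_len: int = MAX_CONTENT_TYPE_LEN) -> str:
    """Return 'malformed', 'other', 'rds-post' or 'overrun' for one raw request."""
    req = parse_request(raw)
    if req is None:
        return "malformed"
    # IIS percent-decodes the path and matches it case-insensitively, so do the
    # same before looking for the DLL. Legitimate RDS calls continue the path
    # after the DLL name (e.g. /msadc/msadcs.dll/AdvancedDataFactory.Query),
    # so match on containment rather than on the suffix.
    path = unquote(req["target"].split("?", 1)[0]).lower()
    if req["method"].upper() != "POST" or "/" + TARGET_DLL not in path:
        return "other"
    if len(req["headers"].get("content-type", "")) > max_len:
        return "overrun"
    return "rds-post"


# Constructed sample traffic for illustration; not captured from a real server.
SAMPLE_REQUESTS = {
    "benign_get": b"GET /index.html HTTP/1.0\r\nHost: www.example.com\r\n\r\n",
    "legit_rds": (
        b"POST /msadc/msadcs.dll/AdvancedDataFactory.Query HTTP/1.0\r\n"
        b"Host: www.example.com\r\n"
        b"Content-Type: application/x-varg\r\n"
        b"Content-Length: 0\r\n\r\n"
    ),
    "overrun": (
        b"POST /msadc/msadcs.dll HTTP/1.1\r\n"
        b"Host: www.example.com\r\n"
        b"Content-Type: " + b"A" * 4096 + b"\r\n"
        b"Content-Length: 0\r\n\r\n"
    ),
    "overrun_encoded_path": (
        b"POST /MSADC/msadcs%2Edll HTTP/1.0\r\n"
        b"Content-Type: " + b"B" * 1024 + b"\r\n\r\n"
    ),
    "garbage": b"\x00\x01not-http\r\n\r\n",
}


def scan(requests: Dict[str, bytes]) -> Dict[str, str]:
    """Classify every request and return {name: verdict}."""
    return {name: classify_request(raw) for name, raw in requests.items()}


if __name__ == "__main__":
    for name, verdict in scan(SAMPLE_REQUESTS).items():
        print(f"{name:22s} {verdict}")
```

    The check keys on the POST shape the advisory describes, so a GET with an oversized Content-Type is reported as "other"; any POST reaching msadcs.dll is reported separately as "rds-post", which is worth logging on its own on servers that are not meant to expose RDS.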

    In addition to the server-side vector, the vulnerability also affects the
    string handling that the RDS DataSpace object applies to responses within
    Internet Explorer, so it can be used to exploit clients from a malicious
    web server. If a user browses to a malicious site, the server can craft a
    remote call that forces a new session and brings the client back to the
    site over that session. The server's malformed HTTP response then causes a
    buffer overrun within IE that allows the server to run arbitrary code on
    the client system, without any authentication, before the IE thread is
    killed.

    Vendor Response:
    Microsoft has released a fix for these vulnerabilities which modifies the
    string handling code within the DataSpace object of RDS. The fix is
    available at: http://windowsupdate.microsoft.com

    Foundstone would like to thank Microsoft Security Response Center for
    their prompt handling of this vulnerability.

    Solution:
    Foundstone recommends reviewing the Microsoft Security Bulletin and
    immediately applying the Microsoft patch. The Microsoft Security Bulletin
    can be viewed at the following location:
    http://support.microsoft.com/default.aspx?scid=kb;en-us;Q329414

    ADDITIONAL INFORMATION

    The original advisory can be downloaded from:
    http://www.foundstone.com/knowledge/randd-advisories-display.html?id=337

    The information has been provided by Barnaby Jack of Foundstone
    (labs@foundstone.com).

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.


