Bugtraq mailing list archives

Update to ODBC/RDS vulnerabilities


From: rfp () WIRETRIP NET
Date: Wed, 22 Sep 1999 01:07:54 -0500


Hello all,

It's been a while since I've posted anything, and I promise it will be
short this time. ;)

Microsoft has released a patched Jet ODBC engine that will fix the ODBC
problem as well as Mr. Cuartango's Excel vulnerabilities.
Basically, this is a 3.51 engine retrofitted with a 'sandbox' restriction
controlled by the following registry key:

\\HKLM\Software\Microsoft\Jet\3.5\Engines\SandboxMode

Also, as for the RDS problem, they recommended implementing custom
handlers to limit invocation of the RDS component to legit uses.  Custom
handler support is controlled by the following registry key:

\\HKLM\Software\Microsoft\DataFactory\HandlerInfo\handlerRequired

Now, perhaps it's just me, but on three different NT boxes I have, which
are various SP3 and 5 combos on NT4, patches installed as administrator,
the permissions on these registry keys are Everyone -> Special Access,
which includes Set Value.  This basically means domain users can remotely
disable handler and sandbox restrictions by changing the values of these
keys.  Hmmm.  I've tested this, and it worked as expected.
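The following PowerShell script is an added example for checking the condition described above; it is not part of the original post and is not Microsoft's or rfp's code. It assumes that SandboxMode and handlerRequired are values stored under the Engines and HandlerInfo keys respectively, and that registry ACLs are set on keys rather than on individual values, so the containing key is what gets inspected. It reports any Allow ACE granting a broad principal (Everyone, Users, Authenticated Users) rights that permit changing values, and it also shows the current setting of each value so a defender can see at a glance whether the restriction is still enabled.

```powershell
# Added example (not from the original post): audit write access on the keys
# holding the Jet SandboxMode and RDS handlerRequired values.
# Assumption: each restriction is a value under the listed parent key, and the
# ACL that matters is the one on that parent key.
$checks = @(
    @{ Key = 'HKLM:\Software\Microsoft\Jet\3.5\Engines';        Value = 'SandboxMode' },
    @{ Key = 'HKLM:\Software\Microsoft\DataFactory\HandlerInfo'; Value = 'handlerRequired' }
)

# Rights that let a principal alter or replace the values under a key.
# ReadKey does not include any of these bits, so read-only ACEs are not flagged.
$writeMask = [System.Security.AccessControl.RegistryRights]::SetValue -bor
             [System.Security.AccessControl.RegistryRights]::CreateSubKey -bor
             [System.Security.AccessControl.RegistryRights]::ChangePermissions -bor
             [System.Security.AccessControl.RegistryRights]::TakeOwnership

# Principals broad enough that write access to these keys is a finding.
$broadPrincipals = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users')

function Test-JetRdsKeyAcl {
    param([hashtable[]]$Checks = $checks)
    $findings = @()
    foreach ($c in $Checks) {
        if (-not (Test-Path $c.Key)) {
            Write-Verbose "$($c.Key) not present; component probably not installed"
            continue
        }
        # Current value, if set (null when the value does not exist).
        $item = Get-ItemProperty -Path $c.Key -Name $c.Value -ErrorAction SilentlyContinue
        $current = if ($item) { $item.($c.Value) } else { $null }

        $acl = Get-Acl -Path $c.Key
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            $who = $ace.IdentityReference.Value
            $canWrite = ($ace.RegistryRights -band $writeMask) -ne 0
            if (($broadPrincipals -contains $who) -and $canWrite) {
                $findings += [pscustomobject]@{
                    Key          = $c.Key
                    Value        = $c.Value
                    CurrentValue = $current
                    Principal    = $who
                    Rights       = $ace.RegistryRights
                    Inherited    = $ace.IsInherited
                }
            }
        }
    }
    return $findings
}

$results = Test-JetRdsKeyAcl
if ($results) {
    $results | Format-Table -AutoSize
} else {
    'No broad write access found on the checked keys.'
}
```

Run it in an elevated session on the host being checked, or wrap the call in Invoke-Command to query several servers at once. A non-empty table means the restriction can be switched off by an ordinary account, which is the condition the post describes; tightening the key's ACL so that only Administrators and SYSTEM hold SetValue closes that gap.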

Also, Mnemonix pointed out an interesting aspect which I overlooked for
the RDS vulnerability that really makes it more evil.  The current
limitation to the RDS exploit is that it requires a local file to 'attach'
to, specifically a .mdb.  Well, you can use UNC addresses for this file,
so if you setup a Windows share on the internet, you can request your file
off that, therefore bypassing the need for a local file.  I've tested
this, and it works as well.

I am finishing updates to my RDS exploit program, which I'll probably
release in the next week.  It will implement all of this, plus clean up
the code a bit.

Also, I wanted to point out an omission of credit in the RDS advisory.
Matthew Astley, with whom I co-wrote the May 25th advisory with the original
ODBC info, should have been given credit as well for the ODBC/Jet pipe
problem.  Apologies to Matthew.

.rain.forest.puppy.
--------------------------------------------------------------------------
If I had a signoff banner, it would be here.  But I don't, so I'll fake it
--------------------------------------------------------------------------
