Microsoft Security Program: Frequently Asked Questions: Microsoft Security Bulletin (MS99-025)

What's this bulletin about?
Microsoft Security Bulletin MS99-025 is a re-release of Microsoft Security Bulletin MS98-004, which was originally issued on July 17, 1998, and discussed a vulnerability in the Microsoft® Data Access Components (MDAC). A visitor to a web site on which both Microsoft Internet Information Server (IIS) and certain versions of MDAC are installed could perform privileged actions on the system. IIS and MDAC 1.5 are installed by default as part of the Windows NT 4 Option Pack.
Microsoft takes security seriously, and is providing this bulletin to remind customers about this vulnerability, to restate the threat, and to encourage system administrators to verify that their systems have been correctly configured and updated to protect against it.

What's the scope of the vulnerability?
This is a privilege elevation attack. On a system with both IIS and MDAC installed, the vulnerability in MDAC could allow an otherwise unauthorized web user to perform privileged actions on the system, including:

Allowing an unauthorized user to execute shell commands on the IIS system as a privileged user.

On a multi-homed Internet-connected IIS system, using MDAC to tunnel SQL and other ODBC data requests through the public connection to a private back-end network.

Allowing unauthorized access to secured, non-published files on the IIS system.

Is this a new issue?
No. It was previously discussed in Microsoft Security Bulletin MS98-004, which documented the vulnerability in MDAC 1.5 and detailed steps that should be taken to eliminate the vulnerability. Customers who followed steps detailed in MS98-004 are not at risk from this vulnerability.

If this is not a new issue, why is Microsoft re-releasing the security bulletin?
There are three reasons:

Microsoft has recently learned that the vulnerability has been used to gain unauthorized access to Internet-connected systems that have not been updated per the instructions in MS98-004.

Unlike many vulnerabilities, this one is not eliminated simply by upgrading to a subsequent version. When upgrading, customers need to either perform a clean install or set a particular registry key to ensure that they are not vulnerable to the problem.

If a set of sample pages has been installed on a production server, it can introduce the vulnerability into an otherwise-secured server.

The intent of re-releasing this bulletin is to remind customers about this vulnerability, to restate the threat, and to encourage system administrators to verify that their systems have been correctly configured and updated to protect against it.

I have a firewall that protects my web server, will it protect me from this vulnerability?
In most cases, a simple packet-filtering firewall will not prevent exposure to this vulnerability. The RDS DataFactory object can be invoked by a web client issuing standard URL requests to an Internet Information Server over port 80 (or any alternate port that you have configured IIS to listen to).

Is this a vulnerability in IIS?
No. The only reason that IIS is discussed with regard to this vulnerability is because IIS provides a means for a hostile user to remotely exploit the vulnerability.

Where does the vulnerability lie?
The vulnerability lies in the Microsoft Data Access Components (MDAC); specifically, in one component of the Remote Data Services in MDAC, the DataFactory object.
MDAC provides key technologies that enable Universal Data Access. Data-driven client/server applications deployed over the Web or a LAN can use these components to easily integrate information from a variety of sources, both relational (SQL) and nonrelational. These components include Microsoft ActiveX® Data Objects (ADO), OLE DB, and Open Database Connectivity (ODBC). MDAC 1.5 ships with the Windows NT 4.0 Option Pack, and is installed during a default installation of the Option Pack.
Remote Data Service (RDS) is a component of MDAC which is installed by default when installing the Microsoft Windows NT 4.0 Option Pack. The goal of the RDS component is to enable controlled Internet access to remote data resources through IIS. A component of RDS, called the DataFactory object, is where the vulnerability is. The DataFactory object is designed as a server-side Automation object that receives client requests. In an Internet implementation, it resides on a Web server and is instantiated by the ADISAPI component. The DataFactory object provides read and write access to specified data sources, but doesn't contain any validation or business rules logic.

What versions of MDAC are affected?

MDAC 1.5 and 2.0 are affected by the vulnerability.

MDAC 2.1 is affected by the vulnerability when installed as an upgrade from a previous version.

Clean installations of MDAC 2.1 are only affected if Sample Pages for RDS have been installed.

What are Sample Pages for RDS?
These are samples provided as part of the Windows NT 4.0 Option Pack and the MDAC 2.0 Software Developers Kit (SDK). They are intended to help customers learn how to use the Remote Data Services, but are not intended to be deployed on production servers. The samples are not installed by default in the Option Pack, but are installed by default in the MDAC 2.0 SDK.

What do I need to do?
You need to do three things:

1. Determine what version of MDAC you are running, then consult the instructions below to configure it for secure operation.

2. Determine whether you need RDS functionality, then consult the instructions below to either disable it or configure it for secure operation. If you don't need it, the safest course of action is to disable it.

3. Determine whether you installed the Sample Pages for RDS. If you did, you should remove them.

How do I determine what version of MDAC I have installed?
You can check the version numbers on specific .dll files associated with MDAC to determine the version installed on your system. The following table summarizes what file versions correspond to which MDAC versions.

MDAC version                              Msdadc.dll     Oledb32.dll    Notes
MDAC 1.5c                                 1.50.3506.0    N/A
MDAC 2.0                                  2.0.3002.4     2.0.1706.0
MDAC 2.0 SP1                              2.0.3002.23    2.0.1706.0
MDAC 2.0 SP2                              2.0.3002.23    2.0.1706.0     Superset: SP1
MDAC 2.1.0.3513.2 (SQL)                   2.10.3513.0    2.10.3513.0
MDAC 2.1.1.3711.6 (Internet Explorer 5)   2.10.3711.2    2.10.3711.2
MDAC 2.1.1.3711.11 (GA)                   2.10.3711.2    2.10.3711.9

Note these version numbers and compare them after an application installation to determine whether MDAC was upgraded. We also encourage you to view the MDAC Release Manifest for more information about MDAC versioning.

I have MDAC 1.5 installed. What should I do?
If you need RDS functionality, you'll need to install MDAC 2.1, then follow the instructions below for securing your MDAC 2.1 installation. If you don't need RDS functionality, you should remove it by following the instructions below under "I don't need the RDS functionality. How do I remove it?".

I have MDAC 2.0 installed. What should I do?
You need to configure MDAC to operate in "safe mode". This provides RDS functionality but eliminates the vulnerability. "Safe mode" is governed by the setting of the following registry value:

Hive:   HKEY_LOCAL_MACHINE\SOFTWARE
Key:    Microsoft\DataFactory\HandlerInfo\
Name:   HandlerRequired
Type:   DWORD
Value:  0 = "unsafe mode"
        1 = "safe mode"

To make it easier to ensure that the server is configured in "safe mode", we provide a .REG file that when run on a system will set the appropriate registry key automatically. To use this .REG file, do the following:

The file is packaged as a self-extracting .zip file. Click here, then choose to either save or run the self-extracting file.

Run the self-extracting .zip file to extract the file it contains, which is named HANDSAFE.REM.

When you are ready to make the registry changes, rename HANDSAFE.REM to HANDSAFE.REG. (We packaged the file with an .REM extension as a safety measure -- .REG files automatically launch when double-clicked.)

Copy HANDSAFE.REG to each system that requires the registry change. Double-click HANDSAFE.REG to make the change.

I installed MDAC 2.1 as an upgrade. What should I do?
You need to configure MDAC to operate in "Safe Mode". See "I have MDAC 2.0 installed. What should I do?" for instructions.

I installed MDAC 2.1 as a clean installation. What should I do?
Clean installations of MDAC 2.1 are already configured in "safe mode".

I have MDAC 2.1 installed, but I don't know whether I did a clean install or an upgrade. What should I do?
As long as MDAC 2.1 is configured for "safe mode", it doesn't matter how it was installed. The important point is that clean installations of MDAC 2.1 default to "safe mode", and upgrades default to "unsafe mode". If you're not sure how you installed MDAC 2.1, it won't hurt to run HANDSAFE.REG, or to make the registry changes manually.

I don't need RDS functionality. What should I do?
Regardless of the version of MDAC you're using, you can disable RDS functionality by doing the following:

1. Delete the /msadc virtual directory from the default Web site.

2. Remove the following registry keys from the server hosting IIS:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\ADCLaunch\RDSServer.DataFactory

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\ADCLaunch\AdvancedDataFactory

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\ADCLaunch\VbBusObj.VbBusObjCls

Actually, performing either of the above steps will disable RDS functionality. However, we've listed both steps for completeness.

I do need RDS functionality. What should I do?
The DataFactory object provides powerful capabilities that web developers can use to build applications which access a rich variety of data sources. Best practices for applications that use RDS functionality include:

Ensure that you have installed the latest version of MDAC on your system, and configured it to run in "safe mode".

Ensure that the Sample Pages for RDS are not installed.

If anonymous users should not be able to use RDS, disable Anonymous Access for the /msadc directory in the default Web site.

If you want to only allow specific database requests, you can create a custom handler to control or filter incoming requests. Information on how to do this is available at http://msdn2.microsoft.com/en-us/library/ms811713.aspx 

I installed the Sample Pages for RDS. What should I do?
The sample pages are not intended for use on production servers. In particular, the VbBusObj object, which is installed as part of the sample pages, provides an additional means of exploiting the same vulnerability. At minimum, you should ensure that the VbBusObj object is removed by doing the following:

Delete %systemdrive%\program files\common files\system\msadc\samples\selector\middle_tier\vbbusobj\vbbusobj.dll

Remove the registry key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W3SVC\Parameters\ADCLaunch\VbBusObj.VbBusObjCls

However, the best practice is to remove the samples altogether. To do this, delete the contents of %systemdrive%\program files\common files\system\msadc\samples and all subfolders.

I don't know whether I installed the sample pages or not. What should I do?
If the folder %systemdrive%\program files\common files\system\msadc\samples exists, the sample files are installed, and you should remove that folder and all subfolders.
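
A read-only audit of the settings covered in the "safe mode", RDS removal and sample pages answers above, as an added example that is not part of the bulletin. It assumes PowerShell is available on the server being checked; the function name Get-RdsAuditFinding is hypothetical, and the /msadc virtual directory itself is not checked.

```powershell
# Added example, not Microsoft's code. Reads only; changes nothing.
function Get-RdsAuditFinding {
    # "Safe mode" is HandlerRequired = 1 (DWORD) under HandlerInfo.
    $handlerKey = 'HKLM:\SOFTWARE\Microsoft\DataFactory\HandlerInfo'
    $handler = $null
    if (Test-Path -Path $handlerKey) {
        $handler = (Get-ItemProperty -Path $handlerKey).HandlerRequired
    }
    if ($handler -eq 1) {
        'OK: HandlerRequired = 1 (safe mode)'
    } else {
        "FINDING: HandlerRequired is '$handler', not 1; safe mode is not enabled"
    }

    # ADCLaunch subkeys the bulletin lists for removal when RDS is not needed.
    $adcLaunch = 'HKLM:\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\ADCLaunch'
    foreach ($name in 'RDSServer.DataFactory', 'AdvancedDataFactory', 'VbBusObj.VbBusObjCls') {
        if (Test-Path -Path "$adcLaunch\$name") {
            if ($name -eq 'VbBusObj.VbBusObjCls') {
                # This entry comes with the sample pages and should always go.
                "FINDING: ADCLaunch\$name present (from the sample pages); remove it"
            } else {
                "INFO: ADCLaunch\$name present; remove it if RDS is not needed"
            }
        }
    }

    # Sample Pages for RDS: the folder's existence means they are installed.
    $samples = "$env:SystemDrive\Program Files\Common Files\System\msadc\samples"
    if (Test-Path -Path $samples) {
        "FINDING: sample pages folder exists: $samples"
        $dll = "$samples\selector\middle_tier\vbbusobj\vbbusobj.dll"
        if (Test-Path -Path $dll) {
            "FINDING: VbBusObj component present: $dll"
        }
    } else {
        'OK: sample pages folder not found'
    }
}

Get-RdsAuditFinding
```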

I installed the default installation of the Windows NT 4.0 Option Pack, am I affected?
Yes. The default installation of the Windows NT 4.0 Option Pack installs Microsoft Internet Information Server 4.0 and Microsoft Data Access Components 1.5, which is a vulnerable configuration.

Can I install the Windows NT 4.0 Option Pack without installing MDAC 1.5?
Yes. You can perform a custom installation of the Windows NT 4.0 Option Pack, and specify that the MDAC components should not be installed.

I installed the Windows NT 4.0 Option Pack, and then installed Windows NT 4.0 Service Pack 4 or 5, am I still affected?
Unless you have taken the steps indicated above (and in MS98-004), your system is still vulnerable. Service Packs 4 and 5 do not automatically update the MDAC components, nor do they automatically disable the DataFactory object.

Is there something I can watch for in the logs to help determine if someone is trying to use this vulnerability to gain access to my system?
Since exploiting this vulnerability requires a standard HTTP "POST" to the MDAC DataFactory object, you might be able to detect that someone has attempted to use this vulnerability against your system by reviewing the IIS logs for "POST" entries to /msadc/msadcs.dll.
Since the DataFactory object is a standard programmable interface, POST requests could be generated as part of the normal functioning of a custom-built web application. However, IIS does not use this functionality by default. So, unless you have built a custom application that uses the DataFactory object, a "POST /msadc/msadcs.dll" log entry indicates a good chance that someone has attempted to use this vulnerability against your system.
However, it is important to realize that if someone has gained privileged access to your system by exploiting this vulnerability, it may be possible for them to alter the IIS data logs.
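
The log review described above, as an added example that is not part of the bulletin. The sample log lines are constructed, the function name Find-MsadcPost is hypothetical, and the logs are assumed to be in W3C Extended format with a #Fields directive.

```powershell
# Added example, not Microsoft's code. Sample lines are constructed.
$sampleLog = @'
#Software: Microsoft Internet Information Server 4.0
#Version: 1.0
#Date: 1999-07-20 10:15:02
#Fields: date time c-ip cs-method cs-uri-stem sc-status
1999-07-20 10:15:02 192.0.2.10 GET /default.htm 200
1999-07-20 10:15:09 192.0.2.44 POST /msadc/msadcs.dll 200
1999-07-20 10:15:11 192.0.2.44 POST /MSADC/msadcs.dll 200
1999-07-20 10:16:40 192.0.2.10 GET /msadc/msadcs.dll 200
1999-07-20 10:17:03 192.0.2.77 POST /scripts/form.asp 200
'@ -split "`r?`n"

function Find-MsadcPost {
    param([string[]]$Line)
    $fields = @()
    foreach ($entry in $Line) {
        if ($entry -match '^#Fields:\s*(.+)$') {
            # Column order is declared per file, so take it from the directive.
            $fields = $Matches[1].Trim() -split '\s+'
            continue
        }
        if ($entry -match '^#' -or $entry.Trim() -eq '') { continue }

        # Map each column value to its declared field name.
        $cols = $entry.Trim() -split '\s+'
        $row = @{}
        for ($i = 0; $i -lt $fields.Count -and $i -lt $cols.Count; $i++) {
            $row[$fields[$i]] = $cols[$i]
        }
        # -eq and -match are case-insensitive, so /MSADC/MSADCS.DLL is caught too.
        # Anything after the DLL name in the path still counts as a hit.
        if ($row['cs-method'] -eq 'POST' -and
            $row['cs-uri-stem'] -match '^/msadc/msadcs\.dll(/|$)') {
            New-Object PSObject -Property $row
        }
    }
}

Find-MsadcPost -Line $sampleLog | Select-Object date, time, 'c-ip', 'cs-uri-stem'
```

To review a real log, pass its lines with Get-Content in place of $sampleLog, preferably working from a copy kept off the server, since a compromised host's logs may have been altered.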

I have some questions about installing MDAC 2.0 or 2.1, where can I find more information?
Information about the Microsoft Data Access Components can be found on the Microsoft Universal Data Access web site at http://www.microsoft.com/data. Questions specific to installing MDAC can be found on the MDAC Installation FAQ, http://msdn2.microsoft.com/data/aa937703.aspx.

Where can I get the latest version of MDAC?
You can download the latest versions of MDAC from the Microsoft Universal Data Access download site, http://msdn2.microsoft.com/data/default.aspx 

Where can I learn more about securing an Internet-based IIS server?
A good resource for securing a system running Internet Information Server 4.0 is the Microsoft Internet Information Server 4.0 Security Checklist, http://www.microsoft.com/technet/security/chklist/iischk.mspx.

Where can I learn more about best practices for my network?
The Microsoft Security web site is the best place to get information about Microsoft security.

How do I get technical support on this issue?
Microsoft Data Access Components (MDAC) is a fully supported set of technologies. If you require technical assistance with this issue, please contact Microsoft Technical Support. Information on contacting Microsoft Technical Support is available at http://support.microsoft.com/contactussupport/?ws=support.

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.

