What's the scope of the vulnerability?
This is a buffer overrun vulnerability in an object that ships with Visual Studio 6.0 Enterprise Edition or Visual Basic 6.0 Enterprise Edition. An attack via this vulnerability could have one of two effects: the malicious user could cause the affected object to fail, or he could potentially run arbitrary code on the target computer in the context of the interactively logged-on user.
What causes the vulnerability?
A DCOM object (VB T-SQL Debugger - vbsdicli.exe) that ships with Visual Studio 6.0 Enterprise has an unchecked buffer in a section of code that processes the parameters for one of the object's methods.
What is DCOM?
A technology for component-based development of software that is network-aware. Using Distributed Component Object Model (DCOM), developers can create network-aware applications using Component Object Model (COM) components. DCOM works under various network transports, including TCP/IP.
DCOM is a client/server protocol that provides distributed network services to COM, allowing DCOM-enabled software components to communicate over a network in a similar fashion to the method by which COM components communicate among themselves on a single machine. DCOM client objects make requests for services from DCOM server objects on different machines on the network using a standard set of interfaces.
For more information on DCOM please see the following link:
http://www.microsoft.com/com/default.mspx
What is COM?
The Component Object Model (COM) is an object-based software architecture that allows applications to be built from binary software components. COM is the foundation for various Microsoft technologies including OLE, ActiveX, Distributed COM (DCOM), COM+, and Microsoft Transaction Server (MTS).
COM is not a programming language, rather it is a specification. The goal of COM is to allow applications to be built using components. These COM components can be created by different vendors, at different times, and using different programming languages. Also, the COM components can run on different machines or different operating systems.
For more information please see the following link:
http://www.microsoft.com/com/default.mspx
What's the VB T-SQL object?
The T-SQL debugger is a DCOM object (which can be remotely initiated) integrated with the Data Environment designer. It allows you to interactively debug remote stored procedures written in Microsoft SQL Server's Transact SQL dialect, from within the Visual Basic development environment.
The vulnerability described in this bulletin is independent of any access to SQL server and only requires access to a machine with the debugger object installed.
For more information please see the following link:
http://msdn2.microsoft.com/en-us/library/Aa733643
What's wrong with the VB T-SQL object?
The object contains an unchecked buffer in the code that processes the parameters for one of the object's methods. A remote program could invoke this method so as to cause a buffer overrun.
As is often the case with buffer overrun vulnerabilities, either of two outcomes could occur. In the less serious case - in which the buffer was overrun by random data - the object would just produce an error or fail on the target computer. In the more serious case - in which the attacker filled the affected parameter in the object with specially selected data - the functionality of the object could be modified while it was running, in order to make it take something other than its intended action.
What would the first case enable an attacker to do?
If the parameter at issue here were filled with random data, the debugger object would fail. However, the user on the target machine could bypass the error and continue working normally.
What would the second case enable an attacker to do?
If an attacker were able to insert an invalid parameter containing specially chosen data, he could cause his program to take any action he wanted on the target computer when it referenced the debugger object. The only limitation on the actions the program could take would be those associated with the user who was running Visual Studio 6 at the time - if the user had few privileges on the machine, the malicious code might be able to do very little. On the other hand, if the user was an administrator on the machine, the code could do virtually anything.
Who could exploit the vulnerability?
There are a few prerequisites for exploiting this vulnerability:
• The malicious user would need to know the name of the target computer and would need to be on the same intranet as the target computer. If best practices were followed, and ports 137-139 and 445 were blocked at the router or firewall, the vulnerability could not be exploited from the Internet.
• The malicious user would also need to know that a specific user had Visual Studio 6.0 Enterprise installed on a specific machine.
• Finally, a specific user would need to be interactively logged in at the time of the attack.
What security context would the malicious program run under on the target machine?
Since the attack requires a user to be logged in, the malicious code would run in the context of that logged-on user. If the user on the affected computer was a local user, the program would have that user's local privileges on the machine. If the logged-on user was a member of a domain, the malicious program would have that user's domain privileges.
What if a user is not logged on at the time of the attack?
If the target computer did not have an interactively logged-on user, the attacker would receive an error message if he tried to reference the object on the target machine. An interactively logged-on user must be present at the time of the attack.
I don't have Visual Studio 6.0 Enterprise or Visual Basic 6.0 Enterprise Edition on my machine. Could I be affected?
No. This problem only affects either Visual Studio 6.0 Enterprise or Visual Basic 6.0 Enterprise Edition.
I run Visual Studio 6.0 or Visual Basic 6.0 Professional Edition. Could I be affected?
No. The debugger only ships with Visual Studio 6.0 Enterprise Edition or Visual Basic 6.0 Enterprise Edition.
What does the patch do?
The patch corrects the object to ensure that proper bounds checking takes place on the parameter in question.
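The defect class described above (an unchecked copy of a method parameter into a fixed-size buffer) and the fix this patch applies (bounds checking on that parameter) are illustrated by the following added C example. It is not code from the bulletin or from vbsdicli.exe; the handler names, the 64-byte buffer size and the parameter values are hypothetical stand-ins.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical buffer size; the real object's layout is not published. */
#define PARAM_BUF_SIZE 64

/* Before the fix: the caller-supplied parameter is copied into a
 * fixed-size stack buffer with no length check. A parameter longer than
 * PARAM_BUF_SIZE - 1 bytes writes past the end of 'buf' (the defect).
 * Only ever called here with short, constructed input. */
int process_param_unchecked(const char *param)
{
    char buf[PARAM_BUF_SIZE];
    strcpy(buf, param);               /* unchecked copy: the bug */
    return (int)strlen(buf);
}

/* After the fix: the parameter length is validated against the buffer
 * before anything is copied; over-long or missing input is rejected
 * with -1 so the caller sees an error instead of corrupted memory. */
int process_param_checked(const char *param)
{
    char buf[PARAM_BUF_SIZE];
    const char *end;
    size_t len;

    if (param == NULL)
        return -1;
    /* Look for the terminator only within the space we actually have. */
    end = memchr(param, '\0', PARAM_BUF_SIZE);
    if (end == NULL)                  /* no terminator in range: too long */
        return -1;
    len = (size_t)(end - param);
    memcpy(buf, param, len + 1);      /* bounded copy, terminator included */
    return (int)len;
}

/* Demonstration helper: build a constructed parameter of n 'A' bytes and
 * return what the checked handler does with it. */
int checked_result_for_length(size_t n)
{
    char tmp[PARAM_BUF_SIZE * 2];
    if (n >= sizeof tmp)
        return -2;                    /* helper's own limit, not the fix */
    memset(tmp, 'A', n);
    tmp[n] = '\0';
    return process_param_checked(tmp);
}
```

The checked handler accepts parameters of up to 63 bytes and rejects anything that does not fit with its terminator, which is the behaviour the patched object needs.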