-----BEGIN PGP SIGNED MESSAGE----- __________________________________________________________ The U.S. Department of Energy Computer Incident Advisory Capability ___ __ __ _ ___ / | /_\ / \___ __|__ / \ \___ __________________________________________________________ INFORMATION BULLETIN Unauthorized Access to IIS Servers through ODBC Data Access with RDS Microsoft Security Bulletin (MS99-025) July 26, 1999 23:00 GMT Number J-054 ______________________________________________________________________________ PROBLEM: This vulnerability has been used to gain unauthorized access to Internet-connected systems. This vulnerability was first announced in MS98-004 on July 19, 1998. MS98-004 was then re-released as MS99-025 on July 19, 1999, and followed by a correction on July 20, 1999. PLATFORM: Systems that have Microsoft(r) Internet Information Server 3.0 or 4.0 and Microsoft Data Access Components 1.5. DAMAGE: An unauthorized web user may be able to perform privileged actions. SOLUTION: The solution depends upon your particular situation. Consult the "Summary" section of MS99-025 and its correction for the details. ______________________________________________________________________________ VULNERABILITY Risk is high. This vulnerability is being actively exploited. ASSESSMENT: Patch your systems as soon as possible. ______________________________________________________________________________ [ Start Microsoft Security Bulletin (MS99-025) ] ******************************** Microsoft Security Bulletin (MS99-025) - -------------------------------------- Re-Release: Unauthorized Access to IIS Servers through ODBC Data Access with RDS Originally Released as MS98-004, July 17, 1998 Re-Released as MS99-025, July 19, 1999 Preface ======= This bulletin is a re-release of Microsoft Security Bulletin MS98-004, issued July 17, 1998. It has recently been brought to our attention that this vulnerability has been used to gain unauthorized access to Internet-connected systems that have not been updated as per the instructions in MS98-004. The intent of re-releasing this bulletin is to serve as a reminder about this vulnerability, to restate the threat, and encourage system administrators to evaluate their systems to determine if their systems have been correctly configured and updated to protect against this vulnerability. Summary ======= Microsoft encourages the following actions be taken on systems that have Microsoft(r) Internet Information Server 3.0 or 4.0 and Microsoft Data Access Components 1.5, both of which are installed during a default installation of the Windows NT(r) 4.0 Option pack: - Install the latest version of MDAC (currently MDAC 2.1 SP2). However, simply upgrading from MDAC 1.5 to MDAC 2.0, or MDAC 2.1 is not sufficient. For systems not explicitly utilizing RDS functionality, you should also: - Delete the /msdac virtual directory from the default Web site, or - Apply registry settings that disable the DataFactory object. (See the Q&A for the registry settings to adjust, or to download a .REG file that can make the changes for you.) For systems implicitly utilizing RDS functionality, you should: - Disable Anonymous Access for the /msadc directory in the default Web site, and/or - Create a Custom Handler to control or filter incoming requests. (http://www.microsoft.com/Data/ado/rds/custhand.htm) If you do not complete these steps, unauthorized access as described below may still be possible. Frequently asked questions regarding this vulnerability and updating systems to protect against it can be found at http://www.microsoft.com/security/bulletins/MS99-025faq.asp Issue ===== The RDS DataFactory object, a component of Microsoft Data Access Components (MDAC), exposes unsafe methods. When installed on a system running Internet Information Server 3.0 or 4.0, the DataFactory object may permit an otherwise unauthorized web user to perform privileged actions, including: - Allowing unauthorized users to execute shell commands on the IIS system as a privileged user. - On a multi-homed Internet-connected IIS system, using MDAC to tunnel SQL and other ODBC data requests through the public connection to a private back-end network. - Allowing unauthorized accessing to secured, non-published files on the IIS system. Affected Software Versions ========================== - Microsoft Internet Information Server 3.0 or 4.0 that have or have had Microsoft Data Access Components 1.5 installed on it. NOTE: IIS can be installed as part of other Microsoft products like Microsoft BackOffice and Microsoft Site Server. NOTE: MDAC 1.5 is installed during a default installation of the Windows NT 4.0 Option Pack. Patch Availability ================== Newer versions of Microsoft Data Access Components (MDAC versions 2.0 and 2.1) resolve these known vulnerabilities. However, a system that had MDAC 1.5 installed on it, and then upgraded to MDAC 2.0 or MDAC 2.1 must still take actions to disable the DataFactory object. (See the Q&A for the registry settings to adjust, or to download a .REG file that can make the changes for you.) Current versions of Microsoft Data Access Components can be downloaded from the following web site: - Microsoft Data Access Download Site (http://www.microsoft.com/data/download.htm) More Information ================ Please see the following references for more information related to this issue. - Microsoft Security Bulletin MS99-025: Frequently Asked Questions, http://www.microsoft.com/security/bulletins/MS99-025faq.asp - Microsoft Knowledge Base (KB) article Q184375, Security Implications of RDS 1.5, IIS, and ODBC, http://support.microsoft.com/support/kb/articles/q184/3/75.asp - Microsoft Universal Data Access Download Page, http://www.microsoft.com/data/download.htm - Installing MDAC Q&A, http://www.microsoft.com/data/MDAC21info/MDACinstQ.htm - Microsoft Security Advisor web site, http://www.microsoft.com/security/default.asp - IIS Security Checklist, http://www.microsoft.com/security/products/iis/CheckList.asp Obtaining Support on this Issue =============================== Microsoft Data Access Components (MDAC) is a fully supported set of technologies. If you require technical assistance with this issue, please contact Microsoft Technical Support. For information on contacting Microsoft Technical Support, please see http://support.microsoft.com/support/contact/default.asp. Acknowledgments =============== Microsoft acknowledges Greg Gonzalez of ITE (http://www.infotechent.net) for bringing additional information regarding this vulnerability to our attention. Microsoft also acknowledges Russ Cooper (NTBugTraq) for his assistance around this issue. Revisions ========= - July 19, 1999: Bulletin Created as re-release of MS98-004. - ------------------------------------------------------------------------- THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY. (c) 1999 Microsoft Corporation. All rights reserved. Terms of Use. ******************************************************************* [ End Microsoft Security Bulletin (MS99-025) (Correction follows) ] [ Start of correction to Microsoft Security Bulletin (MS99-025) ] ******************************** Microsoft Security Bulletin MS99-025 (http://www.microsoft.com/security/bulletins/MS99-025.asp), which was released on July 19, 1999, discussed a vulnerability associated with Internet Information Server and Microsoft Data Access Components. The Frequently Asked Questions (FAQ) page for this bulletin (http://www.microsoft.com/security/bulletins/MS99-025faq.asp) provided instructions on how to manually change the registry in order to protect vulnerable systems, and also provided an automated method for making the changes. However, we have discovered that the automated method is incorrect. If you manually changed the registry entries as discussed in the bulletin, you do not need to take any further action. All of the information in the bulletin and FAQ regarding registry keys is correct. However, if you downloaded HANDUNSF.REG and used it to automatically change the registry, you should download the corrected file and run it on all affected systems. The corrected file is named HANDSAFE.REG, in order to make it easy to tell that you are using the right file. The file can be downloaded from the FAQ page; the link to the file is contained in the answer to "I have MDAC 2.x installed, what should I do?". Even if you are not affected by this error, we recommend that you review the FAQ page again. We have made a number of changes to the original version of the FAQ, in order to provide a clearer description of the security vulnerability and the steps that customers should take. We regret the error and any inconvenience that it has caused. We are taking steps to ensure that the problem will not happen again. Sincerely, The Microsoft Product Security Team ******************************************************************* [ End of correction to Microsoft Security Bulletin (MS99-025) ] ______________________________________________________________________________ CIAC wishes to acknowledge Microsoft for the information contained in this bulletin. ______________________________________________________________________________ CIAC, the Computer Incident Advisory Capability, is the computer security incident response team for the U.S. Department of Energy (DOE) and the emergency backup response team for the National Institutes of Health (NIH). CIAC is located at the Lawrence Livermore National Laboratory in Livermore, California. CIAC is also a founding member of FIRST, the Forum of Incident Response and Security Teams, a global organization established to foster cooperation and coordination among computer security teams worldwide. CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can be contacted at: Voice: +1 925-422-8193 FAX: +1 925-423-8002 STU-III: +1 925-423-2604 E-mail: ciac@llnl.gov For emergencies and off-hour assistance, DOE, DOE contractor sites, and the NIH may contact CIAC 24-hours a day. During off hours (5PM - 8AM PST), use one of the following methods to contact CIAC: 1. Call the CIAC voice number 925-422-8193 and leave a message, or 2. Call 888-449-8369 to send a Sky Page to the CIAC duty person or 3. Send e-mail to 4498369@skytel.com, or 4. Call 800-201-9288 for the CIAC Project Leader. Previous CIAC notices, anti-virus software, and other information are available from the CIAC Computer Security Archive. World Wide Web: http://www.ciac.org/ (or http://ciac.llnl.gov -- they're the same machine) Anonymous FTP: ftp.ciac.org (or ciac.llnl.gov -- they're the same machine) Modem access: +1 (925) 423-4753 (28.8K baud) +1 (925) 423-3331 (28.8K baud) CIAC has several self-subscribing mailing lists for electronic publications: 1. CIAC-BULLETIN for Advisories, highest priority - time critical information and Bulletins, important computer security information; 2. SPI-ANNOUNCE for official news about Security Profile Inspector (SPI) software updates, new features, distribution and availability; 3. SPI-NOTES, for discussion of problems and solutions regarding the use of SPI products. Our mailing lists are managed by a public domain software package called Majordomo, which ignores E-mail header subject lines. To subscribe (add yourself) to one of our mailing lists, send the following request as the E-mail message body, substituting ciac-bulletin, spi-announce OR spi-notes for list-name: E-mail to ciac-listproc@llnl.gov or majordomo@rumpole.llnl.gov: subscribe list-name e.g., subscribe ciac-bulletin You will receive an acknowledgment email immediately with a confirmation that you will need to mail back to the addresses above, as per the instructions in the email. This is a partial protection to make sure you are really the one who asked to be signed up for the list in question. If you include the word 'help' in the body of an email to the above address, it will also send back an information file on how to subscribe/unsubscribe, get past issues of CIAC bulletins via email, etc. PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing communities receive CIAC bulletins. If you are not part of these communities, please contact your agency's response team to report incidents. Your agency's team will coordinate with CIAC. The Forum of Incident Response and Security Teams (FIRST) is a world-wide organization. A list of FIRST member organizations and their constituencies can be obtained via WWW at http://www.first.org/. This document was prepared as an account of work sponsored by an agency of the United States Government. Neither the United States Government nor the University of California nor any of their employees, makes any warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, apparatus, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation or favoring by the United States Government or the University of California. The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States Government or the University of California, and shall not be used for advertising or product endorsement purposes. LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC) J-044: Tru64/Digital UNIX (dtlogin) Security Vulnerability J-045: Vulnerability in statd exposes vulnerability in automountd J-046: HP-UX VVOS NES Vulnerability J-047: The ExploreZip Worm J-048: Malformed HTR Request Vulnerability J-049: Windows NT, Two Denial-of-Service Vulnerabilities J-050: HP-UX Visualize Conference Vulnerability J-051: Calendar Manager Service Buffer Overflow Vulnerability J-052: SGI arrayd default security configuration J-053: HP Current Directory Vulnerability -----BEGIN PGP SIGNATURE----- Version: 4.0 Business Edition iQCVAwUBN5xsY7nzJzdsy3QZAQET9gQAkK0fGDIMXvBlevog5Cf00xq83Cny8udL kDItephrBFJJMgLGXHAmu43cFSS9RSeCQ0kct8T08hIP7kYPmdudMQZJnfQRCNbC oxkFSSfE3gPf7SvyDbFlE6tHw1JUHrKDI6gO+/Ys8ib51ymxJrXaGLfT8wJWBBY4 fETz/6fXLpc= =Olt2 -----END PGP SIGNATURE-----