Update to ODBC/RDS vulnerabilities

From: rfpat_private
Date: Tue Sep 21 1999 - 23:07:54 PDT

    Hello all,
    
    It's been a while since I've posted anything, and I promise it will be
    short this time. ;)
    
    Microsoft has released a patched Jet ODBC engine that will fix the ODBC
    problem as well as Mr. Cuartango's Excel vulnerabilities.
    Basically, this is a 3.51 engine retrofitted with a 'sandbox' restriction
    controlled by the following registry key:
    
    \\HKLM\Software\Microsoft\Jet\3.5\Engines\SandboxMode
    
    Also, as for the RDS problem, they recommended implementing custom
    handlers to limit invocation of the RDS component to legit uses.  Custom
    handler support is controlled by the following registry key:
    
    \\HKLM\Software\Microsoft\DataFactory\HandlerInfo\handlerRequired
    
    Now, perhaps it's just me, but on three different NT boxes I have, which
    are various SP3 and 5 combos on NT4, patches installed as administrator,
    the permissions on these registry keys are Everyone -> Special Access,
    which includes Set Value.  This basically means domain users can remotely
    disable handler and sandbox restrictions by changing the values of these
    keys.  Hmmm.  I've tested this, and it worked as expected.
    
    Also, Mnemonix pointed out an interesting aspect which I overlooked for
    the RDS vulnerability that really makes it more evil.  The current
    limitation to the RDS exploit is that it requires a local file to 'attach'
    to, specifically a .mdb.  Well, you can use UNC addresses for this file,
    so if you set up a Windows share on the internet, you can request your file
    off that, therefore bypassing the need for a local file.  I've tested
    this, and it works as well.
    
    I am finishing updates to my RDS exploit program, which I'll probably
    release in the next week.  It will implement all of this, plus clean up
    the code a bit.
    
    Also, I wanted to point out an omission of credit in the RDS advisory.
    Matthew Astley, with whom I co-wrote the May 25th advisory containing the
    original ODBC info, should have been given credit as well for the ODBC/Jet
    pipe problem.  Apologies to Matthew.
    
    
    .rain.forest.puppy.
    --------------------------------------------------------------------------
    If I had a signoff banner, it would be here.  But I don't, so I'll fake it
    --------------------------------------------------------------------------
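The weak-ACL finding above (Everyone holding Set Value on the keys that gate the Jet sandbox and the RDS custom-handler requirement) is the kind of thing worth checking mechanically rather than by eye. The following PowerShell script is an added example for this page, not code from rfp's post or from Microsoft. It assumes that the last component of each path in the post is a DWORD value living under the preceding key (SandboxMode under ...\Jet\3.5\Engines, HandlerRequired under ...\DataFactory\HandlerInfo), and that the restrictive settings are SandboxMode = 3 and HandlerRequired = 1; both the locations and the expected values are assumptions stated here, and the list of "broad" principals is a judgement call. On a current Windows build these keys will usually not exist at all, which the script reports rather than treating as a failure.

```powershell
# Added example: audit the two registry locations named in the post for
# (a) write access granted to broad principals and (b) the restriction value
# itself having been changed or never set. Assumed key/value layout and
# expected values are noted in the lead-in. Run from an elevated prompt.

$targets = @(
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Jet\3.5\Engines';         Value = 'SandboxMode';     Expected = 3 },
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\DataFactory\HandlerInfo'; Value = 'HandlerRequired'; Expected = 1 }
)

# Rights that let a principal change the value directly, or grant itself the
# ability to do so later. Generic write/all bits are added as raw flags because
# Get-Acl can report them un-mapped.
$rr = [System.Security.AccessControl.RegistryRights]
[int]$writeMask = [int]($rr::SetValue -bor $rr::CreateSubKey -bor $rr::WriteKey -bor
                        $rr::ChangePermissions -bor $rr::TakeOwnership -bor $rr::FullControl)
[int]$writeMask = $writeMask -bor 0x10000000 -bor 0x40000000   # GENERIC_ALL, GENERIC_WRITE

# Principals that should never hold write rights on a security-gating key.
# (Assumed list; extend with your own domain-wide groups.)
$broad = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users',
           'NT AUTHORITY\INTERACTIVE', 'NT AUTHORITY\NETWORK')

function Test-GatingKey {
    param([hashtable]$Target)

    if (-not (Test-Path -Path $Target.Key)) {
        return [pscustomobject]@{ Key = $Target.Key; Status = 'ABSENT'; Detail = 'key not present on this host' }
    }

    $weak = @()
    foreach ($ace in (Get-Acl -Path $Target.Key).Access) {
        $id = $ace.IdentityReference.Value
        $rights = [int]$ace.RegistryRights
        if ($ace.AccessControlType -eq 'Allow' -and ($broad -contains $id) -and (($rights -band $writeMask) -ne 0)) {
            $weak += "$id has $($ace.RegistryRights)"
        }
    }
    if ($weak.Count -gt 0) {
        return [pscustomobject]@{ Key = $Target.Key; Status = 'WEAK ACL'; Detail = ($weak -join '; ') }
    }

    $cur = (Get-ItemProperty -Path $Target.Key -Name $Target.Value -ErrorAction SilentlyContinue).($Target.Value)
    if ($null -eq $cur) {
        return [pscustomobject]@{ Key = $Target.Key; Status = 'UNSET'; Detail = "$($Target.Value) missing; restriction not configured" }
    }
    if ($cur -ne $Target.Expected) {
        return [pscustomobject]@{ Key = $Target.Key; Status = 'DISABLED'; Detail = "$($Target.Value) = $cur, expected $($Target.Expected)" }
    }
    return [pscustomobject]@{ Key = $Target.Key; Status = 'OK'; Detail = "$($Target.Value) = $cur" }
}

$targets | ForEach-Object { Test-GatingKey -Target $_ } | Format-Table -AutoSize
```

The ACL check is deliberately evaluated before the value check: a correct value behind an ACL that lets Everyone rewrite it is still a finding, which is exactly the situation the post describes. To sweep a fleet, wrap the script in Invoke-Command -ComputerName and collect the objects; the Status column is what you would alert on.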
    
    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:04:45 PDT