Bugtraq mailing list archives

Microsoft Security Bulletin (MS98-004)


From: aleph1 () DFW NET (Aleph One)
Date: Wed, 15 Jul 1998 20:04:56 -0500


Date: Wed, 15 Jul 1998 17:21:35 -0700
From: Microsoft Product Security Response Team <secure () MICROSOFT COM>
To: MICROSOFT_SECURITY () ANNOUNCE MICROSOFT COM
Subject: Microsoft Security Bulletin (MS98-004)

Microsoft Security Bulletin (MS98-004)

------------------------------------------------------------------------

Unauthorized ODBC Data Access with RDS and IIS

Last Revision: July 14, 1998

Summary
=======
Remote Data Service (RDS) is a component of Microsoft Data Access Components
(MDAC), which is installed by default when Microsoft(r) Internet
Information Server (IIS) 4.0 is installed via the Windows NT(r) Option Pack.
The goal of the RDS component is to enable controlled Internet access to
remote data resources through the Internet Information Server. However,
because the RDS DataFactory (a single component of RDS) allows implicit
remoting of data access requests by default, it can be exploited to allow
unauthorized Internet clients to access OLE DB datasources available to the
server. The implicit remoting function of RDS 1.5 via the DataFactory
component should be disabled.

The purpose of this bulletin is to inform Microsoft customers of this issue,
its applicability to Microsoft products, and the availability of
countermeasures Microsoft has developed to further secure its customers.

This problem was discovered by the Microsoft development team and documented
in Microsoft Knowledge Base article Q184375 on April 22, 1998.

Issue
=====
A web client connecting to an IIS server can use the RDS DataFactory object
to direct that server to access data using an installed OLE DB provider.
This includes executing SQL calls to ODBC-compliant databases using the ODBC
drivers installed on the server.

For example, a web client could issue a SQL command along with the name or IP
address of a remote SQL server, a SQL account and password, a database name,
and a SQL query string. If the request is valid (the remote server is reachable
by the IIS server, the user account and password are correct, the database
name is valid), the query results will be sent via HTTP back to the client.
While it is true that this requires significant inside information, the
potential accessibility of this information should not be underestimated, as
organizations that don't follow good security practices could have blank or
easy-to-guess passwords on their SQL administrator accounts. The RDS
DataFactory object along with other installed ODBC drivers opens other
possibilities, including possible access to non-published files on the IIS
server.

The vulnerability caused by the DataFactory is even greater if some newer
OLE DB Providers are installed on the server. "Microsoft DataShape Provider"
and "Microsoft JET OLE DB provider" (which ship with MDAC 2.0 in Visual
Studio 98) allow shell commands to be executed. If the DataFactory is
enabled on such a server, Internet clients can use these providers to
execute shell commands, which can potentially bring down the server or
otherwise severely affect its performance.

Affected Software Versions
==========================
 - Microsoft Internet Information Server version 4.0
 - Microsoft Remote Data Services version 1.5
 - Microsoft Visual Studio version 6.0

What Microsoft is Doing
=======================
The Microsoft Product Security Response Team has produced a set of
guidelines and scripts to assist customers in disabling the implicit
remoting functionality of the RDS via the DataFactory object.

Microsoft strongly recommends that all customers using IIS with OLE DB or
ODBC drivers installed should take the actions described below.

What customers should do
========================
If you don't intentionally use the implicit remoting functionality in the
DataFactory object, you should disable it.

Please note that you can still use RDS to invoke Business Objects on the
server, but an administrator must explicitly enable access to these objects
by inserting keys for them in the registry. Any pages or applications that
rely on RDS's DataControl or DataFactory components will not work after
this.

Removing Implicit DataFactory Functionality:

If the following registry entries are removed from the server hosting IIS,
then the implicit remoting functionality (via DataFactory) of RDS will be
disabled. These keys can be removed using the Registry Editor
(REGEDT32.EXE), or other tools for manipulating the registry.

 - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\
   Parameters\ADCLaunch\RDSServer.DataFactory
 - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\
   Parameters\ADCLaunch\AdvancedDataFactory
 - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\
   Parameters\ADCLaunch\VbBusObj.VbBusObjCls

Note: The three registry keys listed above have been wrapped for ease of
reading.

ASP pages that depend only on ADO for database connectivity will continue to
function. However, the benefits section of the IIS4 sample site, Exploration
Air, may not function correctly after this change is made.

Using the REGDEL.EXE utility to remove DataFactory functionality
================================================================
Note: REGDEL.EXE is a tool available as part of the Windows NT Resource Kit
utilities that can be used to delete registry entries from the command line.


Copy the following text into a .BAT file (e.g. c:\dfremove.bat) and run the
batch file on machines on which you want to remove the RDS components.


------------------------------------------------------------------------

@ECHO OFF
REM Batch file to remove RDS components
REM Make sure that REGDEL.EXE from the Resource Kit is in your PATH
set rkey=HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC
REGDEL "%rkey%\Parameters\ADCLaunch\RDSServer.DataFactory"
REGDEL "%rkey%\Parameters\ADCLaunch\AdvancedDataFactory"
REGDEL "%rkey%\Parameters\ADCLaunch\VbBusObj.VbBusObjCls"
Echo RDS Keys Removed

------------------------------------------------------------------------
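The batch file above removes the keys but gives no way to confirm the result on a fleet of hosts. The following PowerShell script is an added example, not part of the Microsoft bulletin: it audits the three ADCLaunch keys the bulletin names, reports which are still present (a host where any key remains still has implicit DataFactory remoting enabled), and optionally removes them. The -Remove switch and the exit-code convention are assumptions of this script, and it assumes a Windows host where the W3SVC service key exists.

```powershell
# Added example (not from the bulletin): audit the ADCLaunch keys that enable
# implicit RDS DataFactory remoting. Run without arguments to report only;
# -Remove (an assumption of this script) deletes any key that is still present.
param([switch]$Remove)

# Registry location given in the bulletin, wrapped here as a single path.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\ADCLaunch'

# The three subkeys the bulletin instructs administrators to delete.
$keys = 'RDSServer.DataFactory', 'AdvancedDataFactory', 'VbBusObj.VbBusObjCls'

$findings = foreach ($k in $keys) {
    $path = Join-Path -Path $base -ChildPath $k
    $present = Test-Path -LiteralPath $path
    if ($present -and $Remove) {
        # Delete the key and re-check so the report reflects the final state.
        Remove-Item -LiteralPath $path -Recurse -Force
        $present = Test-Path -LiteralPath $path
    }
    [pscustomobject]@{ Key = $k; Present = $present }
}

$findings | Format-Table -AutoSize

# Non-zero exit lets a fleet-wide job flag hosts that still need attention.
if ($findings.Present -contains $true) {
    Write-Warning 'Implicit RDS DataFactory remoting is still enabled on this host.'
    exit 1
}
Write-Output 'No ADCLaunch DataFactory keys found; implicit remoting is disabled.'
exit 0
```

Run it once before and once after applying the batch file; a host is only fixed when all three keys report Present = False. Because the check is read-only by default, it can be scheduled as a recurring control to catch keys that a later MDAC or IIS reinstall puts back.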

More Information
================
RDS 2.0, which ships with Microsoft Visual Studio 6.0, allows server
administrators to use customized handlers for requests to the RDS Server. Using
the customized handlers, administrators can intercept all requests and
responses to and from the RDS Server. RDS 2.0 also ships a default
customization handler which is driven by information in an INI file
installed on the server. This default handler can be used to modify SQL and
connection strings received from the client. RDS 2.0 is part of MDAC 2.0,
which ships with Visual Studio 98.

NOTE: Upgrading to RDS 2.0 will not automatically solve the problem -- you
must configure the RDS according to your security needs. Please refer to RDS
2.0 documentation for details on how to configure the default INI file or
how to write your own customization handler.

Additional References
=====================
Please see the following references for more information related to this
issue.

 - Microsoft Security Bulletin 98-004, Unauthorized File Access with
   RDS and IIS (the web-posted version of this bulletin),
   http://www.microsoft.com/security/bulletins/ms98-004.htm

 - Microsoft Knowledge Base article Q184375, Security Implications of
   RDS 1.5, IIS 4.0, and ODBC,
   http://support.microsoft.com/support/kb/articles/q184/3/75.asp

 - Microsoft Universal Data Access web site,
   http://www.microsoft.com/data

Revisions
=========
 - July 14, 1998: Bulletin Created

For additional security-related information about Microsoft products, please
visit http://www.microsoft.com/security


------------------------------------------------------------------------
THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS"
WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER
EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS
SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT,
INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES,
EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR
LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE
FOREGOING LIMITATION MAY NOT APPLY.

(c) 1998 Microsoft and/or its suppliers. All rights reserved.
For Terms of Use see http://support.microsoft.com/support/misc/cpyright.asp.

          =====================================================
You have received this e-mail bulletin as a result of your registration
to the Microsoft Product Security Notification Service. You may
unsubscribe from this e-mail notification service at any time by sending
an e-mail to MICROSOFT_SECURITY-SIGNOFF-REQUEST () ANNOUNCE MICROSOFT COM
The subject line and message body are not used in processing the request,
and can be anything you like.

For more information on the Microsoft Security Notification Service
please visit http://www.microsoft.com/security/bulletin.htm. For
security-related information about Microsoft products, please visit the
Microsoft Security Advisor web site at http://www.microsoft.com/security.
