Penetration Testing mailing list archives

Previous By Date Next
Previous By Thread Next

Re: [PEN-TEST] RDS exploit simulation

From: bacano <bacano () ESOTERICA PT>
Date: Tue, 31 Oct 2000 23:52:13 -0000
Actually MDAC 2.6 RTM (2.60.6526.3) and MDAC 2.6 SDK are out. The news is
that MDAC version 2.6 does not include Microsoft Jet, Microsoft Jet OLE DB
Provider, and the ODBC Desktop Database Drivers
(http://support.microsoft.com/support/kb/articles/Q271/9/08.ASP)

Installing MS SQL 2000 installs MDAC 2.6

[  ]'s bacano

----- Original Message -----
From: "rain forest puppy" <rfp () WIRETRIP NET>
To: <PEN-TEST () SECURITYFOCUS COM>
Sent: Tuesday, September 19, 2000 12:31 AM
Subject: Re: [PEN-TEST] RDS exploit simulation



Okey dokey, this is actually a revelevant topic, since I've received a lot
of email on it.  I'm working on a RDS-FAQ, but in the meantime:

You are vulnerable if you have MDAC 1.5 installed.  MDAC 2.0 is *kinda*
vulnerable, but for all intents and purposes, not via msadcs.dll.  MDAC

2.0 is not vulnerable.


Now, keep in mind:
- Installing MS SQL 7.0 installs MDAC 2.x
- Installing Office 2000 installs MDAC 2.x
- Installing IE 5.x installs MDAC 2.x
- Installing almost any MS server product after 2000 usually installs MDAC
2.x.
- Windows 2000 is not vulnerable.  IIS 5.0 is not vulnerable.


For the differences between MDAC 1.5, 2.0, and 2.1+, please see RFP9907:
"You, your servers, RDS, and thousands of script kiddies" at
http://www.wiretrip.net/rfp/p/doc.asp?id=29&iface=2

Slightly dated, as there are newer copies of MDAC (I believe 2.5 is now
out), but it will discuss what is vulnerable vs. what is not.

As for me, I use NT Server 4.0 regular or enterprise, install SP3, install
IE 4.01 (comes on NT Option Pack 4), and then IIS 4.0.  Now the newer
Option Packs might be retrofitted, but the original releases had the
vulnerable MDAC.

Just keep in mind there are a *LOT* of applications nowadays that package
updated DB components with them that may patch the vulnerability when
installed.  You can always look at the version of the msjet.dll in winnt
directory...any 4.x is not vulnerable.  The jetcopkg installs 3.5X (don't
remember the value), MDAC 2.0 installs 3.52, and MDAC 1.5 installs 3.50.
The 3.x line (apart from the patched jetcopkg.exe) is vulnerable.

- rfp
Previous By Date Next
Previous By Thread Next

Current thread: