Penetration Testing mailing list archives

Re: [PEN-TEST] RDS exploit simulation (fwd)


From: rain forest puppy <rfp () WIRETRIP NET>
Date: Tue, 19 Sep 2000 21:17:00 -0500

---------- Forwarded message ----------
Date: Mon, 18 Sep 2000 19:31:30 -0500 (CDT)
From: rain forest puppy <rfp () wiretrip net>
To: pen-test () securityfocus com
Subject: Re: RDS exploit simulation

Okey dokey, this is actually a relevant topic, since I've received a lot
of email on it.  I'm working on an RDS-FAQ, but in the meantime:

You are vulnerable if you have MDAC 1.5 installed.  MDAC 2.0 is *kinda*
vulnerable, but for all intents and purposes, not via vanilla msadcs.dll.
MDAC > 2.0 is not vulnerable.

Now, keep in mind:
- Installing MS SQL 7.0 installs MDAC 2.x
- Installing Office 2000 installs MDAC 2.x
- Installing IE 5.x installs MDAC 2.x (I believe)
- Installing almost any MS server product made after Jan 2000 usually
  installs MDAC 2.x.
- Windows 2000 is not vulnerable.  IIS 5.0 is not vulnerable.


For the differences between MDAC 1.5, 2.0, and 2.1+, please see RFP9907:
"You, your servers, RDS, and thousands of script kiddies" at
http://www.wiretrip.net/rfp/p/doc.asp?id=29&iface=2

Slightly dated, as there are newer copies of MDAC (I believe 2.5 is now
out), but it will discuss what is vulnerable vs. what is not.

As for me, I use NT Server 4.0 (regular or enterprise), install SP3,
install IE 4.01 (comes on NT Option Pack 4), and then IIS 4.0.  Now the
newer Option Packs might be retrofitted, but the original releases had the
vulnerable MDAC.

Just keep in mind there are a *LOT* of applications nowadays that package
updated DB components with them that may patch the vulnerability when
installed.  You can always look at the version of the msjet.dll in winnt
directory...any 4.x is not vulnerable.  The jetcopkg installs 3.5X (don't
remember the value), MDAC 2.0 installs 3.52, and MDAC 1.5 installs 3.50.
The 3.x line (apart from the patched jetcopkg.exe) is vulnerable.

- rfp
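The msjet.dll version check rfp describes above, turned into a script. This is an added example and not rfp's code: it reads the file version straight out of the DLL's PE version resource with the Win32 version API (Windows only), then applies the post's rule of thumb (4.x safe; 3.50 is MDAC 1.5, 3.52 is MDAC 2.0). The `msjet*.dll` filename pattern and the `C:\WINNT` fallback are assumptions, and because the post does not give the patched jetcopkg build number, other 3.5x builds are flagged for manual review rather than declared safe.

```python
"""Check the Jet engine DLL version per rfp's post. Added example, not rfp's code."""
import ctypes
import os
import struct
import sys
from pathlib import Path


def classify_jet_version(major, minor):
    """Map a (major, minor) msjet version to the post's MDAC exposure rule.
    3.50/3.52 and the 4.x rule come from the post; the patched jetcopkg
    build number is not given there, so other 3.x builds get 'verify'."""
    if major >= 4:
        return "not vulnerable (Jet 4.x)"
    if (major, minor) == (3, 50):
        return "vulnerable (Jet 3.50 = MDAC 1.5)"
    if (major, minor) == (3, 52):
        return "vulnerable (Jet 3.52 = MDAC 2.0)"
    if major == 3:
        return "3.x Jet: vulnerable unless this is the patched jetcopkg build; verify"
    return "unknown Jet version; verify"


def pe_file_version(path):
    """Read dwFileVersionMS/LS from VS_FIXEDFILEINFO via version.dll (Windows only)."""
    ver = ctypes.windll.version  # AttributeError on non-Windows hosts
    size = ver.GetFileVersionInfoSizeW(path, None)
    if not size:
        raise OSError("no version resource in %s" % path)
    buf = ctypes.create_string_buffer(size)
    if not ver.GetFileVersionInfoW(path, 0, size, buf):
        raise ctypes.WinError()
    ptr, length = ctypes.c_void_p(), ctypes.c_uint()
    if not ver.VerQueryValueW(buf, "\\", ctypes.byref(ptr), ctypes.byref(length)):
        raise ctypes.WinError()
    fixed = ctypes.string_at(ptr.value, length.value)
    ms, ls = struct.unpack_from("<II", fixed, 8)  # dwFileVersionMS, dwFileVersionLS
    return ms >> 16, ms & 0xFFFF, ls >> 16, ls & 0xFFFF


def scan_windows_dir(windir=None):
    """Find msjet*.dll (assumed pattern) under the Windows dir and classify each."""
    root = Path(windir or os.environ.get("SystemRoot", r"C:\WINNT"))  # assumed fallback
    results = {}
    for dll in root.rglob("msjet*.dll"):
        major, minor, build, rev = pe_file_version(str(dll))
        results[str(dll)] = (f"{major}.{minor}.{build}.{rev}", classify_jet_version(major, minor))
    return results


if __name__ == "__main__":
    for path, (version, verdict) in scan_windows_dir(*sys.argv[1:2]).items():
        print(f"{path}: {version} -> {verdict}")
```

Run it on the NT box itself (optionally passing the Windows directory as the first argument); it reports each Jet DLL found and the verdict the post's rule gives for it.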

