SYMPTOMS
MDAC is a collection of components that provide database
connectivity on Windows operating systems. MDAC is a ubiquitous technology, and it is
likely to be present on most Windows systems, including the following:
- MDAC is included by default as part of Windows XP, Windows
2000, and Windows Millennium.
- MDAC is available for download as a stand-alone technology.
- MDAC is either included in or installed by a number of
other products and technologies.
- MDAC is included in the Microsoft Windows NT 4.0 Option
Pack.
- Some MDAC components are included in Internet Explorer,
even if MDAC itself is not installed.
MDAC provides the underlying functionality for a number of
database operations, including the ability to connect to remote databases and
to return data to a client. The MDAC component Remote Data Services (RDS)
provides functionality that supports three-tiered architectures. In
three-tiered architectures, a client requests service from a back-end database,
and then these requests are intermediated through a Web site that applies
business logic.
A security vulnerability is present in the RDS
implementation. This vulnerability exists in the RDS data stub. The data stub
parses incoming HTTP requests, and then generates RDS commands. A security
vulnerability that is caused by an unchecked buffer in the data stub affects
versions of MDAC earlier than version 2.7 (the version that was included with
Windows XP). If an attacker sends a specially malformed HTTP request to the
data stub, data of his or her choice can overrun onto the heap. Heap overruns
are typically more difficult to exploit than the more common stack overrun.
However, Microsoft has confirmed that in this scenario it is possible to
exploit the vulnerability to run code of the attacker's choice on the user's
system.
Both Web servers and Web clients are at risk from the
vulnerability.
- Web servers are at risk if a vulnerable version of MDAC is
installed and running on the server. To exploit the vulnerability against such
a Web server, an attacker must establish a connection with the server, and then
send a specially malformed HTTP request to it. This action would overrun the
buffer with data of the attacker's choice. The code would run in the security
context of the IIS service. By default, the IIS service runs in the LocalSystem
context.
- Web clients are at risk in almost every scenario. The RDS
data stub is included with all the current versions of Internet Explorer, and
there is no option to disable it. To exploit the vulnerability against a
client, an attacker must host a Web page that, when it is opened, sends an HTTP
reply to the user's system and overruns the buffer with data of the attacker's
choice. This Web page may be hosted on a Web site or sent
directly to users as an HTML mail. The code runs in the security context of the
user.
This vulnerability is very serious, and Microsoft recommends
that all customers whose systems can be affected take appropriate action
immediately. To take action, do the following:
- Customers who use Windows XP or who installed MDAC 2.7 on
their systems are at no risk and do not have to take any action.
- Web server administrators who run an affected version of
MDAC must install the security patch, disable RDS access through IIS, or upgrade to MDAC 2.7.
- Web client users who run an affected version of MDAC must
install the security patch immediately on any system that accommodates Web browsing,
regardless of any other protective measures. For example, a Web server on which
RDS is disabled must have the security patch if the Web server is occasionally used as a
Web client.
- If this security patch is installed on a Windows 2000 SP3 server, SUS (Software Update Service) stops functioning correctly. To work around this problem, maintain SUS functionality, and also correct the buffer overrun vulnerability, upgrade to MDAC 2.7.
RESOLUTION
Service Pack Information
To resolve this problem, obtain the latest service pack for Microsoft Windows 2000. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
260910 How to Obtain the Latest Windows 2000 Service Pack
Hotfix Information
A supported hotfix is now available from Microsoft, but it is only intended to correct the problem that this article describes. Apply it only to systems that you determine are at risk of attack. Evaluate the computer's physical accessibility, network and Internet connectivity, and other factors to determine the degree of risk to the computer. See the associated
Microsoft Security Bulletin to help determine the degree of risk. This hotfix may receive additional testing. If the computer is sufficiently at risk, we recommend that you apply this hotfix now.
To resolve this problem immediately, download the hotfix by following the instructions later in this article or contact Microsoft Product Support Services to obtain the hotfix. For a complete list of Microsoft Product Support Services telephone numbers and information about support costs, visit the following Microsoft Web site:
Note In special cases, charges that are ordinarily incurred for support calls may be canceled, if a Microsoft Support Professional determines that a specific update will resolve your problem. The usual support costs will apply to additional support questions and issues that do not qualify for the specific update in question.
Download Information
The following file is available for download from the Microsoft Download Center:
Release Date: November 20, 2002
For additional information about how to download
Microsoft Support files, click the following article number to view the article
in the Microsoft Knowledge Base:
119591 How to Obtain Microsoft Support Files from Online Services
Microsoft scanned this file for viruses. Microsoft used the most
current virus-detection software that was available on the date that the file
was posted. The file is stored on security-enhanced servers that help to
prevent any unauthorized changes to the file.
Installation Information
This security patch can be installed on Windows 98, Windows 98 Second
Edition, Windows Millennium Edition (ME), Windows NT 4.0 Service Pack 6a
(SP6a), Windows 2000 SP2, or Windows 2000 SP3.
For additional information about Windows 2000 and Windows NT 4.0 service packs,
click the following article numbers to view the articles in the Microsoft
Knowledge Base:
260910 How to Obtain the Latest Windows 2000 Service Pack
152734 How to Obtain the Latest Windows NT 4.0 Service Pack
Restart your Web server after you apply
the security patch. You do not have to restart your Web client. This update supports the
following Setup switches:
- /?: Displays the list of installation switches.
- /Q: Quiet mode.
- /T:<full path>: Specifies the temporary working folder.
- /C: Extracts files only to the folder when it is used with
/T.
- /C:<Cmd>: Overrides install command defined by the author.
- /N: No restart dialog box.
The following command-line command installs the update without
any user intervention:
q329414_mdacall_x86 /C:"dahotfix.exe /q /n" /q:a
Warning Your computer may be vulnerable until you restart it.
File Information
The English version of this security patch has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the
Time Zone tab in the Date and Time tool in Control Panel.
Note The following installation file names are appended with an MDAC
version. The files that are installed appear in the msadc folder without the
appended MDAC version in the file name.
Date         Time   Version         Size  File name
--------------------------------------------------------
21-Sep-2002  00:36  2.53.6202.0  856,768  Msadce25.dll
09-Oct-2002  21:16  2.12.5118.0  135,440  Msadco21.dll
21-Sep-2002  00:36  2.53.6202.0  430,080  Msadco25.dll
25-Sep-2002  18:47  2.62.9119.1  147,728  Msadco26.dll
09-Oct-2002  21:16  2.12.5118.0   49,936  Msadcs21.dll
21-Sep-2002  00:36  2.53.6202.0  135,168  Msadcs25.dll
25-Sep-2002  18:47  2.62.9119.1   57,616  Msadcs26.dll
21-Sep-2002  00:36  2.53.6202.0  615,655  Msdaprst25.dll
For MDAC 2.6, the following files are copied to the Program
Files\Common Files\System\msadc folder:
Date         Time   Version         Size  File name
----------------------------------------------------
25-Sep-2002  18:47  2.62.9119.1  147,728  Msadco.dll
25-Sep-2002  18:47  2.62.9119.1   57,616  Msadcs.dll
For MDAC 2.5, the following files are copied to the Program
Files\Common Files\System\msadc folder:
Date         Time   Version         Size  File name
------------------------------------------------------
21-Sep-2002  00:36  2.53.6202.0  856,768  Msadce.dll
21-Sep-2002  00:36  2.53.6202.0  430,080  Msadco.dll
21-Sep-2002  00:36  2.53.6202.0  135,168  Msadcs.dll
21-Sep-2002  00:36  2.53.6202.0  615,655  Msdaprst.dll
For MDAC 2.1, the following files are copied to the Program
Files\Common Files\System\msadc folder:
Date         Time   Version         Size  File name
----------------------------------------------------
09-Oct-2002  21:16  2.12.5118.0  135,440  Msadco.dll
09-Oct-2002  21:16  2.12.5118.0   49,936  Msadcs.dll
Note Because of file dependencies, this update may contain additional
files.
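The File Information tables above give the patched version of each msadc file "or later", per MDAC branch. The following added example (not part of the original article and not Microsoft code) checks a collected file inventory against those tables. The inventory rows are constructed sample data, and mapping a file version to its MDAC branch by the first digit of the second version field is an assumption.

```python
# Patched file versions per MDAC branch, copied from the File Information tables.
PATCHED = {
    "2.1": {"msadco.dll": "2.12.5118.0", "msadcs.dll": "2.12.5118.0"},
    "2.5": {"msadce.dll": "2.53.6202.0", "msadco.dll": "2.53.6202.0",
            "msadcs.dll": "2.53.6202.0", "msdaprst.dll": "2.53.6202.0"},
    "2.6": {"msadco.dll": "2.62.9119.1", "msadcs.dll": "2.62.9119.1"},
}

def parse_version(text):
    """Turn '2.53.6202.0' into (2, 53, 6202, 0) so fields compare numerically."""
    parts = tuple(int(p) for p in text.strip().split("."))
    if len(parts) != 4:
        raise ValueError(f"expected four version fields, got {text!r}")
    return parts

def branch_of(version):
    """Assumption: first digit of the second field names the branch (2.53.x -> 2.5)."""
    return f"{version[0]}.{version[1] // 10}"

def classify(file_name, file_version):
    """Return 'not affected', 'patched', 'needs patch' or 'no baseline'."""
    version = parse_version(file_version)
    if version >= (2, 70, 0, 0):
        return "not affected"   # MDAC 2.7 or later, per the article
    baseline = PATCHED.get(branch_of(version), {}).get(file_name.lower())
    if baseline is None:
        return "no baseline"    # file or branch is not in the article's tables
    return "patched" if version >= parse_version(baseline) else "needs patch"

def audit(inventory):
    """Map (host, file name) to a status for every inventory row."""
    return {(host, name): classify(name, ver) for host, name, ver in inventory}

# Constructed inventory: (host, file in the msadc folder, file version).
SAMPLE = [
    ("web01", "Msadcs.dll", "2.52.6019.0"),
    ("web01", "Msadco.dll", "2.53.6202.0"),
    ("web02", "Msadcs.dll", "2.62.9119.1"),
    ("web03", "Msadcs.dll", "2.12.4202.3"),
    ("wks07", "Msadco.dll", "2.70.7713.0"),
    ("wks09", "Msadce.dll", "2.61.7326.0"),
]

if __name__ == "__main__":
    for (host, name), status in audit(SAMPLE).items():
        print(f"{host:6} {name:14} {status}")
```

Rows reported as "no baseline" need manual review, because the article lists no patched version for that file in that branch.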