[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[port139ml:03657] FYI; Microsoft JET Database Engine 4.0 buffer overflow

To: port139ml@xxxxxxxxxxxxx
Subject: [port139ml:03657] FYI; Microsoft JET Database Engine 4.0 buffer overflow
From: ARAI Yuu <y.arai@xxxxxxxxx>
Date: Mon, 14 Jul 2003 11:29:45 +0900
$B$"$i$$!w%i%C%/$G$9!#(B
(B
(BMicrosoft JET Database Engine 4.0 buffer overflow $B$H$$$&LdBj$,Js9p$5$l$F(B
$B$$$^$9!#(B
(B
(B---
(BFrom: "Cesar" <sqlsec@xxxxxxxxx>
(BDate: Fri Jul 11, 2003  10:49 am
(BSubject: Microsoft JET Database Engine 4.0 buffer overflow
(B
(BADVERTISEMENT
(B
(BSecurity Advisory
(B
(BName: Microsoft JET Database Engine 4.0 buffer overflow.
(BSystem Affected : Microsoft SQL Server 2000, SQL Server 7 & MSDE.
(BAll software using MS Jet Engine Service Pack 6 (and prior?) are be
(Bvulnerable.
(BSeverity : High
(BRemote exploitable : Yes
(BAuthor: Cesar Cerrudo.
(BDate: 07/11/03
(BAdvisory Number: CC070306
(B
(B
(BLegal Notice:
(B
(BThis Advisory is Copyright (c) 2003 Cesar Cerrudo.
(BYou may distribute it unmodified and for free. You may NOT modify it
(Band distribute it or distribute
(Bparts of it without the author's written permission. You may NOT use
(Bit for commercial intentions
(B(this means include it in vulnerabilities databases, vulnerabilities
(Bscanners, any paid service,
(Betc.) without the author's written permission. You are free to use
(BMicrosoft details
(Bfor commercial intentions.
(B
(B
(BDisclaimer:
(B
(BThe information in this advisory is believed to be true though it may
(Bbe false.
(BThe opinions expressed in this advisory are my own and not of any
(Bcompany. The usual standard disclaimer applies, especially the fact
(Bthat Cesar Cerrudo is not liable for any damages caused by direct or
(Bindirect use of the information or functionality provided by this
(Badvisory.
(BCesar Cerrudo bears no responsibility for content or misuse of this
(Badvisory or any derivatives thereof.
(B
(B
(BOverview:
(B
(BMicrosoft JET database engine is a database management system that
(Bretrieves data from and stores data in user and system databases. The
(BMicrosoft Jet database engine can be thought of as a data manager
(Bupon which database systems, such as Microsoft Access, are built.
(B
(BMicrosoft Jet database engine has sophisticated query and
(Boptimization capabilities that are unmatched by other desktop
(Bdatabase engines in its class. These features include updatable
(Bviews, heterogeneous joins, and the ability to work seamlessly with a
(Bwide variety of industry-standard database formats. The Microsoft Jet
(Bquery engine is designed to accept user requests for information
(Bor action in the form of Structured Query Language (SQL) statements.
(BMicrosoft Jet parses, analyzes, and optimizes these queries, and
(Beither returns the resulting information in the form of a Recordset
(Bobject or performs the requested action.
(B
(BAlthough Microsoft Jet borrows many query techniques from
(Bclient/server relational database management systems (DBMSs) such as
(BMicrosoft SQL Server, it remains a file-server database. All queries
(Bare processed on individual workstations running copies of a host
(Bapplication, such as Microsoft Access, or a custom application
(Bcreated by using a tool, such as Microsoft Visual Basic. Microsoft
(BJet doesn't act as a true database server, such as SQL Server, that
(Bprocess data requests independently of the application requesting
(Bdata. However, Microsoft Jet can send queries to SQL Server or other
(BODBC database servers for processing.
(B
(B
(BDetails:
(B
(BMicrosoft Jet Database Engine provides support for many databases
(Btypes such as *.mdb(MS Access), *.xls(MS Excel), *.txt (text files),
(B*.dbf (dBase), etc.
(BMicrosoft Jet Database Engine allows the use of Visual Basic for
(BAplicaciones (VBA) functions and SQL agregated functions in SQL
(Bstatements, when a SQL query is executed and a long function name is
(Bsupplied a unicode stack based overflow occurrs:
(B
(B
(BSelect XXX...()
(B
(B(XXX... more than 276 chars)
(B
(B
(BMicrosoft SQL Server allows to access remote data from an OLE DB data
(Bsource using OpenRowset(), Opendatasource(), Openquery() and Linked
(BServers. When querying remote data sources using JET 4.0 OLE DB
(Bprovider and a long function name is specified a unicode stack based
(Boverflow occurrs:
(B
(B
(Bselect * from openrowset
(B('microsoft.jet.oledb.4.0','c:\anydatabase.mdb';'admin';'','select
(BXXX...()')
(B
(Bor
(B
(Bselect * from Openquery(SomeJet40LinkedServer,'Select XXX...()')
(B
(Betc.
(B
(B(XXX... more than 276 chars)
(B
(B
(BWhen the vulnerability is exploited to run arbitrary code on SQL
(BServer, the code will run in the context of the SQL Server service
(Baccount. On latest SQL Server versions Microsoft Jet OLE DB provider
(Bis disabled by default, but it's not uncommon to find servers with
(Bthe provider enabled or with a linked server to a supported Microsoft
(BJet database.
(B
(B
(BThis vulnerability can be exploited to run arbitrary code. It can be
(Bexploited using SQL Injection most probably against MS Access
(Bdatabases or SQL Server, also (Web) applcations that allow users to
(Bsubmit arbitrary SQL queries values are vulnerable.
(BOn SQL Server if Microsoft Jet OLE DB provider has been enabled or
(Bthere is a Linkded Server to a Microsoft Jet supported database any
(BSQL Server user will be able to exploit this vulnerability.
(BTries and explotation of this vulnerability in web applications using
(BActive Server Pages (ASP) with Microsoft Jet Engine, could cause IIS
(B5.0 (not tested in other IIS versions but they may have the same
(Bbehaviour) to stop processing Active Server Pages (ASP).
(B
(B
(B
(BWorkaround:
(B
(BOn SQL Server make sure you have Microsoft Jet OLE DB provider
(Bdisabled.
(B
(BCheck the value DisallowAdhocAccess under key:
(BHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SQL
(BServer\InstanceNameHere\Providers\Microsoft.Jet.OLEDB.4.0
(B
(Bvalue must not exist or be 1.
(B
(B
(BVendor Status:
(B
(BMicrosoft was contacted and they release a fix on MS Jet 4.0 Service
(BPack 7.
(B
(B
(BPatch Available :
(B
(BImportant Note: THE FIX IS NOT INCLUDED IN CRITICAL UPDATES
(B
(BGo to http://windowsupdate.microsoft.com
(BThe link for the Jet 4.0 SP7 download is listed under Recommended
(BUpdates as 282010: Recommended Update
(Bfor Microsoft Jet 4.0 Service Pack 7 (SP7)
(B
(B-----------------------------------------------
(BARAI Yuu <y.arai@xxxxxxxxx>
(BChief Researcher / LAC Computer Security Laboratory
(Bhttp://www.lac.co.jp/security/
Prev by Date: [port139ml:03656] Re: 7/19 NT-Committee2$B4X@>JY6/2q(B
Next by Date: [port139ml:03658] Re: $BG'=Q#1%2(B$B%C%H!
Previous by thread: [port139ml:03650] Re: LogCaster$BL5NA%;%_%J!<$G(BVISUACT$B%G%b(B
Next by thread: [port139ml:03661] $B6[5^;~
Index(es):
- Date
- Thread