rain forest puppy $B$N5v2D$rF@$F0J2<$rK]Lu$7%]%9%H$7$^$9!#(B
$BK]Lu<T!'(BNobuo Miwa <n-miwa@lac.co.jp> BUGTRAQ-JP moderator

--- Advisory RFP9907 ----------------------------- rfp.labs -----------

$B!!!!!!$"$J$?!"$"$J$?$N%5!<%P!"(BRDS$B!"$=$7$FB?$/$N%9%/%j%W%H%-%G%#$X(B
$B!!!!!!!!!!!!!!!!!!!!!!(B..RDS$B%"%?%C%/$+$i<i$k$K$O(B..

------------------------------ rain forest puppy / rfp@wiretrip.net ---

$BFbMF(B:
        - 1. $BLdBjE@(B
        - 2. $B2r7h:v(B
        - 3. $B$$$m$$$m$J>u67(B
        - 4. msadc.pl$B967b$NH/8+(B
        - 5. $B:G8e$K(B
        - 6. $B;29M(B

-----------------------------------------------------------------------

$B$3$l$rFI$`;~4V$,L5$$$N$G$9$+!)!!$=$N>l9g$O!"0J2<$N%U%!%$%k$r:o=|$7$F(B
$B$/$@$5$$!#!'(B

        ?:\Program Files\Common Files\System\Msadc\msadcs.dll

$B=PMh$k$@$1Aa$/:o=|$7!"LdBj$@$i$1$N(BRDS$B5!G=$rL58z$K$7$F$/$@$5$$!#(B
$B$b$7!"(BRDS$B$r;H$$$?$1$l$P0J2<$r$h$/FI$s$@J}$,$$$$$G$9!#(B

-----------------------------------------------------------------------

----[ 1. $BLdBjE@(B

.gov,.mil $B$=$7$F(B microsoft.com $B$G$5$($b(BWeb$B%5!<%P$KHo32$r<u$1$^$7$?!#$3$l(B
$B$O(BRDS$B$,860x$G$9!#:#!"L@$i$+$J$3$H$O!"(BIIS 4.0$B$O30It$+$i6K$a$F4m81$J>u67$K(B
$B$"$k$H$$$&$3$H$G$9!#$7$+$7!"(BMicrosoft$B$O$R$H$D$G$b$U$?$D$G$b$J$/!";0$D$N(B
$B0c$&%Q%C%A$r%j%j!<%9$7$^$7$?!#99$K!"F1$8%"%I%P%$%6%j$r2?EY$b%j%j!<%9$7$^(B
$B$7$?!#$=$7$F!"L$$@$KLdBj$O2r7h$5$l$F$$$^$;$s!#(B

$B$=$3$G2f!9$OJY6/$7$J$1$l$P$$$1$^$;$s!#BP:v$NJ}K!$O2?DL$j$b9M$($i$l$^$9!#(B
$B;d$,(BRDS$B$K$D$$$F$N(BExplot$B%3!<%I$r=q$$$F$+$i!"99$K$h$/D4$Y$F$_$?$3$H$r!"$3(B
$B$N%"%I%P%$%6%j$rDs6!$9$k$3$H$K$h$C$F!"$_$J$5$s$HCN<1$N6&M-$r$7$?$$$H;W$$(B
$B$^$9!#(B

$BLdBj$O4pK\E*$K$O(B Jet 3.5 $B$,(BVBA$B$N%7%'%k5!G=$r8F$S=P$9$3$H$,=PMh$k$3$H$K$"(B
$B$j$^$9!#!J$3$l$O0J2<$N(BURL$B$K$"$k(BRFP9901: NT ODBC remote vulnerabilities
$B$K=q$+$l$F$$$^$9!#!K(B
        http://www.wiretrip.net/rfp/p/doc.asp?id=3&iface=2

MDAC 1.5$B$,%$%s%9%H!<%k$5$l$?%G%U%)%k%H@_Dj$N(BIIS 4.0$B$,$"$C$?$H$7$^$9!#$3(B
$B$l$K$O!"%j%b!<%H$+$i(BWeb$B$rDL$7$F(BODBC$B$K%"%/%;%9$9$k$?$a$N(BRDS$B$,4^$^$l$F$*$j(B
/msadc/msadcs.dll$B$H$$$&(BDLL$B$rDL$7$F9T$o$l$^$9!#!J$3$l$O!"0J2<$N(BURL$B$K$"$k(B
RFP9902: RDS/IIS vulnerability and exploit$B$K=q$+$l$F$$$^$9!#!K(B

        http://www.wiretrip.net/rfp/p/doc.asp?id=1&iface=2

$B$3$3$GFs$D$NLdBj$,$"$k$3$H$,J,$+$j$^$9!#99$KBh;0$NLdBjE@$,$"$j$^$9!#$=$l(B
$B$O(B(RFP9902$B$K=q$+$l$F$$$k(B)Microsoft$B$N?d>)$7$F$$$kBP:v$r%P%$%Q%9$9$k$3$H$N(B
$B=PMh$k(B VbBusObj $B$H$$$&%5%s%W%k%3%s%]!<%M%s%H$r4^$`!"(BRDS SDK$B%Q%C%1!<%8$K(B
$B$h$C$F%$%s%9%H!<%k$5$l$k%5%s%W%k%Z!<%8$K$"$j$^$9!#(B

----[ 2. $B2r7h:v(B

$BLdBj$OB?$/$NBP:v$,$"$k$3$H$H!";HMQJ}K!$K$h$C$FB?$/$NAH$_9g$o$;$,$"$k$3$H(B
$B$G$9!#$"$J$?$,(Bwww.microsoft.com$B$=$NB>$+$iF~<j$9$k$3$H$,=PMh$J$+$C$?>l9g(B
$B$N0Y$K(B i386$BMQ$N$_$NA4$F$N=EMW$J%P%$%J%j%U%!%$%k(B($B1Q8lHG$N$_(B)$B$r%_%i!<$7$F(B
$B$*$-$^$7$?!#0J2<$K=PMh$k$@$1>\:Y$K@bL@$r$7$F$$$-$?$$$H;W$$$^$9!#(B

-$BBP:v(B #1: cmd.exe $B$r0\F0$9$k(B (ULG $B$,?d>)$9$kBP:vJ}K!(B)
 http://www.aviary-mag.com/News/Powerful_Exploit/ULG_Fix/ulg_fix.html

$B;DG0$J$,$i$3$NBP:v$K$OLdBj$,$"$j$^$9!#(Bmdac.pl $B$O(B cmd.exe $B$r;HMQ$9$k$h$&(B
$B$K%O!<%I%3!<%G%#%s%0$5$l$F$$$^$9!J>l9g$K$h$C$F$O(Bcommand.com$B!K!#(B

$B!!!!!!!!!!!!!!(BCMD.EXE $B$O(B $B967b%D!<%k$K$OI,?\$G$O$"$j$^$;$s!#(B

$B;d$O!"%3%s%Q%A%S%j%F%#$r;}$?$;$k$?$a$K$3$NJ}K!$O;H$C$F$$$^$9$,!"JL$NJ}K!(B
$B$G967b$r9T$&$3$H$,=PMh$^$9!#$"$J$?<+?H$G;n$9$3$H$,$G$-$^$9!#(Bmdac.pl $B$r(B
'cmd /c'$B$H$$$&J8;zNs$r8F$S=P$;$J$$$h$&$KJT=8$7$F$_$F$/$@$5$$!#$"$J$?$O$=(B
$B$l$G$b!"(B'rdisk'$B$N$h$&$J<B9T%U%!%$%k$r;HMQ$9$k$3$H$,=PMh$^$9!#3P$($F$*$$(B
$B$FM_$7$$$3$H$O!"(Bcmd.exe$B$r;HMQ$7$J$$>l9g$O!"(B'copy'$B$N$h$&$J%3%^%s%I$r;H$&(B
$B$3$H$O=PMh$J$/$J$k$H$$$&$3$H$G$9!#$b$A$m$s!"%U%!%$%k$N%j%@%$%l%/%7%g%s$b(B
$B;H$($J$/$J$j$^$9!#$3$l$i$O!"(Bcmd.exe$B$G$N$_Ds6!$5$l$k5!G=$@$+$i$G$9!#(B

$B99$KCN$i$J$1$l$P$J$i$J$$$3$H$O!"(Bcmd.exe/command.com$B$r0\F0$7$F$7$^$&$3$H(B
$B$O$=$N>l$7$N$.$NBP:v$G$7$+$J$$$H!"$H$$$&$3$H$G$9!#?/F~<T$,0\F0@h$rCN$C$F(B
$B$7$^$($PH`Ey$O$=$l$r;HMQ$9$k$3$H$,=PMh$F$7$^$&$+$i$G$9!#$=$7$F!"(BSystem
$B$+$i$N%"%/%;%9$,=PMh$J$$$h$&$K8"8B$r=q$-49$($F$7$^$&$3$H$b$$$$J}K!$G$O$"(B
$B$j$^$;$s!#4{$K$=$NB>$N%Q%C%A$,$"$k$N$G$=$A$i$r;H$C$?J}$,$$$$$G$9!#(B

-$BBP:v(B #2: MDAC 1.5 $B$+$i(B 2.0 $B$X%"%C%W%0%l!<%I$9$k(B

MDAC 2.0 $B$r(B Jet 3.5 $B$+$i(B Jet 3.52 $B$XJQ99$7$^$9!#$3$l$O!"(BVBA shell() $B$KBP(B
$B$7$9$k967b$K$O8z2L$,$"$j$^$;$s!#$=$7$F!"%G%U%)%k%H$G$O(B RDS $B$OL58z$K$O=P(B
$BMh$^$;$s!#(B

* $B%G%U%)%k%H$N(BJet$B%(%s%8%s$r(B3.52$B$K$9$k$3$H$O!"(Bcustom handler support$B$K(BRDS
* $B$KF?L>%"%/%;%9$r6X;_$5$;$k$?$a$K!"(BMicrosoft.Jet.OLEDB.3.51*$B%W%m%P%$%@(B
* $B$r:n@.$9$k$3$H$r5v2D$7$^$9!#(B

$B$7$+$7!"$3$l$b$3$N$^$^$G$ONI$$J}K!$G$O$"$j$^$;$s!#$"$J$?$O>/$J$/$H$b!"(B
custom handler support$B$rM-8z$K$7$J$1$l$P$$$1$^$;$s!#$3$l$O!"0J2<$N%l%8%9(B
$B%H%j%-!<$G2DG=$G$9!#(B

        HKEY_LOCAL_MACHINE\Software\Microsoft\DataFactory\HandlerInfo\

Keyname: HandlerRequired
Value:   DWORD:1 (safe) or 0 (unsafe)

$B$3$NCM$r#1$K$9$k$Y$-$G$9!#$3$l$O99$K(BMicrosoft$B$+$iDs6!$5$l$F$$$k(BHotfix$B$N(B
'handsafe.exe/.reg'$B$G9T$o$l$F$$$k$3$H$G$9!#$3$l$O!"0J2<$N(BURL$B$K$"$j$^$9!#(B

        http://www.wiretrip.net/rfp/bins/msadc/handsafe.exe

$B<B9T$9$k$H$-$K$O!"(Bhandsafe.rem$B$,;HMQ$5$l$^$9!#(Bhandsafe.reg$B$KL>A0$rJQ99$7(B
$B$F$+$i%@%V%k%/%j%C%/$7$F%l%8%9%H%j$K=q$-9~$`$3$H$,=PMh$^$9!#(B

$B$3$N$h$&$K$7$F(BRDS$B967b$+$iKI8f$7$h$&$H$7$F$b!"(BExcel,Word$B$=$7$F(BAccess$B%U%!(B
$B%$%k$N%H%m%$$NLZGO$r4^$s$@(BODBC$B967b$K$O<eE@$r;}$C$?$^$^$G$9!#$D$^$j!"$3$l(B
$B$@$1$G$O==J,$G$O$J$$!"$H$$$&$3$H$G$9!#(B

-$BBP:v(B #3: MDAC 1.5 $B$r(B 2.1 $B0J9_$K%"%C%W%0%l!<%I$9$k(B

MDAC 2.1$B$r(BJet 3.5 $B$+$i(B $B<eE@$NL5$$(BJet 4.0$B%(%s%8%s$KJQ99$7$^$9!#$7$+$7!"(B
3.5 $B$H(B 4.0 $B$K$O8_49@-$NLdBj$,$"$j$^$9!#B?$/$N%f!<%6$,$3$N8_49@-$NLdBj$K(B
$B$h$C$F%"%C%W%0%l!<%I$r$7$?$,$i$J$$$G$7$g$&!#(B

* $B%G%U%)%k%H$N(B Jet$B%(%s%8%s$r(B $B<eE@$NL5$$(B4.0$B$KJQ99$9$k$3$H$O!"F?L>(BRDS$B$N%"(B
* $B%/%;%9$r6X;_$9$k$?$a$K(B custom handler support $B$r5v2D$7$^$9!#(B

$B$7$+$7$J$,$i!"(Bcustom handler$B$O%G%U%)%k%H$G$OM-8z$K$5$l$F$$$^$;$s!#$"$J$?(B
$B$O!">e5-$N(BHandlerRequired$B%l%8%9%H%j%-!<$NCM$r#1$K%;%C%H$7$J$1$l$P$$$1$^(B
$B$;$s!#$=$N0Y$K$O!"(Bregedit$B$r;HMQ$9$k$+(Bhandsafe.exe/.reg fix$B$r<B9T$7$^$9!#(B

-$BBP:v(B #4: MDAC 1.5 $B$r(B 2.0 $B$+$i(B 2.1 $B$X%"%C%W%0%l!<%I$9$k(B

$B$b$7$"$J$?$,NI$$4IM}<T$G$"$k$J$i!"$"$J$?$O>o$K%=%U%H%&%'%"$r%"%C%W%0%l!<(B
$B%I$7B3$1$F$$$k$G$7$g$&!#$b$7$=$&$7$F$$$k$N$J$i!"A4$F$N%"%C%W%0%l!<%I$NF;(B
$BDx$rDL$C$F$$$k;v$G$7$g$&!#(B2.1 $B$KD>@\%"%C%W%0%l!<%I$9$k$3$H$K$OLdBj$,$"$j(B
$B$^$9!J>e5-$N$h$&$K(B'HandlerRequired'$B%l%8%9%H%j%-!<$rM-8z$K$7$J$1$l$P$$$1(B
$B$^$;$s!K!#(B2.1 $B$O!"%G%U%)%k%H$G$O(B($B<eE@$NL5$$(B)Jet 4.0$B%(%s%8%s$r;HMQ$7$F$$(B
$B$^$9!#$7$+$7$J$,$i!"(B2.0 $B$X$N%"%C%W%0%l!<%I$r9T$o$J$+$C$?>l9g$O!"(B
Microsoft.Jet.OLEDB.3.51$B%W%m%P%$%@$r;HMQ$7$F$$$^$9!#$3$l$O!"(BRDS$B$r4^$a$?(B
$B%"%W%j%1!<%7%g%s$O8E$$(B($B<eE@$N$"$k(B)Jet 3.51$B%(%s%8%s$r8F$S=P$7$F$$$k$3$H$r(B
$B0UL#$7$^$9!#(B

$B$"$J$?$O$3$l$i$N8E$$@_Dj$r:o=|$9$kI,MW$,$"$j$^$9!#$R$H$D$NJ}K!$O!"0J2<$N(B
$B%l%8%9%H%j%-!<$G9T$($^$9!#(B

        HKEY_CLASSES_ROOT\Microsoft.Jet.OLEDB.3.51
        HKEY_CLASSES_ROOT\Microsoft.Jet.OLEDB.3.51Errors

$B$7$+$7$J$,$i!"$"$J$?$O(B 4.0$B%(%s%8%s$N8_49@-$NLdBj$KD>LL$7$?$^$^$G$9!#=>$C(B
$B$F!"$3$l$OAG@2$i$7$$2r7h:v$G$O$"$j$^$;$s!#(B

-$BBP:v(B #5: JetCopkg.exe (MS99-030)$B$r%$%s%9%H!<%k$9$k(B

JetCopkg.exe $B$O(B 'sandbox'$B$KBeI=$5$l$k0BA4$J5!G=$r;}$C$F$$$k!"967b$5$l$J(B
$B$$=$I|$r;\$5$l$?(B Jet 3.5$B%(%s%8%s$G$9!#$3$N0BA4$J5!G=$O!"0J2<$N%l%8%9%H%j(B
$B%-!<$K$h$C$F@)8f$5$l$F$$$^$9!#(B

        HKEY_LOCAL_MACHINE\Software\Microsoft\Jet\3.5\engines\SandboxMode

$B$=$l$>$l$NCM$O0J2<$N0UL#$r;}$A$^$9(B:
0       $BL58z(B
1       $B%"%/%;%9$N$_$rM-8z$K$9$k(B, $B$=$l0J30$OL58z(B
2       $B%"%/%;%9$N$_$rL58z$K$9$k!"$=$l0J30$OM-8z!J%G%U%)%k%H!K(B
3       $BA4$FM-8z(B

(Note 1: '$BM-8z(B'$B$O(B Microsoft Access $B$+$iMxMQ$G$-$k$H$$$&0UL#$G$9(B)

(Note 2: $B$3$l$i$O0J2<$N(BURL$B$KA4$F5-=R$5$l$F$$$^$9(B:
http://support.microsoft.com/support/kb/articles/q239/1/04.asp)

(Note 3: $B$3$N%-!<$K@_Dj$5$l$F$$$k%G%U%)%k%H$N%Q!<%_%C%7%g%s$O0BA4$G$O$"(B
         $B$j$^$;$s!*(B $B$"$J$?$O(B'Authenticated Users'$B$+$i(B'Read Only'$B$KJQ99$9(B
         $B$k$Y$-$G$9!#$3$N%G%U%)%k%H$N@_Dj$K$*$1$k4m81@-$K$D$$$F$O!"(BEric
         Shultze$B$,;d$N%5%$%H$K%]%9$H$7$F$/$l$?0J2<$N(BURL$B$r;2>H2<$5$$!#!K(B

        http://www.wiretrip.net/rfp/p/doc.asp?id=11&iface=2

$B>e5-$NCM$r(B 2 $B$+(B 3 $B$K$7$?>l9g$O0BA4$G$9!#(B

                $B$3$l$OE,@Z$J?d>)$5$l$kJ}K!$G$9!#(B

Jet 3.5$B%(%s%8%s$r;HMQ$7$F$$$k$N$G8_49@-$NLdBj$O$"$j$^$;$s!#$7$+$7!"$3$l(B
$B$O(BRDS$B$rL58z$K$O$7$F$$$^$;$s!#967b<T$O$"$J$?$N%G!<%?%Y!<%9!&%j%=!<%9$KF?(B
$BL>%"%/%;%9$G$-$^$9!#$"$J$?$N%G!<%?$r$a$A$c$/$A$c$K$9$k$3$H$b=PMh$^$9!#$"(B
$B$J$?$OBP:v$,I,MW$G$9!#;d$O(BRDS$B$rL58z$K$9$k$+(B($B2<5-;2>H(B)$B!"(BMDAC 2.0$B$K%"%C%W(B
$B%0%l!<%I$9$k$3$H$r?d>)$7$^$9(B($B$7$+$7!"(BMDAC 2.0$B$r:G=i$K%"%C%W%0%l!<%I$7$F(B
$B$+$i!"<!$K(B JetCopkg $B$r%$%s%9%H!<%k$7$F$/$@$5$$(B)$B!#(BMDAC 2.0 $B$K%"%C%W%0%l!<(B
$B%I$9$k$3$H$K$h$C$F!"F?L>%"%/%;%9$rL58z$K=PMh$k%O%s%I%i$N@)8f$,=PMh$k$h$&(B
$B$K$J$j$^$9!#(B

-$BBP:v(B #6: RDS $B$N:o=|(B/$BL58z(B

$B$3$l$O!">e5-$N(BJetCopkg$B$HJ;$;$F9T$&>l9g$K0lHVNI$$J}K!$G$9!#$b$7$"$J$?$,2?(B
$B$i$+$NM}M3(B(Y2K$BBP:v$N0Y$N%7%9%F%`JQ996X;_(B)$B$G%7%9%F%`$rJQ99$9$k$h$&$J%$%s(B
$B%9%H!<%k$,=PMh$J$$>l9g$O!"$"$J$?$O(BRDS$B$rL58z$K$9$k$3$H$K$h$C$F!">/$J$/$H(B
$B$b%j%b!<%H$+$i$N967b$N4m81@-$r8:$i$9$3$H$,=PMh$^$9!#$"$J$?$O$3$l$r9S$C$](B
$B$$$d$jJ}$G$9$,!"0J2<$N%U%!%$%k$r:o=|$9$k$3$H$K$h$C$F2DG=$K$J$j$^$9!#(B

        ?:\Program Files\Common Files\System\Msadc\msadcs.dll

$B$3$l$O!"(BRDS$B%$%s%?!<%U%'!<%9$rDs6!$9$k(BDLL$B$G$9!#$7$+$7!"0J2<$N$h$&$J<j=g$G(B
$B$-$A$s$HBP:v$r9T$&$3$H$rA&$a$^$9!#(B

* IIS$B$K$h$C$F%^%C%T%s%0$5$l$F$$$k(B /msadc$B2>A[%G%#%l%/%H%j$r:o=|$7$^$9!#$3(B
$B!!$l$r9T$&$?$a$K!"(BMicrosoft Management Console/Internet Service Manager
$B!!$r3+$$$F0J2<$NA`:n$r9T$C$F$/$@$5$$!#(B
                * 'Internet Information Server'$B$rA*Br(B
                * $BE,@Z$J%7%9%F%`$rA*Br(B
                * 'Default Web Site'$B$rA*Br(B
                * 'msadc'$B$rA*Br(B
                * 'Del' key$B$r2!$9$+!"(B'delete icon'$B$r%/%j%C%/(B
                * 'Are you sure?' 'Yes.'

* $B0J2<$N%l%8%9%H%j%-!<$r:o=|$7$^$9!#(B

        HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W3SVC
                \Parameters\ADCLaunch

        (Note: $B8+$d$9$/$9$k$?$a$K@^$jJV$7$F$$$^$9(B)

* $B0J2<$N%U%)%k%@$K4^$^$l$kA4$F$N%U%!%$%k$H%5%V%G%#%l%/%H%j$r:o=|$7$^$9!#(B

        ?:\Program Files\Common Files\System\Msadc

----[ 3. $B$$$m$$$m$J>u67(B

-$B>u67(B #1: RDS$B$,I,MW$G$9!*(B

$B$*$d$*$d!"$3$N$h$&$J@<$rJ9$/$3$H$O;DG0$J$3$H$G$9!#$G$bBg>fIW!"2DG=$G$9!#(B
$B$"$J$?$O!">/$J$/$H$b(B MDAC 2.0 $B$K%"%C%W%0%l!<%I$9$kI,MW$,$"$j$^$9!#$b$7!"(B
$B$"$J$?$,!"(Bbackwards-compatibility$B$NLdBj$rJz$($F$$$k$N$G$"$l$P!"(BMDAC 2.0
$B$r(BJetCopkg$B$H6&$K;HMQ$7$F$/$@$5$$!#$=$&$G$J$$$J$i!"(BMDAC 2.1$B$K$5$C$5$H(B
$B%"%C%W%0%l!<%I$9$k$Y$-$G$9!#(B

'HandlerRequired'$B%l%8%9%H%j%-!<$,M-8z$K$J$C$F$$$k$3$H$r3NG'$7$F2<$5$$!#(B
$B$^$?!"(BRDS$B$N%5%s%W%k$,:o=|$5$l$F$$$k$3$H$b3NG'$7$F2<$5$$!#(BMicrosoft$B$O99$K(B
MMC$B0J2<$N%G%U%)%k%H(BWeb$B%5%$%H$N(B /msadc$B%G%#%l%/%H%j$NF?L>%"%/%;%9$rL58z$K(B
$B$9$k$3$H$b?d>)$7$F$$$^$9!#$3$l$K$O(B custom handler $B$r;HMQ$9$k$3$H$K$J$j$^(B
$B$9!#$3$l$i$N>pJs$O!"0J2<$N(BURL$B$K$"$j$^$9!#(B

        http://www.microsoft.com/Data/ado/rds/custhand.htm

-$B>u67(B #2: $B%5%s%W%k%U%!%$%k$N:o=|0J30$N%7%9%F%`$N99?7$r6X;_$5$l$F$$$^$9!#(B

                             $B=EMW$J>pJs$G$9(B

custom handlers$B$r;H$&$3$H$O(B RDS$BA4BN$r;HMQITG=$K$9$k$3$HL5$7$K(B RDS $B$X$NF?(B
$BL>%"%/%;%9$rKI$0M#0l$NJ}K!$G$9!#$7$+$7!"(BRDS$B$N%5%s%W%k$,0J2<$K$"$l$P!"(B

        ?:\Program Files\Common Files\System\Msadc\Samples

VbBusObj$B$r4^$`%5%s%W%k%U%!%$%k$O(Bcustom handlers$B$r%P%$%Q%9$7$F;HMQ$9$k$3(B
$B$H$,=PMh$F$7$^$&$N$G$9!*!!=>$C$F!"$3$N$h$&$J%5%s%W%k%U%!%$%k$,>&MQ$N%5!<(B
$B%P$KB8:_$7$F$$$$M}M3$O$I$3$K$bL5$$$N$G$9!#$=$7$F!"$=$l$O:o=|$5$l$k$Y$-$G(B
$B$9!#<j=g$O0J2<$NDL$j$G$9!#(B

* $B0J2<$N%G%#%l%/%H%j0J2<$rA4$F:o=|$7$^$9!#(B

        ?:\Progam Files\Comman Files\System\Msadc\Samples

* $B0J2<$N%l%8%9%H%j%-!<$r:o=|$7$^$9!#(B

        HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W3SVC
                \Parameters\ADCLaunch\VbBusObj.VbBusObjCls

$B$3$l$K$h$j!"(BVbBusObj$B$O:o=|$5$l$^$9!#$=$7$F!"$"$J$?$N(Bcustom handlers$B$,%P(B
$B%$%Q%9$5$l$k$3$H$rKI$.$^$9!#(B

----[ 4. msadc.pl$B967b$NH/8+(B

msadc.pl$B$N(Bversion 1$B$H(B2$B$K$h$k967b$rH/8+$9$k$3$H$O:$Fq$G$O$"$j$^$;$s!#$3$N(B
$B967b$O:#$G$b9T$o$l$F$$$k$H;W$$$^$9$,!";DG0$J$,$i!"2~B$$bMF0W$J$N$G!"$=$N(B
$B>l9g$O8!CN$O:$Fq$@$H;W$$$^$9!#;d$,$=$l$r=q$$$?$H$-$K$O!"<eE@$rK=$/$3$H$K(B
$B@lG0$7$F$$$^$7$?!#(B

msadc.pl $B$O!":G=i$K!"%?!<%2%C%H%5!<%P$N(B/msadc/msadcs.dll $B$r(BGET$B$7$h$&$H$7(B
$B$^$9!#$b$7!"$=$l$,B8:_$9$k>l9g$K$O$=$l$,9T$o$l!"B8:_$7$J$$>l9g$K$O%(%i!<(B
$B%a%C%;!<%8$H6&$K=*N;$7$^$9!#$3$N:G=i$N(BGET$B$O!"$=$NEY$K$"$J$?$N%5!<%P$N%m(B
$B%0$K;D$k$G$7$g$&!#$7$+$7!"$3$N(BGET$B$r(BHEAD$B$d(BPOST$B$KJQ99$9$k$h$&$J%9%-%k$r;}(B
$B$C$?967b<T$b$$$k$G$7$g$&!#$5$i$K!"(Bhex-encoding$B$7$?(BURL$B$N$h$&$K:/@W$N;D$j(B
$B$K$/$$967b$r9T$&$3$H$b=PMh$k$G$7$g$&!#$7$+$7!"$=$l$G$b%m%0$K$O;D$j$^$9!#(B
$BBg;v$J;v$O!"(Bmsadcs.dll $B$r%Q%i%a!<%?L5$7$G8F$S=P$9$H$$$&$3$H$O!"C/$+$,8+(B
$B$F$O$$$k$,(B($B$^$@(B)$B;H$C$F$O$$$J$$$3$H$r0UL#$7$^$9!#(BRDS $B$H$$$&$b$N$O!"C/$b8+(B
$B$F$$$k$@$1!"$H$$$&$3$H$OL5$/!"@5$7$$%f!<%6$O$9$0$K$=$l$rMxMQ$7$^$9!#=>$C(B
$B$F!"%Q%i%a!<%?L5$7$G8F$S=P$7$F8+$F$$$k$@$1$H$$$&$N$O!V2x$7$$!W$H$$$&$3$H(B
$B$K$J$j$^$9!#(B

$B$b$7!"(Bmsadcs.dll$B$,B8:_$9$l$P(B($B$=$l$O%l%9%]%s%9$+$iJ,$+$j$^$9(B)$B!"%3%^%s%I$r(B
$BAv$i$;$k$h$&$KMW5a$7$^$9!#%G%U%)%k%H$G$O!"(Bmsadc.pl $B$O(B 'cmd /c' $B$+(B
'command /c' ($B8_49@-$N$?$a$K(B)$B$r<B9T$5$;$h$&$H$7$^$9!#$3$l$O!"(Bcmd.exe $B$+(B
command.com $B$NB8:_$K0MB8$7$F$$$k$3$H$r0UL#$7$^$9!#$7$+$7$J$,$i!"$=$N$I$A(B
$B$i$G$b$J$$$b$N$r8F$S=P$9$3$H$b=PMh$k$N$G$9!#(B

$B0J2<$N%9%/%j%W%H$O(B RDS$B$NMW5a$r$7$^$9!#0J2<$N(BURL$B$N$I$l$+$K(BPOST$BMW5a$r9T$$(B
$B$^$9!#(B

  $BDL>o$NMW5a(B:
        /msadc/msadcs.dll/ActiveDataFactory.Query

  custom handlers$B$r%P%$%Q%9$5$;$k$?$a$N(BVbBusObj:
        /msadc/msadcs.dll/VbBusObj.VbBusObjCls.GetRecordset

  NetBIOS$BL>$rMW5a$9$k(BVbBusObj:
        /msadc/msadcs.dll/VbBusObj.VbBusObjCls.GetMachineName

$B8=:_!"$b$7$"$J$?$,(B $B9gM}E*$JL\E*$G(BRDS$B$rMxMQ$7$F$$$k$J$i!"(B
ActiveDataFactory.Query URL$B$rMxMQ$7$F$$$k$G$7$g$&!#$7$+$7!"(BVbBusObj$B$OIT(B
$BMW$J$O$:$G$9!#=>$C$F>e5-$NFs$D$N(BURL$B$O967b$H8+$J$7$F$$$$$O$:$G$9!#$7$+$7(B
'VbBusObj'$B$r(Bgrep$BEy$G8!:w$9$k$3$H$O@5$7$$H/8+J}K!$G$O$"$j$^$;$s!#Nc$($P!"(B
$B0J2<$N$h$&$K(Bhex-encode$B=PMh$k$+$i$G$9!#(B

        /%6Dsadc/%6Dsadcs.dll/V%62BusO%62j.V%62BusO%62jCls.GetRecordset

        ($B$3$l$O$[$s$N0lNc$G$9(B)

$B$3$l$G$OJ8;zNs8!:w$9$k$3$H$O=PMh$^$;$s$M!#=>$C$F!"J8;zNs8!:w$OLr$KN)$A(B
$B$^$;$s!#(B

$B99$KFs$D$N$3$H$rIU$12C$($F$*$-$?$$$H;W$$$^$9!#(B

* $B%G%U%)%k%H$N(Bmsadc.pl$B%9%/%j%W%H$O(B'ACTIVEDATA'$B$r(BUser-Agen$B$K;HMQ$7$F$$$^(B
$B$9!#$3$l$O$3$N%9%/%j%W%H$K$h$k967b$rG'<1$9$k=u$1$K$J$k$H;W$$$^$9$,!"DL>o(B
$B$N(BRDS$B%3%s%H%m!<%k$b$3$N(BUser-Agent$B$r;HMQ$7$^$9!#=>$C$F!"DL>o$N%H%i%U%#%C(B
$B%/$NCf$+$i$3$l$rC5$7=P$9$N$O:$Fq$G$7$g$&!#(B

* $B%G%U%)%k%H$N(Bmsadc.pl$B%9%/%j%W%H$O(BMIME$B$N%;%Q%l!<%?$K(B
'!ADM!ROX!YOUR!WORLD!'$B$r;HMQ$7$F$$$^$9!#$7$+$7!"$3$l$O%m%0$K$O;D$5$l$^$;(B
$B$s$,!"$$$/$D$+$N?/F~8!CN%7%9%F%`$G$O$3$l$r%-!<%o!<%I$K8!CN$9$k$3$H$,2DG=(B
$B$G$9!#(B

$B%G%U%)%k%H$G$O(Bmsadc.pl$B%9%/%j%W%H$O%5!<%P$G8+$D$+$C$?%m!<%+%k$N(B .MDB$B%U%!(B
$B%$%k$rMxMQ$7$h$&$H$7$^$9!#$b$7$=$l$,8+$D$+$C$?$J$i!"(B.MDB$B%U%!%$%k$K(B'AZZ'
$B$H$$$&L>A0$N%F!<%V%k$r:n@.$9$k$G$7$g$&!#$=$N%F!<%V%k$O967b$N8e$G$b>C$7$^(B
$B$;$s!#$7$+$7!"(Bmsadc.pl$B$N(Bversion 2 $B$G$O(B'AZZ'$B%F!<%V%k$r:n$i$J$$%/%(%j$bMx(B
$BMQ$9$k$3$H$,=PMh$^$9!#$=$7$F!"%m!<%+%k$N(B.MDB$B$5$($bMxMQ$7$J$$$3$H$,2DG=$K(B
$B$J$C$F$$$^$9(B(UNC$B$r%5%]!<%H$7$F$$$^$9(B)$B!#(B

----[ 5. $B:G8e$K(B

$B$3$N%"%I%P%$%6%j$r!"$"$J$?J}$N0Y$KLk$b?2$J$$$G=q$$$F$$$?$H$-$K!"B>$N=EMW(B
$B$J$3$H$r=q$/$?$a$K$=$l$rCfCG$7$J$1$l$P$J$i$J$/$J$j$^$7$?!#(B

$B$"$J$?$,(BRDS$B$K$h$C$F967b$5$l$?$3$H$rCN$k:G$bNI$$J}K!$O!"0J2<$N(BURL$B$K<($5$l(B
$B$F$$$^$9!#(B

        http://www.wiretrip.net/rfp/

$B$=$s$J$KFq$7$$$3$H$G$O$"$j$^$;$s!#:GDc8B!">e5-$N%U%!%$%k$r:o=|$9$l$P$"$J(B
$B$?$O!"$^$"$^$"0BA4$G$9!#$3$l$G(BWeb$B%5%$%H$r%a%A%c%/%A%c$K$5$l$k?4G[$O$J$/(B
$B$J$j$^$9!#(B

$B?J$s$G%Q%C%A$r=<$F$^$7$g$&!#(B

.rain.forest.puppy$B$h$j(B

PS.$B;d$,IaDL$N?M4V$G$9!#=>$C$F!"$3$N%I%-%e%a%s%H$K$b4V0c$$$,$"$k$+$b$7$l(B
$B$^$;$s!#$7$+$7!"$b$&Hh$l$^$7$?!#$3$N$3$H$+$i3+J|$5$l$?$$$N$G$9!#4V0c$$$,(B
$B$"$C$F$b5v$7$F$/$@$5$$!#(B

$BLu<TCm!K;d$NK]Lu$KCWL?E*$J4V0c$$$,$"$C$?>l9g$K$OO"Mm$7$F$/$@$5$$!#(B

----[ 6. $B;29M(B


- Office 97/Jet 3.5 update binary (i386)
  http://www.wiretrip.net/rfp/bins/msadc/jetcopkg.exe
  http://officeupdate.microsoft.com/isapi/gooffupd.asp?TARGET=/downloaditems/JetCopkg.exe


- Microsoft Universal Data Access homepage
  http://www.microsoft.com/data/


- MDAC 2.1.2.4202.3 (GA) (aka MDAC 2.1 sp2) update (i386)
  http://www.wiretrip.net/rfp/bins/msadc/mdac_typ.exe
  http://www.microsoft.com/data/download_21242023.htm


- MDAC 2.1.1.3711.11 (GA) (aka MDAC 2.1 sp1) hotfix
  http://www.microsoft.com/data/download/jetODBC.exe


- MDAC 2.1 release manifest
  http://www.microsoft.com/data/MDAC21info/MDAC21sp2manifest.htm


- MDAC 2.1 installation FAQ
  http://www.microsoft.com/data/MDAC21info/MDACinstQ.htm


- Security Implications of RDS 1.5, IIS 3.0 or 4.0, and ODBC
  http://support.microsoft.com/support/kb/articles/q184/3/75.asp


- Unauthorized ODBC Data Access with IIS and RDS (MS99-004)
  http://www.microsoft.com/security/bulletins/ms98-004.asp


- Re-release of MS99-004 (MS99-025)
  http://www.microsoft.com/security/bulletins/ms99-025.asp


- MS99-025 FAQ (best explanation of problem by Microsoft)
  http://www.microsoft.com/security/bulletins/MS99-025faq.asp


- MS99-30: Patch available for Office ODBC Vulnerabilities
  http://www.microsoft.com/security/bulletins/ms99-030.asp


- Jet Expression Can Execute Unsafe VBA Functions
  http://support.microsoft.com/support/kb/articles/q239/1/04.asp


- Implementing Custom Handlers in RDS 2.0
  http://www.microsoft.com/Data/ado/rds/custhand.htm


- Handsafe registry patch (enables handlers)
  http://www.wiretrip.net/rfp/bins/msadc/handsafe.exe
  http://www.microsoft.com/security/bulletins/handsafe.exe


- RFP9901: NT ODBC remote compromise
  http://www.wiretrip.net/rfp/p/doc.asp?id=3&iface=2


- RFP9902: RDS/IIS 4.0 vulnerability and exploit
  http://www.wiretrip.net/rfp/p/doc.asp?id=1&iface=2


- RDS exploit (msadc.pl v1 and v2)
  http://www.wiretrip.net/rfp/p/doc.asp?id=16&iface=2


- ULG recommended fix on OSALL
  http://www.aviary-mag.com/News/Powerful_Exploit/ULG_Fix/ulg_fix.html


- CERT blurb
  http://www.cert.org/current/current_activity.html#0


- Attrition mirror of defaced websites (patch or you'll be on it!)
  http://www.attrition.org/mirror/attrition/


--- rain forest puppy / rfp@wiretrip.net ----------- ADM / wiretrip ---

       Patch your system before flipper and fuqnut get to you...

--- Advisory RFP9907 ----------------------------- rfp.labs -----------