Microsoft Windows NT IIS MDAC RDS Remote Command Execution Vulnerability (MS99-025)

Vulnerability ID: 1105493
Vulnerability type: Permissions, privileges and access control
Published: 1999-07-19
Updated: 2006-02-20
CVE number: CVE-1999-1011
CNNVD-ID: CNNVD-199907-021
Platform: Windows
CVSS score: 10.0
|Vulnerability sources
https://www.exploit-db.com/exploits/19425
https://cxsecurity.com/issue/WLB-2012060085
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-199907-021
|Vulnerability details
MDAC (Microsoft Data Access Components) is a software package that connects the Web with databases. It contains a component called RDS (Remote Data Services). RDS lets users access databases through IIS, and both RDS and IIS are installed by default. A component of RDS, DataFactory, contains a vulnerability that allows any web user to obtain unpublished files on the IIS server; a remote attacker can also use MDAC to forward ODBC requests and thereby reach non-public servers. If the Microsoft JET OLE DB Provider or Microsoft DataShape Provider is installed on the server, an attacker can use the shell() VBA call to execute arbitrary commands on the system with System privileges (see the Microsoft JET Database Engine VBA vulnerability for details). Combined with the present vulnerability, this lets an attacker execute arbitrary commands on the system with System privileges.
|Vulnerability EXP
source: http://www.securityfocus.com/bid/529/info
 
MDAC (Microsoft Data Access Components) is a package used to integrate web and database services. It includes a component named RDS (Remote Data Services). RDS allows remote access via the internet to database objects through IIS. Both are included in a default installation of the Windows NT 4.0 Option Pack, but can be excluded via a custom installation.
 
RDS includes a component called the DataFactory object, which has a vulnerability that could allow any web user to:
--Obtain unauthorized access to unpublished files on the IIS server
--Use MDAC to tunnel ODBC requests through to a remote internal or external location, thereby obtaining access to non-public servers or effectively masking the source of an attack on another network.
 
The main risk in this vulnerability is the following:
--If the Microsoft JET OLE DB Provider or Microsoft DataShape Provider are installed, a user could use the shell() VBA command on the server with System privileges. (See the Microsoft JET Database Engine VBA Vulnerability for more information). These two vulnerabilities combined can allow an attacker on the Internet to run arbitrary commands with System level privileges on the target host. 


--RDS Exploit information:
RDS EXPLOITER For Win98/NT
 
 
How it Works:
 
        The intent of RDS Exploit is to deliver shell commands into the machine or retrieve some data from a valid ODBC connection.
      
1. Setting ODBC Connection:
First of all you will need to know some valid DSN, the UID (User ID) and Password.  Put the information about the connection into "Connection Properties":
Data Source: The DSN Connection Name (it MUST be a registered DSN)
User ID: Login (it can be null sometimes)
Password: Password (it can be null sometimes)
Mode: The way you want to open the Table (Read Only or Read and Write)
 
You must follow the order above and don't forget the ; to separate the options.
 It can be for instance a line like this:
"Data Source=AdvWorks;User ID=;Password=;Mode=Read|Write;"
  
2. SQL Commands:
Put into the "SQL Parameters" box the command line you want to deliver, for example:
"SELECT * FROM Products"

3. Host:
 You MUST enter the host like this: http://server  DON'T FORGET HTTP:// or it will not work.
 
After all is done, just click the "Retrieve Data" button and see what happens =)
  


https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/19425.zip
|References

Source: MS
Name: MS99-025
Link: http://www.microsoft.com/technet/security/bulletin/ms99-025.asp
Source: OSVDB
Name: 272
Link: http://www.osvdb.org/272
Source: MS
Name: MS98-004
Link: http://www.microsoft.com/technet/security/bulletin/ms98-004.asp
Source: BID
Name: 529
Link: http://www.ciac.org/ciac/bulletins/j-054.shtml
Source: NSFOCUS
Name: 3822
Link: http://www.nsfocus.net/vulndb/3822