Unauthorized ODBC Access

Unauthorized ODBC Access via RDS and IIS
Reported by Microsoft on their security Web

VERSIONS AFFECTED

• Microsoft Internet Information Server version 4.0
• Microsoft Remote Data Services version 1.5
• Microsoft Visual Studio version 6.0

DESCRIPTION

According to the notice issued by Microsoft, "a web client connecting to an IIS server can use the RDS DataFactory object (installed with NT Option Pack) to direct that server to access data using an installed OLE DB provider. This includes executing SQL calls to ODBC-compliant databases using the ODBC drivers installed on the server."

EXAMPLE

"A web-client could issue a SQL command along with the name or IP address of a remote SQL server, a SQL account and password, database name, and a SQL query string. If the request is valid (remote server is reachable by the IIS server, user account and password are correct, database name is valid), the query results will be sent via HTTP back to the client. While it is true that this requires significant inside information, the potential accessibility of this information should not be underestimated..."

The problem is compounded by using other software, such as Microsoft DataShape Provider and Microsoft JET OLE DB provider (included with MDAC 2.0 in Visual Studio 98) because they allow shell commands to be executed -- we"re certain you get this gist of this implication...

Additionally, the NT Resource Kit includes the utility DELREG.EXE which can be used to remove the above mentioned keys.

Posted on The NT Shop on July 15, 1998