Unauthorized ODBC Data Access with RDS and IIS

Remote Data Service (RDS) is a component of Microsoft® Data Access Components (MDAC). The RDS DataFactory (a single component of RDS) allows implicit remoting of data access requests by default, it can be exploited to allow unauthorized Internet clients to access OLE database (DB) datasources available to the server

Issue

A Web client connecting to a Windows NT IIS server can use the RDS DataFactory object to direct that server to access data using an installed OLE DB provider. This includes executing SQL Server™ calls to ODBC-compliant databases using the ODBC drivers installed on the server.

For example a Web-client could issue a SQL command along with the name or Internet Protocol (IP) address of a remote SQL Server system, a SQL account and password, database name, and a SQL query string. If the request is valid (the remote server is reachable by the Windows NT IIS server, the user account and password are correct, and the database name is valid), the query results will be sent through HTTP back to the client. Although it is true that this requires significant inside information, the potential accessibility of this information should not be underestimated; organizations that don't practice good computing practices could have blank or easy-to-guess passwords on their SQL administrator accounts. The RDS DataFactory object along with other installed ODBC drivers opens other possibilities, including possible access to non-published files on the Windows NT IIS server.

The risk of security vulnerability caused by the DataFactory is even greater if newer OLE DB Providers are installed on the server. "Microsoft DataShape Provider" and "Microsoft JET OLE DB provider" (which ship with MDAC 2.0 in Visual Studio™ 98) allow shell commands to be executed. If the DataFactory is enabled on such a server, Internet clients can use these providers to execute shell commands, which can potentially bring down the server or otherwise severely affect its performance.

Affected Products

• IIS 4.0 and Remote Data Services (RDS) 1.5

Solution

If you don't intentionally use the implicit remoting functionality in the DataFactory object, you should disable it.

Please note that you can still use RDS to invoke Business Objects on the server, but an administrator must explicitly enable access to these object by inserting keys for them in the registry. Any pages or applications that rely on RDS's Datacontrol or DataFactory components will not work after this access.

Removing Implicit DataFactory Functionality:

If the following registry entries are removed from the server hosting Windows NT Server's IIS, then the implicit remoting functionality (through DataFactory) of RDS will be disabled. These keys can be removed using the Registry Editor, or other tools for manipulating the registry.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\
Parameters\ADCLaunch\RDSServer.DataFactory]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\
Parameters\ADCLaunch\AdvancedDataFactory]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\
Parameters\ADCLaunch\VbBusObj.VbBusObjCls]

Note: These registry keys have been wrapped for easy viewing.

Further Details

Source: Microsoft Corporation

Reference: Microsoft Corporation

Updated: July 17, 1998

>> Recommended Download - secure your PC from spyware, adware and malware now with Spyware Doctor <<