Microsoft Security Bulletin MS04-003 - Important

Buffer Overrun in MDAC Function Could Allow Code Execution (832483)

Published: January 13, 2004 | Updated: April 01, 2004

Version: 1.2


Summary

Who should read this document:
Customers who are using Microsoft® Windows®

Impact of vulnerability:
Remote code execution

Maximum Severity Rating:
Important

Recommendation:
Customers should install this security update at their earliest opportunity.

Security Update Replacement:
This update replaces the one that is provided in Microsoft Security Bulletin MS03-033.

Caveats:
After installing this update, users who have encrypted their temporary files may receive an error message. This error message is documented and resolution details can be found in Microsoft Knowledge Base Article 836683.

Tested Software and Security Update Download Locations:

Affected Software:

  • Microsoft Data Access Components 2.5 (included with Microsoft Windows 2000)

  • Microsoft Data Access Components 2.6 (included with Microsoft SQL Server 2000)

  • Microsoft Data Access Components 2.7 (included with Microsoft Windows XP)

  • Microsoft Data Access Components 2.8 (included with Microsoft Windows Server 2003)

    Note The same update applies to all these versions of MDAC - Download the Update

  • Microsoft Data Access Components 2.8 (included with Windows Server 2003 64-Bit Edition) - Download the Update

The software listed above has been tested to determine if the versions are affected. Other versions either no longer include security patch support or may not be affected. Please review the Microsoft Support Lifecycle Web site to determine the support lifecycle for your product and version.

General Information

Technical Details

Technical description:

Microsoft Data Access Components (MDAC) is a collection of components that provides the underlying functionality for a number of database operations, such as connecting to remote databases and returning data to a client. When a client system on a network tries to see a list of computers that are running SQL Server and that reside on the network, it sends a broadcast request to all the devices that are on the network. Because of a vulnerability in a specific MDAC component, an attacker could respond to this request with a specially-crafted packet that could cause a buffer overflow.

An attacker who successfully exploited this vulnerability could gain the same level of privileges over the system as the program that initiated the broadcast request. The actions an attacker could carry out would be dependent on the permissions under which the program using MDAC ran. If the program ran with limited privileges, an attacker would be limited accordingly; however, if the program ran under the local system context, the attacker would have the same level of permissions.

Since the original version of MDAC on your system may have changed from updates available on the Microsoft Web site, we recommend using the following tool to determine the version of MDAC you have on your system: Microsoft Knowledge Base article 301202 "HOW TO: Check for MDAC Version" discusses this tool and explains how to use it. Also, Microsoft Knowledge Base article 231943 discusses the release history of the different versions of MDAC.

Mitigating factors:

  • For an attack to be successful an attacker would have to simulate a SQL server that is on the same IP subnet as the target system.
  • When a client system on a network tries to see a list of computers that are running SQL Server and that reside on the network, it sends a broadcast request to all the devices that are on the network. A target system must initiate such a broadcast request to be vulnerable to an attack. An attacker would have no way of launching this first step but would have to wait for anyone to enumerate computers that are running SQL Server on the same subnet. Also, a system is not vulnerable by having these SQL management tools installed.
  • Code executed on the client system would only run under the privileges of the client program that made the broadcast request.

Severity Rating:

Microsoft Data Access Components 2.5 (included with Windows 2000) Important
Microsoft Data Access Components 2.6 (included with SQL Server 2000) Important
Microsoft Data Access Components 2.7 (included with Windows XP) Important
Microsoft Data Access Components 2.8 (included with Windows Server 2003) Important

The above assessment is based on the types of systems that are affected by the vulnerability, their typical deployment patterns, and the effect that exploiting the vulnerability would have on them.

Vulnerability identifier: CAN-2003-0903

Workarounds

Microsoft has tested the following workarounds. These workarounds will not correct the underlying vulnerability. However, they help block known attack vectors. Workarounds may reduce functionality in some cases; in such cases, the reduction in functionality is identified below.

Block UDP port 1434 from accepting inbound traffic.

Block UDP port 1434 on your system's network interface from accepting inbound traffic. For example, to block network traffic that comes from UDP port 1434 to this host on a Windows 2000-based computer, type the following at the command line:

ipsecpol -w REG -p "Block UDP 1434 Filter" -r "Block Inbound UDP 1434 Rule" -f *:1434=0:*:UDP -n BLOCK -x

See Microsoft Knowledge Base article 813878 "How to Block Specific Network Protocols and Ports by Using IPSec" for more information about IPsec and the technology that this workaround uses.

Impact of Workaround: SQL client systems would no longer be able to initiate SQL broadcast requests. For example, tools like SQL Enterprise Manager use broadcast requests to enumerate all SQL Server instances on a subnet. The workaround would also prevent connections to non-default instances of SQL Server. Examples of non-default instances are additional instances of SQL Server that are installed on the same computer.

Frequently Asked Questions

What is the scope of the vulnerability?
This is a buffer overrun vulnerability. An attacker who successfully exploited this vulnerability could gain the same level of privileges over the system as the program that initiated the broadcast request. The actions that an attacker could carry out on the system would depend on the permissions of the user account under which the program using MDAC ran. If the program ran with limited privileges, an attacker would be limited accordingly. However, if the program ran under the context of Local System, the attacker could gain the same level of permissions.

What causes the vulnerability?
The vulnerability results because of an unchecked buffer in a specific MDAC component. If an attacker were able to successfully exploit this vulnerability, it could allow them to gain control over the system and take any action that the legitimate process executing MDAC could take.

What is Microsoft Data Access Components?
Microsoft Data Access Components (MDAC) is a collection of components that make it easy for programs to access databases and to change the data within them. Modern databases may take a variety of forms (for example, SQL Server databases, Microsoft Access databases, and XML files) and may be housed in a variety of locations (for example, on the local system or on a remote database server). MDAC provides a consolidated set of functions for working with these data sources in a consistent manner. A good discussion of MDAC and the components that it provides is available on MSDN.

Do I have MDAC on my system?
It is very likely that you do because MDAC is a ubiquitous technology:

  • MDAC installs as part of Windows 2000, SQL Server 2000, Windows XP, and Windows Server 2003.
  • MDAC is available for download from the Microsoft Web site.
  • MDAC is installed by many other Microsoft programs. To name just a few cases, it is installed as part of the Microsoft Windows NT 4.0 Option Pack, Microsoft Access, and SQL Server.

A tool is available that can help you determine what version of MDAC is running on your system. Microsoft Knowledge Base article 301202 "HOW TO: Check for MDAC Version" describes this tool and explains how to use it. Also, Microsoft Knowledge Base article 231943 discusses the release history of the different versions of MDAC.

Why did Microsoft Windows Update offer me a language version of the security update that is different than I expected?
It is recommended, but not necessary, to install the language version of this update that matches the MDAC language that the customer has installed. Windows Update, and subsequently Microsoft Software Update Services (SUS), offers this security update based on the language version of Windows that a customer has. A customer could have a more recent version of MDAC installed, which is localized into a language other than the language of the instance of Windows. For example, if a customer installs a Spanish language instance of SQL Server on an English instance of Windows, the customer may have a Spanish language version of MDAC installed. This is a supported configuration for which we would recommend the Spanish language update. Certain log entries note the disparity. If the customer prefers the Spanish update, they should install the security update by using the download links that are at the beginning of this security bulletin.

Note: While the installation of this security update is in English, the security update itself is localized and Windows Update will offer customers an update that matches the language version of Windows they have.

What might an attacker use the vulnerability to do?
This vulnerability could enable an attacker to reply to a client system request with a malformed User Datagram Protocol (UDP) packet, which would cause a buffer overrun to occur. If an attacker were to successfully exploit this vulnerability, they could take any action that they wanted to on the system that the overrun process could take.

How could an attacker exploit this vulnerability?
An attacker could exploit this vulnerability by simulating a server running SQL Server that listens on a network for a client system to request an enumeration of all systems on the specific network that are running SQL Server. By replying to that request with a specially-crafted packet, an attacker could cause a buffer overrun to occur in a specific MDAC component on the client system.

What does the update do?
This security update removes the vulnerability by validating that the number of bytes that are specified in the reply is of an appropriate value.
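
The check described above, sketched as an added example (not Microsoft's code and not taken from the bulletin): a length-prefixed reply is copied once without and once with validation of the declared byte count. The packet layout (one type byte, a 16-bit little-endian length, then data), the 1024-byte bound, and every function and sample name are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HDR_LEN  3     /* assumed layout: 1 type byte + 16-bit LE length */
#define MAX_DATA 1024  /* assumed protocol bound on reply data */

enum status { REPLY_OK, REPLY_TRUNCATED, REPLY_LEN_MISMATCH, REPLY_TOO_LARGE };

/* Flaw class the bulletin describes (illustrative only): the length field
 * is trusted, so the sender alone decides how many bytes are copied. */
void copy_unchecked(const uint8_t *pkt, uint8_t *out)
{
    size_t declared = (size_t)pkt[1] | ((size_t)pkt[2] << 8);
    memcpy(out, pkt + HDR_LEN, declared);           /* can overrun out */
}

/* Hardened form: validate the declared length before any copy. */
enum status copy_checked(const uint8_t *pkt, size_t pkt_len,
                         uint8_t *out, size_t out_cap, size_t *out_len)
{
    if (pkt_len < HDR_LEN)
        return REPLY_TRUNCATED;
    size_t declared = (size_t)pkt[1] | ((size_t)pkt[2] << 8);
    if (declared > pkt_len - HDR_LEN)               /* more than arrived */
        return REPLY_LEN_MISMATCH;
    if (declared > MAX_DATA || declared > out_cap)  /* more than fits */
        return REPLY_TOO_LARGE;
    memcpy(out, pkt + HDR_LEN, declared);
    *out_len = declared;
    return REPLY_OK;
}

/* Constructed sample replies (not captured traffic). */
static const uint8_t SAMPLE_OK[]    = { 0x05, 0x04, 0x00, 'T', 'E', 'S', 'T' };
static const uint8_t SAMPLE_LIE[]   = { 0x05, 0xFF, 0x7F, 'T', 'E', 'S', 'T' };
static const uint8_t SAMPLE_BIG[23] = { 0x05, 0x14, 0x00 }; /* 20 data bytes */
static const uint8_t SAMPLE_SHORT[] = { 0x05, 0x04 };

/* Run the checked parser against a 16-byte destination buffer. */
int check_sample(const uint8_t *pkt, size_t pkt_len)
{
    uint8_t out[16];
    size_t n = 0;
    return (int)copy_checked(pkt, pkt_len, out, sizeof out, &n);
}

int main(void)
{
    printf("ok=%d lie=%d big=%d short=%d\n",
           check_sample(SAMPLE_OK, sizeof SAMPLE_OK),
           check_sample(SAMPLE_LIE, sizeof SAMPLE_LIE),
           check_sample(SAMPLE_BIG, sizeof SAMPLE_BIG),
           check_sample(SAMPLE_SHORT, sizeof SAMPLE_SHORT));
    return 0;
}
```

The declared length is compared against the bytes actually received before it is compared against the destination, so a reply that overstates its size is rejected without reading past the datagram.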

Security Update Information

Installation platforms and Prerequisites:

For information about the specific security update for your platform, click the appropriate link:

Microsoft Data Access Components (all versions)

Prerequisites

This security update requires that you have any one of the following MDAC versions installed:

Inclusion in future service packs:

The fix for this issue will be included in MDAC 2.8 Service Pack 1.

Installation Information

This update supports the following Setup switches:

/?              Displays the list of installation switches.
/Q              Uses Quiet mode.
/T:<full path>  Specifies the temporary working folder.
/C              Extracts files only to the folder when it is used with /T.
/C:<Cmd>        Overrides the Install command that the author defines.
/N              Does not restart the dialog box.

Deployment Information

For example, the following command-line command installs the security update without any user intervention and suppresses a restart:

<LAN>_Q832483_MDAC_X86.EXE /C:"dahotfix.exe /q /n" /q:a

For English, for example, <LAN> is ENU.

The /q switch that is specified for Dahotfix.exe is for a silent install. The /n switch suppresses the restart. The trailing /q:a switch is to also suppress the end-user license agreement (EULA) pop-up window.

Restart Requirement

You must restart your computer after you apply this security update.

Removal Information

This security update cannot be removed after it has been installed.

File Information

The English version of this fix has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.

MDAC 2.5 Service Pack 2:

Date Time Version Size File Name
29-Oct-2003 02:20 3.520.6101.0 212,992 Odbc32.dll
28-Oct-2003 21:44 3.70.11.46 24,848 Odbcbcp.dll
28-Oct-2003 00:06 3.520.6101.0 102,672 Odbccp32.dll
28-Oct-2003 21:44 3.70.11.46 524,560 Sqlsrv32.dll

MDAC 2.5 Service Pack 3:

Date Time Version Size File Name
29-Oct-2003 02:24 3.520.6301.0 212,992 Odbc32.dll
28-Oct-2003 21:44 3.70.11.46 24,848 Odbcbcp.dll
28-Oct-2003 01:08 3.520.6301.0 102,672 Odbccp32.dll
28-Oct-2003 21:44 3.70.11.46 524,560 Sqlsrv32.dll

MDAC 2.6 Service Pack 2:

Date Time Version Size File Name
28-Oct-2003 17:22 2000.80.747.0 86,588 Dbnetlib.dll
29-Oct-2003 02:35 3.520.7502.0 417,792 Odbc32.dll
28-Oct-2003 17:22 2000.80.747.0 29,252 Odbcbcp.dll
29-Oct-2003 02:34 3.520.7502.0 217,088 Odbccp32.dll
28-Oct-2003 17:22 2000.80.747.0 479,800 Sqloledb.dll
28-Oct-2003 17:22 2000.80.747.0 455,236 Sqlsrv32.dll

MDAC 2.7

Date Time Version Size File Name
28-Oct-2003 05:09 2000.81.9002.0 61,440 Dbnetlib.dll
28-Oct-2003 05:05 3.520.9002.0 204,800 Odbc32.dll
28-Oct-2003 05:10 2000.81.9002.0 24,576 Odbcbcp.dll
28-Oct-2003 05:09 3.520.9002.0 94,208 Odbccp32.dll
28-Oct-2003 05:06 2.70.9002.0 413,696 Oledb32.dll
28-Oct-2003 05:09 2000.81.9002.0 450,560 Sqloledb.dll
28-Oct-2003 05:09 2000.81.9002.0 356,352 Sqlsrv32.dll

MDAC 2.7 Service Pack 1 or MDAC 2.7 Service Pack 1 Refresh:

Date Time Version Size File Name
28-Oct-2003 04:12 2000.81.9042.0 61,440 Dbnetlib.dll
28-Oct-2003 04:09 2.71.9042.0 126,976 Msdart.dll
28-Oct-2003 04:09 3.520.9042.0 204,800 Odbc32.dll
28-Oct-2003 04:13 2000.81.9042.0 24,576 Odbcbcp.dll
28-Oct-2003 04:13 3.520.9042.0 98,304 Odbccp32.dll
28-Oct-2003 04:10 2.71.9042.0 417,792 Oledb32.dll
28-Oct-2003 04:12 2000.81.9042.0 471,040 Sqloledb.dll
28-Oct-2003 04:12 2000.81.9042.0 385,024 Sqlsrv32.dll

MDAC 2.8:

Date Time Version Size File Name
12-Dec-2003 23:40 2000.85.1025.0 24,576 Odbcbcp.dll
19-Nov-2003 00:38 2000.85.1025.0 401,408 Sqlsrv32.dll

MDAC 2.8 for Windows Server 2003 64-Bit Edition:

Date Time Version Size File Name
15-Dec-2003 18:51 2000.85.1025.0 49,152 Odbcbcp.dll
15-Dec-2003 18:52 2000.85.1025.0 978,944 Sqlsrv32.dll

Verifying Update Installation

To verify that the security update is installed on your computer, check the file manifests that are listed in this bulletin and make sure that you have the correct versions of the files.

You may also be able to verify that this security update is installed by reviewing the following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\DataAccess\Q832483

For the Microsoft Data Access Components 2.8 that shipped in Windows Server 2003 64-Bit Edition you can verify that this security update is installed by reviewing the following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\HotFix\KB832483

Note: These registry keys may not be created correctly if an administrator or an OEM integrates or slipstreams the 832483 security update into the Windows installation source files.

Other Information

Obtaining other security updates:

Updates for other security issues are available from the following locations:

  • Security updates are available from the Microsoft Download Center, and can be most easily found by doing a keyword search for "security_patch".
  • Updates for consumer platforms are available from the WindowsUpdate Web site.

Support:

  • Technical support is available from Microsoft Product Support Services at 1-866-PCSAFETY for customers in the U.S. and Canada. There is no charge for support calls that are associated with security updates.
  • International customers can get support from their local Microsoft subsidiaries. There is no charge for support associated with security updates. Information on how to contact Microsoft support is available at the International Support Web Site.

Security Resources:

Software Update Services (SUS):

Microsoft Software Update Services (SUS) enables administrators to quickly and reliably deploy the latest critical updates and security updates to Windows® 2000 and Windows Server™ 2003-based servers, as well as to desktop computers running Windows 2000 Professional or Windows XP Professional.

For information about how to deploy this security update with Software Update Services, visit the Software Update Services Web site.

Systems Management Server (SMS):

Systems Management Server can provide assistance deploying this security update. For information about Systems Management Server visit the SMS Web Site.

Disclaimer:

The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Revisions:

  • V1.0 January 13, 2004: Bulletin published
  • V1.1 January 30, 2004: Updated the IPSEC policy in the Workarounds section, updated the command line install string under the Deployment Information section.
  • V1.2 April 1, 2004: Updated caveats section with advice for customers who have encrypted their temporary files.
