Microsoft Security Bulletin MS03-033 - Important
Unchecked Buffer in MDAC Function Could Enable System Compromise (823718)
Published: August 20, 2003
Originally posted: August 20, 2003
Who should read this bulletin:
Customers using Microsoft® Windows®
Impact of vulnerability:
Run code of the attacker's choice
Maximum Severity Rating:
Users should apply the security patch to affected systems.
- Microsoft Data Access Components 2.5
- Microsoft Data Access Components 2.6
- Microsoft Data Access Components 2.7
Not Affected Software:
- Microsoft Data Access Components 2.8
An End User version of the bulletin is available at:
Microsoft Data Access Components (MDAC) is a collection of components that are used to provide database connectivity on Windows platforms. MDAC is a ubiquitous technology, and it is likely to be present on most Windows systems:
- By default, MDAC is included by default as part of Microsoft Windows XP, Windows 2000, Windows Millennium Edition, and Windows Server 2003. (It is worth noting, though, that the version that is installed by Windows Server 2003 does not have this vulnerability).
- MDAC is available for download as a stand-alone technology.
- MDAC is either included in or installed by a number of other products and technologies. For example, MDAC is included in the Microsoft Windows NT® 4.0 Option Pack and in Microsoft SQL Server 2000. Additionally, some MDAC components are present as part of Microsoft Internet Explorer even when MDAC itself is not installed.
MDAC provides the underlying functionality for a number of database operations, such as connecting to remote databases and returning data to a client. When a client system on a network tries to see a list of computers that are running SQL Server and that reside on the network, it sends a broadcast request to all the devices that are on the network. Due to a flaw in a specific MDAC component, an attacker could respond to this request with a specially crafted packet that could cause a buffer overflow.
An attacker who successfully exploited this flaw could gain the same level of privileges over the system as the application that initiated the broadcast request. The actions an attacker could carry out would be dependent on the permissions which the application using MDAC ran under. If the application ran with limited privileges, an attacker would be limited accordingly; however, if the application ran under the local system context, the attacker would have the same level of permissions. This could include creating, modifying, or deleting data on the system, or reconfiguring the system. This could also include reformatting the hard disk or running programs of the attacker's choice.
This bulletin supercedes the patch discussed in MS02-040. Customers should install this patch as it contains both the fix for the vulnerability discussed in bulletin MS02-040 and the patch discussed in this bulletin.
- For an attack to be successful an attacker would need to simulate a SQL server on the same subnet as the target system.
- Code executed on the client system would only run under the privileges of the client application that made the broadcast request.
- MDAC version 2.8 (which is the version included with Windows Server 2003) does not contain the flaw that is addressed by this bulletin.
The above assessment is based on the types of systems affected by the vulnerability, their typical deployment patterns, and the effect that exploiting the vulnerability would have on them.
Vulnerability identifier: CAN-2003-0353
Microsoft tested Microsoft Data Access Components 2.5, 2.6, 2.7, and 2.8 to assess whether they are affected by this vulnerability. Previous versions are no longer supported, and may or may not be affected by these vulnerabilities.
Does this patch include any other security fixes?
Yes - this patch includes the fix for the security vulnerability that is discussed in Microsoft Security Bulletin MS02-040. Customers who want to install the patch for the vulnerability discussed in MS02-040 should install the patch in this security bulletin; it supercedes the patch in MS02-040.
What's the scope of this vulnerability?
This is a buffer overrun vulnerability. An attacker who successfully exploited this flaw could gain the same level of privileges over the system as the application which initiated the broadcast request. The actions an attacker could carry out on the system would be dependent on the permissions which the application using MDAC ran under.
If the application ran with limited privileges, an attacker would be limited accordingly; however, if the application runs under the local system context, the attacker would have the same level of permissions. This could include creating, modifying, or deleting data on the system, or reconfiguring it the system. This could also include reformatting the hard disk or running programs of the attacker's choice on it.
What causes the vulnerability?
The vulnerability results because of an unchecked buffer in a specific MDAC component. If an attacker were able to successfully exploit this vulnerability, it could allow them to gain control over the system and take any action that the legitimate process executing MDAC could take.
What is Microsoft Data Access Components?
Microsoft Data Access Components (MDAC) is a collection of components that make it easy for programs to access databases and to change the data within them. Modern databases may take a variety of forms (for example, SQL Server databases, Microsoft Access databases, and XML files) and may be housed in a variety of locations (for example, on the local system or on a remote database server).
MDAC provides a consolidated set of functions for working with these data sources in a consistent manner. (A good discussion of MDAC and the components that it provides is available on MSDN).
What's wrong with the affected MDAC component?
When a client machine is trying to see list of Microsoft SQL Servers residing on the network, it will send a broadcast request to all devices on the network. Due to a flaw in a specific MDAC component, an attacker could respond with a specially crafted packet causing a buffer overflow to occur.
The flaw results because the client does not appropriately validate the data that is contained in the packet.
Do I have MDAC on my system?
It is very likely that you do as MDAC is a ubiquitous technology:
- MDAC installs as part of Windows XP, Windows Millennium Edition, Windows 2000 and Windows Server 2003. (It is worth noting, though, that the version that is installed by Windows Server 2003 does not have this vulnerability.)
- MDAC is available for download from the Microsoft Web site.
- MDAC is installed by many other Microsoft applications. To name just a few cases, it's installed as part of the Windows NT 4.0 Option Pack and by both Microsoft Access and SQL Server.
- Some of the components in MDAC are included in other Microsoft technologies. For instance, Internet Explorer includes some MDAC functions.
A tool is available that can help you determine what version of MDAC is running on your system. Microsoft Knowledge Base article 307255 describes this tool and explains how to use it.
What could this vulnerability enable an attacker to do?
This vulnerability could enable an attacker to reply to a client system request with a malformed User Datagram Protocol (UDP) packet, which would cause a buffer overrun to occur.
If an attacker were to successfully exploit this vulnerability, they could take any action that they wanted to on the system that the overrun process could take.
How could an attacker exploit this vulnerability?
An attacker could seek to exploit this vulnerability by simulating a SQL server that listens on a network for a client system to request an enumeration of all systems on the specific network that are running SQL Server. By replying to that request with a specially crafted packet, an attacker could cause a buffer overrun to occur in a specific MDAC component on the client system.
What does the patch do?
This patch eliminates the vulnerability by validating that the number of bytes that are specified in the reply is of an appropriate value.
Download locations for this patch
Additional information about this patch
This patch can be installed on systems running:
- MDAC 2.5 Service Pack 2
- MDAC 2.5 Service Pack 3
- MDAC 2.6 Service Pack 2
- MDAC 2.7
- MDAC 2.7 Service Pack 1
Inclusion in future service packs:
The fix for this issue will be included in MDAC 2.5 Service Pack 5 and in MDAC 2.7 Service Pack 2.
Reboot needed: Yes
Patch can be uninstalled: No
Superseded patches: This patch supersedes the patch discussed in MS02-040.
Verifying patch installation:
- Microsoft Knowledge Base article 823718 provides a file manifest that can be used to verify the patch installation.
Localized versions of this patch are available at the locations discussed in "Patch Availability".
Obtaining other security patches:
Patches for other security issues are available from the following locations:
- Microsoft Knowledge Base article 823718 discusses this issue and will be available approximately 24 hours after the release of this bulletin. Knowledge Base articles can be found on the Microsoft Online Support web site.
- Technical support is available from Microsoft Product Support Services. There is no charge for support calls associated with security patches.
Security Resources: The Microsoft TechNet Security Web Site provides additional information about security in Microsoft products.
The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
- V1.0 (August 20, 2003): Bulletin Created.
Built at 2014-04-16T02:39:51Z-07:00