[SECURITY-L] CAIS-Alerta: Vulnerabilities in the MDAC components (832483)

Security Team - UNICAMP security em unicamp.br
Wed Jan 14 10:13:12 -02 2004


----- Forwarded message from Centro de Atendimento a Incidentes de Seguranca <cais em cais.rnp.br> -----

From: Centro de Atendimento a Incidentes de Seguranca <cais em cais.rnp.br>
Subject: CAIS-Alerta: Vulnerabilities in the MDAC components (832483)
To: rnp-alerta em cais.rnp.br, rnp-seg em cais.rnp.br
Date: Tue, 13 Jan 2004 18:25:31 -0200 (BRDT)


Dear all,

CAIS is relaying the alert published by Microsoft, "Microsoft Security
Bulletin MS04-003: Buffer Overrun in MDAC Function Could Allow Code
Execution (832483)", which describes a vulnerability identified in the
MDAC database-access components that can be exploited remotely, allowing
an attacker to execute arbitrary code.

When a client program needs to discover the list of SQL database servers
available on the network, it sends a broadcast packet requesting that list
from the whole local network. An attacker can then craft a reply packet
that exploits the vulnerability, executing malicious code in the security
context of the client program that issued the request.


Affected Systems:

	. Microsoft Data Access Components 2.5 (included with Microsoft Windows 2000)
	. Microsoft Data Access Components 2.6 (included with Microsoft SQL Server 2000)
	. Microsoft Data Access Components 2.7 (included with Microsoft Windows XP)
	. Microsoft Data Access Components 2.8 (included with Microsoft Windows Server 2003)
	. Microsoft Data Access Components 2.8 (included with Windows Server 2003 64-Bit)


Available fixes:

The fix consists of applying the patch recommended by Microsoft, available
at:


. Microsoft Data Access Components 2.5
http://www.microsoft.com/downloads/details.aspx?FamilyId=39472EE8-C14A-47B4-BFCC-87988E062D91&displaylang=en

. Microsoft Data Access Components 2.6
http://www.microsoft.com/downloads/details.aspx?FamilyId=39472EE8-C14A-47B4-BFCC-87988E062D91&displaylang=en

. Microsoft Data Access Components 2.7
http://www.microsoft.com/downloads/details.aspx?FamilyId=39472EE8-C14A-47B4-BFCC-87988E062D91&displaylang=en

. Microsoft Data Access Components 2.8 (included with Microsoft Windows Server 2003)
http://www.microsoft.com/downloads/details.aspx?FamilyId=39472EE8-C14A-47B4-BFCC-87988E062D91&displaylang=en

. Microsoft Data Access Components 2.8 (included with Windows Server 2003 64-Bit)
http://www.microsoft.com/downloads/details.aspx?FamilyId=1D93D9E4-2B22-4595-B8C5-643824857EC0&displaylang=en



Further information:

http://www.microsoft.com/technet/security/bulletin/MS04-003.asp


CVE identifier: CAN-2003-0903 (http://cve.mitre.org)


CAIS recommends that administrators of Microsoft platforms keep their
systems and applications up to date at all times.


Sincerely,

################################################################
#   CENTRO DE ATENDIMENTO A INCIDENTES DE SEGURANCA (CAIS)     #
#       Rede Nacional de Ensino e Pesquisa (RNP)               #
#                                                              #
# cais em cais.rnp.br       http://www.cais.rnp.br             #
# Tel. 019-37873300      Fax. 019-37873301                     #
# PGP key available      http://www.rnp.br/cais/cais-pgp.key   #
################################################################

Microsoft Security Bulletin MS04-003

Buffer Overrun in MDAC Function Could Allow Code Execution (832483)

Issued: January 13, 2004
Version: 1.0
Summary

Who should read this document: Customers who are using Microsoft® Windows®
Impact of vulnerability: Remote code execution
Maximum Severity Rating: Important
Recommendation: Customers should install this security update at their
earliest opportunity.
Security Update Replacement: This update replaces the one that is provided
in Microsoft Security Bulletin MS03-033.
Caveats: None

Tested Software and Security Update Download Locations:


Affected Software:

    * Microsoft Data Access Components 2.5 (included with Microsoft Windows 2000)
    * Microsoft Data Access Components 2.6 (included with Microsoft SQL Server 2000)
    * Microsoft Data Access Components 2.7 (included with Microsoft Windows XP)
    * Microsoft Data Access Components 2.8 (included with Microsoft Windows Server 2003)

      Note: The same update applies to all these versions of MDAC - Download the Update

    * Microsoft Data Access Components 2.8 (included with Windows Server 2003 64-Bit Edition) - Download the Update

The software listed above has been tested to determine if the versions are
affected. Other versions either no longer include security patch support
or may not be affected. Please review the Microsoft Support Lifecycle Web
site to determine the support lifecycle for your product and version.

Technical Details

Technical description:

Microsoft Data Access Components (MDAC) is a collection of components that
provides the underlying functionality for a number of database operations,
such as connecting to remote databases and returning data to a client.
When a client system on a network tries to see a list of computers that
are running SQL Server and that reside on the network, it sends a
broadcast request to all the devices that are on the network. Because of a
vulnerability in a specific MDAC component, an attacker could respond to
this request with a specially-crafted packet that could cause a buffer
overflow.

An attacker who successfully exploited this vulnerability could gain the
same level of privileges over the system as the program that initiated the
broadcast request. The actions an attacker could carry out would be
dependent on the permissions under which the program using MDAC ran. If
the program ran with limited privileges, an attacker would be limited
accordingly; however, if the program ran under the local system context,
the attacker would have the same level of permissions.

Since the original version of MDAC on your system may have changed from
updates available on the Microsoft Web site, we recommend using the
following tool to determine the version of MDAC you have on your system:
Microsoft Knowledge Base article 301202 "HOW TO: Check for MDAC Version"
discusses this tool and explains how to use it. Also, Microsoft Knowledge
Base article 231943 discusses the release history of the different
versions of MDAC.

Mitigating factors:

    * For an attack to be successful an attacker would have to simulate a
SQL server that is on the same IP subnet as the target system.
    * When a client system on a network tries to see a list of computers
that are running SQL Server and that reside on the network, it sends a
broadcast request to all the devices that are on the network. A target
system must initiate such a broadcast request to be vulnerable to an
attack. An attacker would have no way of launching this first step but
would have to wait for anyone to enumerate computers that are running SQL
Server on the same subnet. Also, a system is not vulnerable by having
these SQL management tools installed.
    * Code executed on the client system would only run under the
privileges of the client program that made the broadcast request.

Severity Rating:

Microsoft Data Access Components 2.5 (included with Windows 2000)          Important
Microsoft Data Access Components 2.6 (included with SQL Server 2000)       Important
Microsoft Data Access Components 2.7 (included with Windows XP)            Important
Microsoft Data Access Components 2.8 (included with Windows Server 2003)   Important

The above assessment is based on the types of systems that are affected by
the vulnerability, their typical deployment patterns, and the effect that
exploiting the vulnerability would have on them.

Vulnerability identifier: CAN-2003-0903

Workarounds

Microsoft has tested the following workarounds. These workarounds will not
correct the underlying vulnerability. However, they help block known
attack vectors. Workarounds may reduce functionality in some cases; in
such cases, the reduction in functionality is identified below.

Block UDP port 1434 from accepting inbound traffic.

Block UDP port 1434 on your system's network interface from accepting
inbound traffic. For example, to block inbound UDP 1434 traffic to this
host on a Windows 2000-based computer, type the following at the command
line:

ipsecpol -w REG -p "Block UDP 1434 Filter" -r "Block Inbound UDP 1434 Rule" -f *=0:1434:UDP -n BLOCK -x

See Microsoft Knowledge Base article 813878 "How to Block Specific Network
Protocols and Ports by Using IPSec" for more information about IPsec and
the technology that this workaround uses.

Impact of Workaround: SQL client systems would no longer be able to
initiate SQL broadcast requests. For example, tools like SQL Enterprise
Manager use broadcast requests to enumerate all SQL Server instances on a
subnet. The workaround would also prevent connections to non-default
instances of SQL Server, for example additional instances of SQL Server
that are installed on the same computer.

Frequently Asked Questions

What is the scope of the vulnerability?
This is a buffer overrun vulnerability. An attacker who successfully
exploited this vulnerability could gain the same level of privileges over
the system as the program that initiated the broadcast request. The
actions that an attacker could carry out on the system would depend on the
permissions of the user account under which the program using MDAC ran.

If the program ran with limited privileges, an attacker would be limited
accordingly. However, if the program ran under the context of Local
System, the attacker could gain the same level of permissions.

What causes the vulnerability?
The vulnerability results from an unchecked buffer in a specific MDAC
component. An attacker who successfully exploited this vulnerability could
gain control over the system and take any action that the legitimate
process executing MDAC could take.

What is Microsoft Data Access Components?
Microsoft Data Access Components (MDAC) is a collection of components that
make it easy for programs to access databases and to change the data
within them. Modern databases may take a variety of forms (for example,
SQL Server databases, Microsoft Access databases, and XML files) and may
be housed in a variety of locations (for example, on the local system or
on a remote database server).

MDAC provides a consolidated set of functions for working with these data
sources in a consistent manner. A good discussion of MDAC and the
components that it provides is available on MSDN.

Do I have MDAC on my system?
It is very likely that you do because MDAC is a ubiquitous technology:

    * MDAC installs as part of Windows 2000, SQL Server 2000, Windows XP,
and Windows Server 2003.
    * MDAC is available for download from the Microsoft Web site.
    * MDAC is installed by many other Microsoft programs. To name just a
few cases, it is installed as part of the Microsoft Windows NT 4.0 Option
Pack, Microsoft Access, and SQL Server.

A tool is available that can help you determine what version of MDAC is
running on your system. Microsoft Knowledge Base article 301202 "HOW TO:
Check for MDAC Version" describes this tool and explains how to use it.
Also, Microsoft Knowledge Base article 231943 discusses the release
history of the different versions of MDAC.

Why did Microsoft Windows Update offer me a language version of the
security update that is different from what I expected?
It is recommended, but not necessary, to install the language version of
this update that matches the language of the MDAC installation that the
customer has. Customers download this security update by using Windows
Update, and subsequently by using Microsoft Software Update Services
(SUS), based on the language version of Windows that a customer has.

A customer could have a more recent version of MDAC installed, which is
localized into a language other than the language of the instance of
Windows. For example, if a customer installs a Spanish language instance
of SQL Server on an English instance of Windows, the customer may have a
Spanish language version of MDAC installed. This is a supported
configuration for which we would recommend the Spanish language update.
Certain log entries note the disparity. If the customer prefers the
Spanish update, they should install the security update by using the
download links that are at the beginning of this security bulletin.

Note: While the installer for this security update is in English, the
security update itself is localized, and Windows Update will offer
customers an update that matches the language version of Windows they have.

What might an attacker use the vulnerability to do?
This vulnerability could enable an attacker to reply to a client system
request with a malformed User Datagram Protocol (UDP) packet, which would
cause a buffer overrun to occur. If an attacker were to successfully
exploit this vulnerability, they could take any action that they wanted to
on the system that the overrun process could take.

How could an attacker exploit this vulnerability?
An attacker could exploit this vulnerability by simulating a server
running SQL Server that listens on a network for a client system to
request an enumeration of all systems on the specific network that are
running SQL Server. By replying to that request with a specially-crafted
packet, an attacker could cause a buffer overrun to occur in a specific
MDAC component on the client system.

What does the update do?
This security update removes the vulnerability by validating that the
number of bytes that are specified in the reply is of an appropriate
value.
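Added example (not from the bulletin and not MDAC's own code): a C parser for a broadcast-enumeration reply that applies the kind of length validation the update introduces, rejecting a reply whose declared byte count exceeds either the datagram that arrived or the client's fixed buffer. The three-byte header layout, the 0x05 type byte and the 128-byte client buffer are assumptions for illustration, not the real component's format.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Capacity of the fixed client-side buffer the advertised server list is
 * copied into (assumed; the bulletin does not give the real size). */
#define SERVER_LIST_MAX 128
/* Assumed reply layout (not taken from the bulletin): one reply-type byte,
 * a 16-bit little-endian byte count, then that many payload bytes. */
#define REPLY_HDR_LEN 3

enum reply_status {
    REPLY_OK = 0,
    REPLY_TOO_SHORT,   /* datagram shorter than the header itself */
    REPLY_BAD_LENGTH,  /* declared count exceeds the bytes that arrived */
    REPLY_OVERSIZE     /* declared count would not fit the client buffer */
};

/* Hardened parser. An unchecked version would memcpy `declared` bytes
 * straight into `out`, so a reply declaring more than out_cap bytes would
 * overrun the buffer: the defect class the bulletin describes. */
enum reply_status parse_server_list_reply(const uint8_t *dgram, size_t dgram_len,
                                          char *out, size_t out_cap, size_t *out_len)
{
    if (dgram_len < REPLY_HDR_LEN)
        return REPLY_TOO_SHORT;
    size_t declared = (size_t)dgram[1] | ((size_t)dgram[2] << 8);
    if (declared > dgram_len - REPLY_HDR_LEN)   /* count vs. bytes received */
        return REPLY_BAD_LENGTH;
    if (declared >= out_cap)                    /* count vs. destination, incl. NUL */
        return REPLY_OVERSIZE;
    memcpy(out, dgram + REPLY_HDR_LEN, declared);
    out[declared] = '\0';
    *out_len = declared;
    return REPLY_OK;
}

/* Builds a constructed reply with the given declared count and actual
 * payload size (filler bytes, capped at 509) and runs it through the parser. */
enum reply_status check_sample(uint16_t declared, size_t payload_bytes)
{
    uint8_t dgram[512];
    char out[SERVER_LIST_MAX];
    size_t got = 0;
    if (payload_bytes > sizeof dgram - REPLY_HDR_LEN)
        payload_bytes = sizeof dgram - REPLY_HDR_LEN;
    dgram[0] = 0x05;                            /* constructed reply-type byte */
    dgram[1] = (uint8_t)(declared & 0xFF);
    dgram[2] = (uint8_t)(declared >> 8);
    memset(dgram + REPLY_HDR_LEN, 'A', payload_bytes);
    return parse_server_list_reply(dgram, REPLY_HDR_LEN + payload_bytes,
                                   out, sizeof out, &got);
}

int main(void)
{
    printf("honest 40-byte reply:     %d\n", check_sample(40, 40));     /* 0 */
    printf("declares 60000, sends 40: %d\n", check_sample(60000, 40));  /* 2 */
    printf("declares and sends 300:   %d\n", check_sample(300, 300));   /* 3 */
    return 0;
}
```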

Security Update Information

Installation platforms and Prerequisites:

For information about the specific security update for your platform,
click the appropriate link:

Microsoft Data Access Components (all versions)

Prerequisites

This security update requires that you have any one of the following MDAC
versions installed:

    * MDAC 2.5 Service Pack 2
    * MDAC 2.5 Service Pack 3
    * MDAC 2.6 Service Pack 2
    * MDAC 2.7
    * MDAC 2.7 Service Pack 1
    * MDAC 2.7 Service Pack 1 Refresh
    * MDAC 2.8

Inclusion in future service packs:

The fix for this issue will be included in MDAC 2.8 Service Pack 1.

Installation Information

This update supports the following Setup switches:

    /?             Displays the list of installation switches.
    /Q             Uses Quiet mode.
    /T:<full path> Specifies the temporary working folder.
    /C             Extracts files only to the folder when it is used with /T.
    /C:<Cmd>       Overrides the Install command that the author defines.
    /N             Does not display the restart dialog box.

Deployment Information

For example, the following command-line command installs the security
update without any user intervention and suppresses a restart:

<LAN>_Q832483_MDAC_X86.EXE /C:"dahotfix.exe /q /n" /q

where <LAN> is the language code; for English, for example, <LAN> is ENU.

The /q switch that is specified for Dahotfix.exe is for a silent install.
The /n switch suppresses the restart. The trailing /q switch is to also
suppress the end-user license agreement (EULA) pop-up window.

Restart Requirement

You must restart your computer after you apply this security update.

Removal Information

This security update cannot be removed after it has been installed.

File Information
The English version of this fix has the file attributes (or later) that
are listed in the following table. The dates and times for these files are
listed in coordinated universal time (UTC). When you view the file
information, it is converted to local time. To find the difference between
UTC and local time, use the Time Zone tab in the Date and Time tool in
Control Panel.

MDAC 2.5 Service Pack 2:
Date Time Version Size File Name
29-Oct-2003 02:20 3.520.6101.0 212,992 Odbc32.dll
28-Oct-2003 21:44 3.70.11.46 24,848 Odbcbcp.dll
28-Oct-2003 00:06 3.520.6101.0 102,672 Odbccp32.dll
28-Oct-2003 21:44 3.70.11.46 524,560 Sqlsrv32.dll

MDAC 2.5 Service Pack 3:
Date Time Version Size File Name
29-Oct-2003 02:24 3.520.6301.0 212,992 Odbc32.dll
28-Oct-2003 21:44 3.70.11.46 24,848 Odbcbcp.dll
28-Oct-2003 01:08 3.520.6301.0 102,672 Odbccp32.dll
28-Oct-2003 21:44 3.70.11.46 524,560 Sqlsrv32.dll

MDAC 2.6 Service Pack 2:
Date Time Version Size File Name
28-Oct-2003 17:22 2000.80.747.0 86,588 Dbnetlib.dll
29-Oct-2003 02:35 3.520.7502.0 417,792 Odbc32.dll
28-Oct-2003 17:22 2000.80.747.0 29,252 Odbcbcp.dll
29-Oct-2003 02:34 3.520.7502.0 217,088 Odbccp32.dll
28-Oct-2003 17:22 2000.80.747.0 479,800 Sqloledb.dll
28-Oct-2003 17:22 2000.80.747.0 455,236 Sqlsrv32.dll

MDAC 2.7
Date Time Version Size File Name
28-Oct-2003 05:09 2000.81.9002.0 61,440 Dbnetlib.dll
28-Oct-2003 05:05 3.520.9002.0 204,800 Odbc32.dll
28-Oct-2003 05:10 2000.81.9002.0 24,576 Odbcbcp.dll
28-Oct-2003 05:09 3.520.9002.0 94,208 Odbccp32.dll
28-Oct-2003 05:06 2.70.9002.0 413,696 Oledb32.dll
28-Oct-2003 05:09 2000.81.9002.0 450,560 Sqloledb.dll
28-Oct-2003 05:09 2000.81.9002.0 356,352 Sqlsrv32.dll

MDAC 2.7 Service Pack 1 or MDAC 2.7 Service Pack 1 Refresh:
Date Time Version Size File Name
28-Oct-2003 04:12 2000.81.9042.0 61,440 Dbnetlib.dll
28-Oct-2003 04:09 2.71.9042.0 126,976 Msdart.dll
28-Oct-2003 04:09 3.520.9042.0 204,800 Odbc32.dll
28-Oct-2003 04:13 2000.81.9042.0 24,576 Odbcbcp.dll
28-Oct-2003 04:13 3.520.9042.0 98,304 Odbccp32.dll
28-Oct-2003 04:10 2.71.9042.0 417,792 Oledb32.dll
28-Oct-2003 04:12 2000.81.9042.0 471,040 Sqloledb.dll
28-Oct-2003 04:12 2000.81.9042.0 385,024 Sqlsrv32.dll

MDAC 2.8:
Date Time Version Size File Name
12-Dec-2003 23:40 2000.85.1025.0 24,576 Odbcbcp.dll
19-Nov-2003 00:38 2000.85.1025.0 401,408 Sqlsrv32.dll

MDAC 2.8 for Windows Server 2003 64-Bit Edition:
Date Time Version Size File Name
15-Dec-2003 18:51 2000.85.1025.0 49,152 Odbcbcp.dll
15-Dec-2003 18:52 2000.85.1025.0 978,944 Sqlsrv32.dll

Verifying Update Installation

To verify that the security update is installed on your computer, check
the file manifests that are listed in this bulletin and make sure that you
have the correct versions of the files.
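Added example, not part of the bulletin: a C routine that checks observed file versions against the MDAC 2.7 SP1 / SP1 Refresh manifest above, treating each listed version as a minimum ("or later") and comparing the dotted fields numerically rather than as strings. The versions in SAMPLE_HOST are a constructed sample, and compare_versions, name_eq and count_unpatched are names chosen here.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
/* One row of the bulletin's manifest (file, minimum version) and the rows
 * for MDAC 2.7 SP1 / SP1 Refresh, copied from the bulletin's table. */
struct manifest_row { const char *file; const char *min_version; };
static const struct manifest_row MDAC27_SP1[] = {
    { "Dbnetlib.dll", "2000.81.9042.0" }, { "Msdart.dll",   "2.71.9042.0" },
    { "Odbc32.dll",   "3.520.9042.0" },   { "Odbcbcp.dll",  "2000.81.9042.0" },
    { "Odbccp32.dll", "3.520.9042.0" },   { "Oledb32.dll",  "2.71.9042.0" },
    { "Sqloledb.dll", "2000.81.9042.0" }, { "Sqlsrv32.dll", "2000.81.9042.0" },
};

/* Versions as observed on a host: a constructed sample for the example. In
 * practice these come from each DLL's version resource. */
struct observed_file { const char *file; const char *version; };
static const struct observed_file SAMPLE_HOST[] = {
    { "dbnetlib.dll", "2000.81.9042.0" }, { "odbc32.dll",   "3.520.9042.0" },
    { "odbcbcp.dll",  "2000.81.9042.0" }, { "odbccp32.dll", "3.520.9042.0" },
    { "oledb32.dll",  "2.71.9042.0" },    { "sqloledb.dll", "2000.81.9042.0" },
    { "sqlsrv32.dll", "2000.81.9002.0" }, /* pre-update build; msdart.dll absent */
};

/* Numeric field-by-field comparison of "a.b.c.d" strings: -1, 0 or 1 (missing
 * fields count as 0). A string compare would rank 3.520.9042.0 above 3.520.10000.0. */
int compare_versions(const char *a, const char *b)
{
    unsigned va[4] = {0}, vb[4] = {0};
    sscanf(a, "%u.%u.%u.%u", &va[0], &va[1], &va[2], &va[3]);
    sscanf(b, "%u.%u.%u.%u", &vb[0], &vb[1], &vb[2], &vb[3]);
    for (int i = 0; i < 4; i++)
        if (va[i] != vb[i])
            return va[i] < vb[i] ? -1 : 1;
    return 0;
}

static int name_eq(const char *a, const char *b)   /* Windows names: case-insensitive */
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
    return *a == *b;
}

/* Counts manifest files that are missing from the host or older than the
 * bulletin's minimum version; 0 means every listed file is at or above it. */
int count_unpatched(const struct manifest_row *man, size_t n_man,
                    const struct observed_file *obs, size_t n_obs)
{
    int bad = 0;
    for (size_t i = 0; i < n_man; i++) {
        const char *seen = NULL;
        for (size_t j = 0; j < n_obs; j++)
            if (name_eq(man[i].file, obs[j].file)) { seen = obs[j].version; break; }
        if (!seen || compare_versions(seen, man[i].min_version) < 0)
            bad++;
    }
    return bad;
}
int sample_host_unpatched(void)
{
    return count_unpatched(MDAC27_SP1, sizeof MDAC27_SP1 / sizeof MDAC27_SP1[0],
                           SAMPLE_HOST, sizeof SAMPLE_HOST / sizeof SAMPLE_HOST[0]);
}
```

On the constructed sample the check reports two problems: Sqlsrv32.dll is still the 9002 build and Msdart.dll is absent.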

You may also be able to verify that this security update is installed by
reviewing the following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\DataAccess\Q832483

For the Microsoft Data Access Components 2.8 that shipped in Windows
Server 2003 64-Bit Edition you can verify that this security update is
installed by reviewing the following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\HotFix\KB832483

Note These registry keys may not be created correctly if an
administrator or an OEM integrates or slipstreams the 832483 security
update into the Windows installation source files.

Obtaining other security updates:

Updates for other security issues are available from the following
locations:

    * Security updates are available from the Microsoft Download Center,
and can be most easily found by doing a keyword search for
"security_patch".
    * Updates for consumer platforms are available from the WindowsUpdate
Web site.

Support:

    * Technical support is available from Microsoft Product Support
Services at 1-866-PCSAFETY for customers in the U.S. and Canada. There is
no charge for support calls that are associated with security updates.
    * International customers can get support from their local Microsoft
subsidiaries. There is no charge for support associated with security
updates. Information on how to contact Microsoft support is available at
the International Support Web Site.

Security Resources:

    * The Microsoft TechNet Security Web Site provides additional
information about security in Microsoft products.
    * Microsoft Software Update Services
    * Microsoft Baseline Security Analyzer (MBSA): Please view Knowledge
Base Article 306460 for list of security updates that have detection
limitations with the MBSA tool.
    * Windows Update
    * Windows Update Catalog: Please view Knowledge Base Article 323166
for more information on the Windows Update Catalog.
    * Office Update

Software Update Services (SUS):

Microsoft Software Update Services (SUS) enables administrators to quickly
and reliably deploy the latest critical updates and security updates to
Windows® 2000 and Windows Server™ 2003-based servers, as well as to
desktop computers running Windows 2000 Professional or Windows XP
Professional.

For information about how to deploy this security update with Software
Update Services, visit the Software Update Services Web site.

Systems Management Server (SMS):

Systems Management Server can provide assistance deploying this security
update. For information about Systems Management Server visit the SMS Web
Site.

Disclaimer:
The information provided in the Microsoft Knowledge Base is provided "as
is" without warranty of any kind. Microsoft disclaims all warranties,
either express or implied, including the warranties of merchantability and
fitness for a particular purpose. In no event shall Microsoft Corporation
or its suppliers be liable for any damages whatsoever including direct,
indirect, incidental, consequential, loss of business profits or special
damages, even if Microsoft Corporation or its suppliers have been advised
of the possibility of such damages. Some states do not allow the exclusion
or limitation of liability for consequential or incidental damages so the
foregoing limitation may not apply.

Revisions:

    * V1.0 January 13, 2004: Bulletin published




----- End forwarded message -----