MCI Telecommunications
internetMCI Security Group

Report Title:         iMCI MIIGS Security Alert
Report Name:          Unauthorized ODBC Data Access with RDS and IIS
Report Number:        iMCISE:IMCIMS:071598:01:P1R1
Report Date:          07/15/98
Report Format:        Formal Report
Classification:       MCI Informational
Report Reference:     http://www.security.mci.net
Report Distribution:  iMCI Security, MCI Internal Internet Gateway Security (MIIGS),
                      MCI Emergency Alert LiSt (MEALS) (names on file)

--------------------------------------------------------------------------

Microsoft Security Bulletin (MS98-004)
------------------------------------------------------------------------

Unauthorized ODBC Data Access with RDS and IIS

Last Revision: July 14, 1998

Summary
=======

Remote Data Service (RDS) is a component of Microsoft Data Access Components (MDAC), which is installed by default when Microsoft(r) Internet Information Server (IIS) 4.0 is installed via the Windows NT(r) Option Pack. The goal of the RDS component is to enable controlled Internet access to remote data resources through the Internet Information Server. However, because the RDS DataFactory (a single component of RDS) allows implicit remoting of data access requests by default, it can be exploited to allow unauthorized Internet clients to access OLE DB data sources available to the server. The implicit remoting function of RDS 1.5 via the DataFactory component should be disabled.

The purpose of this bulletin is to inform Microsoft customers of this issue, its applicability to Microsoft products, and the availability of countermeasures Microsoft has developed to further secure its customers.

This problem was discovered by the Microsoft development team and documented in Microsoft Knowledge Base article Q184375 on April 22, 1998.

Issue
=====

A web client connecting to an IIS server can use the RDS DataFactory object to direct that server to access data using an installed OLE DB provider.
This includes executing SQL calls to ODBC-compliant databases using the ODBC drivers installed on the server. For example, a web client could issue a SQL command along with the name or IP address of a remote SQL server, a SQL account and password, a database name, and a SQL query string. If the request is valid (the remote server is reachable by the IIS server, the user account and password are correct, the database name is valid), the query results are sent via HTTP back to the client. Note that it is the IIS server, not the client, that opens the database connection: a database that is reachable only from the web server (for example, one on an internal network segment) therefore becomes reachable from any Internet client. While it is true that this requires significant inside information, the potential accessibility of this information should not be underestimated, as organizations that don't follow good security practices could have blank or easy-to-guess passwords on their SQL administrator accounts.

The RDS DataFactory object, along with other installed ODBC drivers, opens other possibilities, including possible access to non-published files on the IIS server.

The vulnerability caused by the DataFactory is even greater if some newer OLE DB providers are installed on the server. "Microsoft DataShape Provider" and "Microsoft JET OLE DB provider" (which ship with MDAC 2.0 in Visual Studio 98) allow shell commands to be executed. If the DataFactory is enabled on such a server, Internet clients can use these providers to execute shell commands, which can potentially bring down the server or otherwise severely affect its performance. Denial of service is only the most visible consequence; the commands run in the security context of the web server process, so this amounts to remote command execution on the server.

Affected Software Versions
==========================

- Microsoft Internet Information Server version 4.0
- Microsoft Remote Data Services version 1.5
- Microsoft Visual Studio version 6.0

What Microsoft is Doing
=======================

The Microsoft Product Security Response Team has produced a set of guidelines and scripts to assist customers in disabling the implicit remoting functionality of RDS via the DataFactory object. Microsoft strongly recommends that all customers using IIS with OLE DB or ODBC drivers installed take the actions described below.
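Before or after applying the countermeasures below, an operator will want to know whether the implicit remoting described in the Issue section has already been exercised from the Internet. The following script is added here as an example; it is not part of the MCI report or the Microsoft bulletin. It assumes two things the bulletin does not state: that RDS remoting requests from a web client arrive at IIS as POST requests to the msadcs.dll ISAPI extension under the /msadc virtual directory, and that the server writes W3C extended format logs with a "#Fields:" directive naming the columns. The log lines in SAMPLE_LOG are constructed for the example.

```python
"""Find RDS DataFactory requests in IIS W3C extended log lines.

Added example, not part of the MCI report or the Microsoft bulletin.
Assumed (not stated in the bulletin): RDS remoting calls reach IIS as
POSTs to /msadc/msadcs.dll, and the log carries a #Fields: directive.
SAMPLE_LOG is constructed for this example.
"""
import re
from collections import Counter

# Server-side RDS entry point (assumed path; the bulletin does not name it).
# Matched case-insensitively because IIS URL paths are case-insensitive.
RDS_ENDPOINT = re.compile(r"/msadc/msadcs\.dll$", re.IGNORECASE)

SAMPLE_LOG = """\
#Software: Microsoft Internet Information Server 4.0
#Version: 1.0
#Date: 1998-07-15 09:00:00
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
1998-07-15 09:12:01 10.1.2.3 GET /default.asp - 200
1998-07-15 09:12:07 192.0.2.44 POST /msadc/msadcs.dll - 200
1998-07-15 09:12:09 192.0.2.44 POST /MSADC/msadcs.dll - 200
1998-07-15 09:12:11 10.1.2.3 GET /msadc/msadcs.dll - 200
1998-07-15 09:15:02 10.1.2.3 GET /images/logo.gif - 200
"""


def parse_w3c(text):
    """Yield one dict per log record, keyed by the column names from the
    most recent #Fields: directive.  Lines starting with '#' are directives,
    not records.  A record whose token count does not match the directive is
    skipped rather than mis-aligned against the wrong columns."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("log record precedes the #Fields: directive")
        values = line.split()
        if len(values) != len(fields):
            continue
        yield dict(zip(fields, values))


def find_rds_requests(text):
    """Return every record that touches the RDS endpoint, tagged 'call' for
    a POST (the method RDS clients use to remote DataFactory requests) or
    'probe' for any other method (e.g. a scanner checking the extension
    exists)."""
    hits = []
    for rec in parse_w3c(text):
        if not RDS_ENDPOINT.search(rec.get("cs-uri-stem", "")):
            continue
        kind = "call" if rec.get("cs-method", "").upper() == "POST" else "probe"
        hits.append({**rec, "kind": kind})
    return hits


def summarize(hits):
    """Count hits per (client address, kind) so a reviewer sees which
    clients actually remoted DataFactory calls and which only probed."""
    return Counter((h["c-ip"], h["kind"]) for h in hits)


if __name__ == "__main__":
    found = find_rds_requests(SAMPLE_LOG)
    for (client, kind), n in sorted(summarize(found).items()):
        print(f"{client:<16} {kind:<6} {n}")
```

On a server where no application intentionally uses RDS, any "call" entry is a finding; on one that does, compare the client addresses against the clients that are expected to use it. The log does not carry the request body, so the connection string and query the client sent cannot be recovered from it; the fact of the call, its source address and its timing can.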
What customers should do
========================

If you don't intentionally use the implicit remoting functionality in the DataFactory object, you should disable it. Please note that you can still use RDS to invoke Business Objects on the server, but an administrator must explicitly enable access to these objects by inserting keys for them in the registry. Any pages or applications that rely on RDS's DataControl or DataFactory components will not work after this.

Removing Implicit DataFactory Functionality:

If the following registry entries are removed from the server hosting IIS, then the implicit remoting functionality (via DataFactory) of RDS will be disabled. These keys can be removed using the Registry Editor (REGEDT32.EXE), or other tools for manipulating the registry.

- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\ADCLaunch\RDSServer.DataFactory
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\ADCLaunch\AdvancedDataFactory
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\ADCLaunch\VbBusObj.VbBusObjCls

Each subkey under ADCLaunch names a COM object that the RDS server will create on behalf of any remote client, so the presence of the key is the only access control on that object. While removing the three keys above, review the remaining entries under ADCLaunch and remove any that your applications do not need (VbBusObj.VbBusObjCls is a sample business object, not something a production site depends on).

ASP pages that depend only on ADO for database connectivity will continue to function. However, the benefits section of the IIS4 sample site, Exploration Air, may not function correctly after this change is made.

Using the REGDEL.EXE utility to remove DataFactory functionality
================================================================

Note: REGDEL.EXE is a tool available as part of the Windows NT Resource Kit utilities that can be used to delete registry entries from the command line.

Copy the following text into a .BAT file (e.g. c:\dfremove.bat) and run the batch file on machines on which you want to remove the RDS components.
------------------------------------------------------------------------
@ECHO OFF
REM Batch file to remove RDS components
REM Make sure that REGDEL.EXE from the Resource Kit is in your PATH
set rkey=HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC
REGDEL "%rkey%\Parameters\ADCLaunch\RDSServer.DataFactory"
REGDEL "%rkey%\Parameters\ADCLaunch\AdvancedDataFactory"
REGDEL "%rkey%\Parameters\ADCLaunch\VbBusObj.VbBusObjCls"
Echo RDS Keys Removed
------------------------------------------------------------------------

The final Echo runs whether or not the three deletions succeeded, so confirm the result by inspecting the ADCLaunch key with REGEDT32.EXE rather than relying on that message.

More Information
================

RDS 2.0, which ships with Microsoft Visual Studio 6.0, allows server administrators to use customized handlers for requests to the RDS server. Using customized handlers, administrators can intercept all requests and responses to and from the RDS server. RDS 2.0 also ships a default customization handler which is driven by information in an INI file installed on the server. This default handler can be used to modify SQL and connection strings received from the client, so that the client can only select from connection strings and queries the administrator has defined rather than supplying its own. RDS 2.0 is part of MDAC 2.0, which ships with Visual Studio 98 (the marketing name of Visual Studio 6.0).

NOTE: Upgrading to RDS 2.0 will not automatically solve the problem -- you must configure RDS according to your security needs. In particular, the handler restricts nothing unless RDS is configured to require it for every request. Please refer to the RDS 2.0 documentation for details on how to configure the default INI file, how to make the handler mandatory, or how to write your own customization handler.

Additional References
=====================

Please see the following references for more information related to this issue.
- Microsoft Security Bulletin MS98-004, Unauthorized ODBC Data Access with RDS and IIS (the web-posted version of this bulletin), http://www.microsoft.com/security/bulletins/ms98-004.htm
- Microsoft Knowledge Base article Q184375, Security Implications of RDS 1.5, IIS 4.0, and ODBC, http://support.microsoft.com/support/kb/articles/q184/3/75.asp
- Microsoft Universal Data Access web site, http://www.microsoft.com/data

Revisions
=========

- July 14, 1998: Bulletin Created

For additional security-related information about Microsoft products, please visit http://www.microsoft.com/security

------------------------------------------------------------------------

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.

(c) 1998 Microsoft and/or its suppliers. All rights reserved. For Terms of Use see http://support.microsoft.com/support/misc/cpyright.asp.

=====================================================

You have received this e-mail bulletin as a result of your registration to the Microsoft Product Security Notification Service. You may unsubscribe from this e-mail notification service at any time by sending an e-mail to MICROSOFT_SECURITY-SIGNOFF-REQUEST@ANNOUNCE.MICROSOFT.COM. The subject line and message body are not used in processing the request, and can be anything you like.
For more information on the Microsoft Security Notification Service, please visit http://www.microsoft.com/security/bulletin.htm.

For security-related information about Microsoft products, please visit the Microsoft Security Advisor web site at http://www.microsoft.com/security.