From: rfp@WIRETRIP.NET
Sent: Wednesday, September 22, 1999 2:08 AM
To: BUGTRAQ@SECURITYFOCUS.COM
Subject: Update to ODBC/RDS vulnerabilities

Hello all,

It's been a while since I've posted anything, and I promise it will be short this time. ;)

Microsoft has released a patched Jet ODBC engine that will fix the ODBC problem as well as Mr. Cuartango's Excel vulnerabilities. Basically, this is a 3.51 engine retrofitted with a 'sandbox' restriction controlled by the following registry key:

\\HKLM\Software\Microsoft\Jet\3.5\Engines\SandboxMode

Also, as for the RDS problem, they recommended implementing custom handlers to limit invocation of the RDS component to legit uses. Custom handler support is controlled by the following registry key:

\\HKLM\Software\Microsoft\DataFactory\HandlerInfo\handlerRequired

Now, perhaps it's just me, but on three different NT boxes I have, which are various SP3 and SP5 combos on NT4, with the patches installed as administrator, the permissions on these registry keys are Everyone -> Special Access, which includes Set Value. This basically means domain users can remotely disable the handler and sandbox restrictions by changing the values of these keys. Hmmm. I've tested this, and it worked as expected.

Also, Mnemonix pointed out an interesting aspect which I overlooked for the RDS vulnerability that really makes it more evil. The current limitation to the RDS exploit is that it requires a local file to 'attach' to, specifically a .mdb. Well, you can use UNC addresses for this file, so if you set up a Windows share on the Internet, you can request your file off that, therefore bypassing the need for a local file. I've tested this, and it works as well.

I am finishing updates to my RDS exploit program, which I'll probably release in the next week. It will implement all of this, plus clean up the code a bit.

Also, I wanted to point out an omission of credit in the RDS advisory. Matthew Astley, who I co-wrote the May 25th advisory with the original ODBC info, should have been given credit as well for the ODBC/Jet pipe problem. Apologies to Matthew.

.rain.forest.puppy.

--------------------------------------------------------------------------
If I had a signoff banner, it would be here. But I don't, so I'll fake it
--------------------------------------------------------------------------
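An added audit script, not part of rfp's post, for the weakness he describes: it reads the current SandboxMode and handlerRequired values and reports any broad principal (Everyone, Users, Authenticated Users) whose allow ACE on the parent key includes Set Value, Change Permissions or Take Ownership. It assumes Windows PowerShell 5.1 or later and that the two keys exist on the host; the list of "broad" principals is an assumption, not something the post enumerates.

```powershell
# Added example (not rfp's code): audit who can rewrite the Jet sandbox and
# RDS handler settings. The post names the values; the ACL lives on the key.
$targets = @(
    @{ Key = 'HKLM:\Software\Microsoft\Jet\3.5\Engines';         Value = 'SandboxMode' },
    @{ Key = 'HKLM:\Software\Microsoft\DataFactory\HandlerInfo'; Value = 'handlerRequired' }
)

# Assumed list of principals that should never be able to change these keys.
$broadPrincipals = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users')

function Test-JetRdsKeyAcl {
    param(
        [hashtable[]] $Targets = $targets,
        [string[]]    $BroadPrincipals = $broadPrincipals
    )
    # Rights that let a principal rewrite the value, directly or by first
    # granting themselves the right ("Set Value" in regedt32 is SetValue here).
    $riskyRights = [System.Security.AccessControl.RegistryRights]::SetValue -bor
                   [System.Security.AccessControl.RegistryRights]::ChangePermissions -bor
                   [System.Security.AccessControl.RegistryRights]::TakeOwnership

    foreach ($t in $Targets) {
        if (-not (Test-Path -Path $t.Key)) {
            Write-Warning "$($t.Key) not present (patch not installed?)"
            continue
        }
        $props   = Get-ItemProperty -Path $t.Key -ErrorAction SilentlyContinue
        $current = if ($props -and $props.PSObject.Properties[$t.Value]) { $props.($t.Value) } else { '<unset>' }

        foreach ($ace in (Get-Acl -Path $t.Key).Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            $who = $ace.IdentityReference.Value
            if ($BroadPrincipals -notcontains $who) { continue }

            $canRewrite = (([int]$ace.RegistryRights) -band ([int]$riskyRights)) -ne 0
            $finding = if ($canRewrite) { 'WRITABLE by broad principal' } else { 'read-only' }
            [pscustomobject]@{
                Key       = $t.Key
                Value     = $t.Value
                Current   = $current
                Principal = $who
                Rights    = $ace.RegistryRights
                Finding   = $finding
            }
        }
    }
}

Test-JetRdsKeyAcl | Format-Table -AutoSize
```

Any row marked WRITABLE reproduces the condition in the post: a non-administrator can flip the value and silently undo the patch, so the ACE should be reduced to read access and the keys watched for changes.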