Unauthorized ODBC Access via RDS and IIS
According to the notice issued by Microsoft, "a web client connecting to an IIS server can use the RDS DataFactory object (installed with NT Option Pack) to direct that server to access data using an installed OLE DB provider. This includes executing SQL calls to ODBC-compliant databases using the ODBC drivers installed on the server."
"A web-client could issue a SQL command along with the name or IP address of a remote SQL server, a SQL account and password, database name, and a SQL query string. If the request is valid (remote server is reachable by the IIS server, user account and password are correct, database name is valid), the query results will be sent via HTTP back to the client. While it is true that this requires significant inside information, the potential accessibility of this information should not be underestimated..."
The problem is compounded when other software is installed, such as the Microsoft DataShape Provider and the Microsoft JET OLE DB provider (included with MDAC 2.0 in Visual Studio 98), because these providers allow shell commands to be executed -- we're certain you get the gist of this implication...
SOLUTION
Consider disabling the implicit remoting functionality in the DataFactory object -- it's dangerous. To do so, remove the following Registry keys:
Additionally, the NT Resource Kit includes the utility DELREG.EXE, which can be used to remove the above-mentioned keys.
See Microsoft's Knowledge Base article Q184375 for the security implications of RDS 1.5, IIS 4.0, and ODBC.
To learn more about NT Security concerns, subscribe to NTSD
Credits
- Originally reported on Microsoft's Security site
Posted on The NT Shop on July 15, 1998