Sunday, 3 February 2013

RDS Exploit History


The RDS exploit against the Microsoft IIS web server is a classic example of
a widely publicized script that led to attacks on, and compromise of,
multiple large, medium and small company sites. Although the
advisory and exploits date to July 1998, with updates the following July,
systems installed out of the box are still susceptible, reiterating the
importance of always applying the latest OS and vendor patches.
Indeed, in recent ISS security assessments, systems vulnerable to this
attack have still been found.
Overview
The RDS exploit relies on a combination of inadequate application input
validation and an insecure default installation (misconfiguration).
The Microsoft Data Access Components (MDAC) package contains a
component called the RDS DataFactory. If it is installed on IIS 3.0 or 4.0
together with the sample pages, this component may allow an
unauthorized, unauthenticated user to execute arbitrary, privileged
commands on the system.
Rain Forest Puppy analyzed the announcements by Russ Cooper and
Greg Gonzalez and researched how this exploit might be achieved.
There are two RFP RDS exploits:
• msadc.pl
• msadc2.pl
Both attempt to open a connection to a Data Source Name (DSN) through
which the commands are executed. The three steps below show the process
undertaken; each step is attempted only if the preceding one fails.
• An attempt is made to connect through a known sample database
(btcustomr.mdb).
• Next, the script tries to create a DSN using the makedsn.exe utility.
• Finally, brute-force and then dictionary attacks are attempted against
DSN and .mdb file names.
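From the defender's side, the three stages above leave a recognisable footprint in the web server log: every stage goes through the RDS endpoint, and the final guessing stage produces a burst of requests from one client. The following detector is an added example, not code from the original post or from RFP's scripts; it assumes IIS W3C extended logs with the fields date, time, c-ip, cs-method, cs-uri-stem and sc-status, that the RDS component is reached under the /msadc/ virtual directory, and an illustrative burst threshold.

```python
# Added example (not from the original post). Assumes IIS W3C extended
# logs with fields: date time c-ip cs-method cs-uri-stem sc-status.
# The /msadc/ prefix and burst threshold are illustrative assumptions.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real traffic): one client hammers the RDS
# endpoint, as the DSN/.mdb guessing stage would; another touches it once.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem sc-status
1999-07-20 10:15:01 192.0.2.10 GET /default.htm 200
1999-07-20 10:15:05 192.0.2.10 POST /msadc/msadcs.dll 200
1999-07-20 10:15:06 192.0.2.10 POST /msadc/msadcs.dll 500
1999-07-20 10:15:07 192.0.2.10 POST /msadc/msadcs.dll 500
1999-07-20 10:15:08 192.0.2.10 POST /msadc/msadcs.dll 500
1999-07-20 10:15:09 192.0.2.10 POST /msadc/msadcs.dll 500
1999-07-20 10:16:00 198.51.100.7 GET /msadc/msadcs.dll 200
"""

RDS_PREFIX = "/msadc/"          # assumed: default MDAC virtual directory
BURST_COUNT = 5                 # assumed: hits within BURST_WINDOW => guessing
BURST_WINDOW = timedelta(seconds=60)


def parse_w3c(text):
    """Yield (timestamp, client_ip, method, uri, status) for each data line."""
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        date, time, ip, method, uri, status = line.split()
        yield datetime.fromisoformat(f"{date} {time}"), ip, method, uri, int(status)


def detect_rds_probes(text):
    """Return {ip: {"hits": n, "burst": bool}} for clients touching RDS_PREFIX.

    "burst" is True when BURST_COUNT hits fall within BURST_WINDOW, the
    signature of the brute-force/dictionary stage rather than a single probe.
    """
    times = defaultdict(list)
    for ts, ip, _method, uri, _status in parse_w3c(text):
        if uri.lower().startswith(RDS_PREFIX):
            times[ip].append(ts)
    report = {}
    for ip, stamps in times.items():
        stamps.sort()
        burst = any(stamps[i + BURST_COUNT - 1] - stamps[i] <= BURST_WINDOW
                    for i in range(len(stamps) - BURST_COUNT + 1))
        report[ip] = {"hits": len(stamps), "burst": burst}
    return report
```

Any hit on the RDS path from the Internet is worth a look on a server that has no business exposing the DataFactory; the burst flag separates a single scanner probe from the guessing stage. Removing the sample pages and the RDS component, as the page's advice on patching implies, removes the footprint altogether.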
