How to completely protect your site from the threat of RDS attacks

Source: Internet
Author: User
Tags anonymous delete key iis implement modify odbc
Attack


http://www.wiretrip.net/rfp/
Related content:
-1. Problem
-2. Solving method
-3. Situation
-4. All related Resources

If you don't have time to read this article, all you have to do is delete the file:

?:\ Program Files\Common Files\system\msadc\msadcs.dll

The most rapid and thorough cancellation of support for RDS. (But if you really need RDS, then you'd better read it)
----------------------------------------------------------------------
-

----[1. Question
RDS attacks are not a simple problem, although IIS 4.0 has many different security vulnerabilities,
But Microsoft has never released so many patches for the same security vulnerability, and has released three different patches, but there are still problems with RDS.
So what we need is real mastery of what is RDS. And then you'll know how to fix it yourself.
This problem. The problem is fundamentally due to the fact that Jet 3.5 allows for invoking the VBA shell () function.
The function allows you to execute the shell command, and the specific process I would like to give is not described in detail.
The problem now is that IIS 4.0 is installed with MDAC 1.5 by default, and it contains RDS.
This allows remote access to the ODBC component through a browser, with the specific implementation of a bit
In/msadc/msadcs.dll
The specific DLL file that you want to implement. Now you should be able to understand that the problem is actually made up of two parts. There's actually a "third party" that follows the example program component Vbbusobj that accompanies the RDS SDK package installation, which allows you to
Spare those that are already installed in the Microsoft release of the RDS patch.
Detailed solution descriptions are presented below for each of the above three scenarios.

----[2. Solution
The problem is that there are a number of ways to solve them, and they can be used in different combinations.
Try to describe the details here.
-Solution #1: Remove cmd.exe (Ulg recommended Patch method)
Http://www.aviary-mag.com/News/Powerful_Exploit/ULG_Fix/ulg_fix.html

I recommend ULG Solutions, although there are still problems with this approach. Because although mdac.pl is using the
Cmd.exe
To realize the RDS attack, but, you know,
Cmd. EXE is not the only way to implement the RDS attack method


-Solution #2: Upgrading MDAC 1.5 to 2.0

MDAC 2.0 upgrades Jet 3.5 to Jet 3.52. However, there is still a problem with the VBA shell () attack (which happens to be
Conditions for RDS attacks, and is supported by default for use with RDS. In fact, if you remove the RDS system or reinstall it, some of the things you should be aware of are:

* The default jet engine becomes 3.52 (still has a security vulnerability)
* Allow custom processing (can resolve anonymous RDS usage issues)
* Generate microsoft.jet.oledb.3.51* provide
Note This workaround, and its default settings are not very good. You need to modify the registry to restrict customization by using RDS processing. The location in the registry is:
Hkey_local_machine\software\microsoft\datafactory\handlerinfo\

Keyname:handlerrequired
Value:dword:1 (SAFE) or 0 (unsafe)
The recommendation is to change its value to 1. This is actually done using the patch ' Handsafe.exe/.reg ' provided by Microsoft.
Now, you can protect your system from remote RDS attacks, but you still have the possibility of being attacked by ODBC other ways,
Includes Excel, Word, and access Trojan files. So there are some drawbacks to this solution.

-Solution #3: Upgrade your MDAC 1.5 to 2.1

MDAC 2.1 Upgrades Jet 3.5 to the Jet 4.0 engine, which does not have an RDS attack security vulnerability.
But it also confirms an immutable rule that the more secure it is, the worse its compatibility can be,
Because there is too much difference between 3.5 and 4.0, many people are unwilling to upgrade for these compatibility features.
Because many of the programs that are now in use will be completely out of use once they are upgraded. Specific details are:

* The default database engine is Jet 4.0 (without this security vulnerability)
* Support custom processing (you can disable the use of RDS anonymously)

However, custom processing is not used in the default case. You also need to modify the registry as above.

-Solution #4: Upgrade your MDAC 1.5 to 2.0 and then 2.1
Now, if you are a good administrator, you should make sure you upgrade your system all the time. If you are constantly upgrading, you should follow the order of escalation. Although again you need to modify the registry so that
Can ' handlerrequired '
, it also uses 2.1 of Jet 4.0 (no vulnerabilities) as the default database engine. But since you are through
Since 2. 0 upgrades, so you will have microsoft.jet.oledb.3.51.
This means that your application (including RDS) to the database can be logged. And those
The older version of OLE DB is not achievable.
You should remove the old hooks/providers values from the registration form. One method is to delete the following key value entry:
hkey_classes_root\microsoft.jet.oledb.3.51
Hkey_classes_root\microsoft.jet.oledb.3.51errors
However, the problem you still have to face is compatibility performance issues.

-Solution #5: Install JetCopkg.exe (see Microsoft Release security Bulletin ms99-030)

JetCopkg.exe is a modified Jet 3.5 engine that enhances more security features to prevent attacks.
It is primarily a modification of the following key values in the registry:
Hkey_local_machine\software\microsoft\jet\3.5\engines\sandboxmode
Its value is as follows:
0 forbid everything
1 makes access accessible, but prohibits other
2 disables access, but enables other
3 Enable everything

(Detailed explanations can refer to
http://support.microsoft.com/support/kb/articles/q239/1/04.asp)
It is important to note that the default permission to modify key values is not secure. You must only be able to give permission to the
Account to be able to modify the key value. Otherwise, the key value can cause a lot of security risks. Remember, remember.
All attacks on RDS can be turned down as long as the key value is 2 or 3. So this solution is the best.
And because it still uses the Jet 3.5 engine, you don't have to worry about compatibility performance issues. And at the same time you can still
With RDS, although it is no longer possible to use RDS to attack, the question is whether the anonymous use of RDS or the information in your database will be
Leaked out. So you need to have a deeper programming base for RDS, and I can recommend that you disable RDS or upgrade ODBC to
MDAC 2.0 so you can deny access to anonymous users by allowing only those with permission to use RDS.

-Solution #6: Remove/disable RDS features
This is the method I mentioned at the beginning of this article, delete the following file:
?:\ Program Files\Common Files\system\msadc\msadcs.dll
Is that it provides the calling interface for RDS. Here are some steps to thoroughly clear RDS (if you are sure your site does not need this feature):

* Remove the/MSADC virtual directory from the IIS console
* Delete the following registry key values:
Hkey_local_machine\system\currentcontrolset\services\w3svc\parameters\
ADCLaunch
* Delete the following file directory
?:\ Program Files\Common Files\system\msadc

----[3. Situation
-Situation #1: I do need RDS
First you need to upgrade your system to MDAC 2.0. Remember to install JETCOPKG, or you may upgrade directly to MDAC 2.1.
Make sure you modify the value in the ' handlerrequired ' registry to explain it. And make sure that you've removed all the
Example program for RDS. Also cancels anonymous account access to the/MSADC directory, and uses a custom account for processing.
Detailed steps can refer to:
Http://www.microsoft.com/Data/ado/rds/custhand.htm
If you have a cold in English, you can also refer to my article on how to customize the process of RDS in Joy's ASP essence.

-Situation #2: I still want to use those examples what should I do?
The only way to do this is to prevent anonymous account access to RDS. But in the case of
VBBUSOBJCLS will skip the custom
Access restrictions If the example is installed in the
?:\ Program Files\Common Files\System\MSADC\Samples
, then you should follow the following steps to resolve:
* Delete all the items below this directory
?:\ Progam Files\comman Files\System\MSADC\Samples
* Delete key values in the registry
Hkey_local_machine\system\currentcontrolset\services\w3svc\parameters\
Adclaunch\vbbusobj.vbbusobjcls

----[4. All related Resources

-Official Jet 3.5 upgrade file (i386)
Http://www.wiretrip.net/rfp/bins/msadc/jetcopkg.exe
Http://officeupdate.microsoft.com/isapi/gooffupd.asp?
Target=/downloaditems/jetcopkg.exe


-Microsoft Database Access Home
http://www.microsoft.com/data/

-MDAC 2.1.2.4202.3 (GA) (aka MDAC 2.1 SP2) upgraded version (i386)
Http://www.wiretrip.net/rfp/bins/msadc/mdac_typ.exe
Http://www.microsoft.com/data/download_21242023.htm


-MDAC 2.1.1.3711.11 (GA) (aka MDAC 2.1 SP1) hotfix
Http://www.microsoft.com/data/download/jetODBC.exe

-MDAC 2.1
Http://www.microsoft.com/data/MDAC21info/MDAC21sp2manifest.htm

-MDAC 2.1 Installation FAQ
Http://www.microsoft.com/data/MDAC21info/MDACinstQ.htm

-Security issues in RDS 1.5, IIS 3.0 or 4.0, and ODBC
Http://support.microsoft.com/support/kb/articles/q184/3/75.asp

-RDS Security Bulletin (MS99-004) that does not authorize access to ODBC Data access
Http://www.microsoft.com/security/bulletins/ms98-004.asp

-Security Bulletin ms99-004 (ms99-025)
Http://www.microsoft.com/security/bulletins/ms99-025.asp

-ms99-025 FAQ
Http://www.microsoft.com/security/bulletins/MS99-025faq.asp

-ms99-30: Official ODBC security vulnerability Patch Encyclopedia
Http://www.microsoft.com/security/bulletins/ms99-030.asp

-The jet engine can perform unsafe VBA functions
Http://support.microsoft.com/support/kb/articles/q239/1/04.asp

-How to implement custom manipulation RDS 2.0
Http://www.microsoft.com/Data/ado/rds/custhand.htm

-Security Modification Registry Patches
Http://www.wiretrip.net/rfp/bins/msadc/handsafe.exe
Http://www.microsoft.com/security/bulletins/handsafe.exe

-rfp9901:nt ODBC Remote Access Vulnerability
http://www.wiretrip.net/rfp/p/doc.asp?id=3&iface=2

-Rfp9902:rds/iis 4.0 security vulnerabilities and damage
http://www.wiretrip.net/rfp/p/doc.asp?id=1&iface=2

-RDS Attack (msadc.pl v1 and v2)
http://www.wiretrip.net/rfp/p/doc.asp?id=16&iface=2

-ULG Recommended Patch method
Http://www.aviary-mag.com/News/Powerful_Exploit/ULG_Fix/ulg_fix.html

-CERT Bulletin
Http://www.cert.org/current/current_activity.html#0

-Attrition Bulletin
Http://www.attrition.org/mirror/attrition




Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.