Vulnerabilities > CVE-2002-1142 - Unspecified vulnerability in Microsoft Data Access Components, IE and Internet Explorer

CVSS v2 base score 7.5 - HIGH
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
PARTIAL
Availability impact
PARTIAL
network
low complexity
microsoft
nessus
exploit available
metasploit

Summary

Heap-based buffer overflow in the Remote Data Services (RDS) component of Microsoft Data Access Components (MDAC) 2.1 through 2.6, and Internet Explorer 5.01 through 6.0, allows remote attackers to execute code via a malformed HTTP request to the Data Stub.

Exploit-Db

description: Microsoft IIS MDAC msadcs.dll RDS DataStub Content-Type Overflow. CVE-2002-1142. Remote exploit for windows platform
id: EDB-ID:19026
last seen: 2016-02-02
modified: 2012-06-08
published: 2012-06-08
reporter: metasploit
source: https://www.exploit-db.com/download/19026/
title: Microsoft IIS MDAC msadcs.dll RDS DataStub Content-Type Overflow

Metasploit

description: This module can be used to execute arbitrary code on IIS servers that expose the /msadc/msadcs.dll Microsoft Data Access Components (MDAC) Remote Data Service (RDS) DataFactory service. The service is exploitable even when RDS is configured to deny remote connections (handsafe.reg). The service is vulnerable to a heap overflow where the RDS DataStub 'Content-Type' string is overly long. Microsoft Data Access Components (MDAC) 2.1 through 2.6 are known to be vulnerable.
id: MSF:EXPLOIT/WINDOWS/IIS/MS02_065_MSADC
last seen: 2020-05-23
modified: 2017-11-08
published: 2012-06-07
references
reporter: Rapid7
source: https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/iis/ms02_065_msadc.rb
title: MS02-065 Microsoft IIS MDAC msadcs.dll RDS DataStub Content-Type Overflow

Nessus

NASL family: Web Servers
NASL id: MSADCS_OVERFLOW.NASL
description: The remote DLL /msadc/msadcs.dll is accessible by anyone. Several flaws have been found in it in the past. We recommend that you restrict access to MSADC only to trusted hosts.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 11161
published: 2002-11-22
reporter: This script is Copyright (C) 2002-2018 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/11161
title: Microsoft Data Access Components RDS Data Stub Remote Overflow
code
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

# Plugin registration. When the scanner loads the script with `description`
# set, only this block runs: it records identifiers, report text and
# scheduling metadata, then exits (exit(0) at the end) without sending any
# traffic to the target.
if(description)
{
 script_id(11161);
 script_version ("1.41");

 # Advisory cross-references: CVE, Bugtraq ID, Microsoft bulletin and KB article.
 script_cve_id("CVE-2002-1142");
 script_bugtraq_id(6214);
 script_xref(name:"MSFT", value:"MS02-065");
 script_xref(name:"MSKB", value:"329414");

 script_name(english:"Microsoft Data Access Components RDS Data Stub Remote Overflow");

 # Report text shown to the operator.
 # NOTE(review): the synopsis states the host "is affected" by an overflow,
 # while the description only states that msadcs.dll is reachable. Under
 # safe_checks the script body reports on presence alone, so readers should
 # treat the synopsis as "potentially affected" in that mode.
 script_set_attribute(attribute:"synopsis", value:
"The remote host is affected by a remote buffer overflow vulnerability." );
 script_set_attribute(attribute:"description", value:
"The remote DLL /msadc/msadcs.dll is accessible by anyone. Several 
flaws have been found in it in the past. We recommend that you restrict 
access to MSADC only to trusted hosts." );
 script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2002/ms02-065" );
 script_set_attribute(attribute:"see_also", value:"https://seclists.org/vulnwatch/2002/q4/60" );
 # NOTE(review): the solution below only restricts access to the MSADC
 # virtual directory by IP address; it does not mention applying the fix
 # from the MS02-065 bulletin linked in see_also. Access restriction reduces
 # exposure but presumably leaves the flawed component in place; confirm
 # against the bulletin.
 script_set_attribute(attribute:"solution", value:
"  - Launch the Internet Services Manager
  - Select your web server
  - Right-click on MSADC and select 'Properties'
  - Select the tab 'Directory Security'
  - Click on the 'IP address and domain name restrictions'
    option
  - Make sure that by default, all computers are DENIED access
    to this resource
  - List the computers that should be allowed to use it" );
  # CVSS v2 base vector: network reachable, low complexity, no
  # authentication, partial confidentiality/integrity/availability impact.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  # CVSS v2 temporal vector: functional exploit exists (E:F), official fix
  # available (RL:OF), report confirmed (RC:C).
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  # Exploit-availability flags, used for prioritisation in reports.
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'MS02-065 Microsoft IIS MDAC msadcs.dll RDS DataStub Content-Type Overflow');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
script_set_attribute(attribute:"plugin_publication_date", value: "2002/11/22");
 script_set_attribute(attribute:"vuln_publication_date", value: "2002/11/20");
 script_cvs_date("Date: 2018/11/15 20:50:25");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_end_attributes();

 script_summary(english:"Determines the presence of msadcs.dll");
 # Mixed category: the script body has a presence-only path taken when
 # safe_checks() is true and a disruptive path taken otherwise, so the scan
 # policy decides whether the target service can be knocked over.
 script_category(ACT_MIXED_ATTACK);
 script_copyright(english:"This script is Copyright (C) 2002-2018 Tenable Network Security, Inc.");
 script_family(english:"Web Servers");
 # Plugins named here are declared as dependencies of this one.
 script_dependencie("http_version.nasl", "find_service1.nasl", "no404.nasl");
 # Run only where a web service was identified, or on port 80.
 script_require_ports("Services/www", 80);
 exit(0);
}

#
# The script code starts here
#

include("global_settings.inc");
include("misc_func.inc");
include("http.inc");

# Detection logic for CVE-2002-1142 (MS02-065).
#
# Two modes, selected by the scan policy:
#   - safe_checks on : report on the mere presence of /msadc/msadcs.dll,
#                      and only when report_paranoia >= 2, because presence
#                      alone does not show that the host is unpatched.
#   - safe_checks off: send a disruptive probe and report if the web
#                      service stops answering afterwards. This can take
#                      the HTTP service down on an affected host, so it
#                      belongs in scan windows where an outage is acceptable.

# With safe checks enabled the only evidence available is the resource's
# presence, so stay silent unless the operator asked for paranoid reporting.
if(safe_checks() &&  report_paranoia < 2)
  exit(0, "This script only runs in 'Paranoid' mode when safe_checks is set.");


port = get_http_port(default:80);

  # Fingerprint step: a harmless one-byte text/plain POST to the RDS
  # endpoint. exit_on_fail: 1 presumably ends the script if no reply
  # arrives (TODO confirm against http.inc).
  w = http_send_recv3(method:"POST", port: port, item:"/msadc/msadcs.dll",
    content_type: "text/plain", exit_on_fail: 1, data: "X");
  # Search w[1] and w[2] together (presumably response headers and body).
  z = strcat(w[1], w[2]);
  if(!z) exit(1, "Empty HTTP response on port "+port+".");
  # `>!<` is NASL's "substring not found" operator: if the reply does not
  # carry the application/x-varg content type, the endpoint is treated as
  # not being the RDS Data Stub and the script stops.
  if ("Content-Type: application/x-varg" >!< z) exit(0, "Content-Type received from port "+port+" is not application/x-varg.");

if (safe_checks())
{
    # Presence-only finding. The extra text tells the reader that no
    # vulnerability test was performed, so patch level must be verified
    # separately (e.g. against the MS02-065 bulletin).
    e = "
*** Nessus did not test for any security vulnerability but solely relied
*** on the presence of this resource to issue this warning, so this 
*** might be a false positive."; 
    security_hole(port:port, extra: e);
    exit(0);
}
else
{
 #
 # Okay, it turns out that this method crashes HTTP/1.0
 # support in IIS (not HTTP/1.1)
 # 
 # Baseline: confirm the server answers an HTTP/1.0 GET before the probe.
 # With exit_on_fail: 1 a server that is already unresponsive presumably
 # ends the script here instead of being reported as vulnerable.
 w = http_send_recv3(method:"GET", port: port, item: "/nessus.asp", 
   version: 10, exit_on_fail: 1);
 
 # Disruptive probe: a POST to the AdvancedDataFactory.Query method with an
 # oversized Content-Type header (32768 filler bytes plus a quoted
 # parameter). q holds a double-quote character (0x22). exit_on_fail: 0
 # lets the script continue when no reply comes back.
 q = raw_string(0x22);
 w = http_send_recv3(method:"POST", port: port,
   item: "/msadc/msadcs.dll/AdvancedDataFactory.Query",
   exit_on_fail: 0,
   content_type: string("application/", crap(32768), ";bob=", q, "bob", q),
   data: "");

 # Pause for one second before checking whether the service survived.
 sleep(1);

 # Liveness re-check over HTTP/1.0: no response at all is read as the
 # service having gone down, and the host is reported as vulnerable.
 # NOTE(review): a single re-probe one second later cannot distinguish a
 # crash from a transient network drop or an intermediary closing the
 # connection; confirm findings against the patch level before acting.
 w = http_send_recv3(method:"GET", port: port, item: "/nessus.asp", 
   version: 10, exit_on_fail: 0);
 if (isnull(w)) security_hole(port);
 else
   # NOTE(review): "MSDACS" in this message looks like a transposition of
   # MSADCS; left unchanged because it is runtime output.
   exit(0, "MSDACS on port "+port+" is not affected.");
}

Oval

  • accepted: 2008-05-05T04:00:18.440-04:00
    class: vulnerability
    contributors
    • name: Ingrid Skoog
      organization: The MITRE Corporation
    • name: Andrew Buttner
      organization: The MITRE Corporation
    • name: Robert L. Hollis
      organization: ThreatGuard, Inc.
    • name: Jeff Cheng
      organization: Opsware, Inc.
    • name: Clifford Farrugia
      organization: GFI Software
    description: Heap-based buffer overflow in the Remote Data Services (RDS) component of Microsoft Data Access Components (MDAC) 2.1 through 2.6, and Internet Explorer 5.01 through 6.0, allows remote attackers to execute code via a malformed HTTP request to the Data Stub.
    family: windows
    id: oval:org.mitre.oval:def:2730
    status: accepted
    submitted: 2004-08-24T12:00:00.000-04:00
    title: Microsoft Data Access Components 2.5 Remote Data Services Buffer Overflow
    version: 9
  • accepted: 2008-05-05T04:00:19.709-04:00
    class: vulnerability
    contributors
    • name: Ingrid Skoog
      organization: The MITRE Corporation
    • name: Andrew Buttner
      organization: The MITRE Corporation
    • name: Robert L. Hollis
      organization: ThreatGuard, Inc.
    • name: Jeff Cheng
      organization: Opsware, Inc.
    • name: Clifford Farrugia
      organization: GFI Software
    description: Heap-based buffer overflow in the Remote Data Services (RDS) component of Microsoft Data Access Components (MDAC) 2.1 through 2.6, and Internet Explorer 5.01 through 6.0, allows remote attackers to execute code via a malformed HTTP request to the Data Stub.
    family: windows
    id: oval:org.mitre.oval:def:294
    status: accepted
    submitted: 2004-08-24T12:00:00.000-04:00
    title: Microsoft Data Access Components 2.6 Remote Data Services Buffer Overflow
    version: 9
  • accepted: 2008-05-05T04:00:20.879-04:00
    class: vulnerability
    contributors
    • name: Ingrid Skoog
      organization: The MITRE Corporation
    • name: Andrew Buttner
      organization: The MITRE Corporation
    • name: Robert L. Hollis
      organization: ThreatGuard, Inc.
    • name: Jeff Cheng
      organization: Opsware, Inc.
    • name: Clifford Farrugia
      organization: GFI Software
    description: Heap-based buffer overflow in the Remote Data Services (RDS) component of Microsoft Data Access Components (MDAC) 2.1 through 2.6, and Internet Explorer 5.01 through 6.0, allows remote attackers to execute code via a malformed HTTP request to the Data Stub.
    family: windows
    id: oval:org.mitre.oval:def:3573
    status: accepted
    submitted: 2004-08-24T12:00:00.000-04:00
    title: Microsoft Data Access Components 2.1 Remote Data Services Buffer Overflow
    version: 9

Packetstorm

data source: https://packetstormsecurity.com/files/download/113354/ms02_065_msadc.rb.txt
id: PACKETSTORM:113354
last seen: 2016-12-05
published: 2012-06-07
reporter: patrick
source: https://packetstormsecurity.com/files/113354/Microsoft-IIS-MDAC-msadcs.dll-RDS-DataStub-Content-Type-Overflow.html
title: Microsoft IIS MDAC msadcs.dll RDS DataStub Content-Type Overflow