BID:17462

Microsoft MDAC RDS.Dataspace ActiveX Control Remote Code Execution Vulnerability

Info

Microsoft MDAC RDS.Dataspace ActiveX Control Remote Code Execution Vulnerability

Bugtraq ID:	17462
Class:	Design Error
CVE:	CVE-2006-0003
Remote:	Yes
Local:	No
Published:	Apr 11 2006 12:00AM
Updated:	May 12 2015 07:49PM
Credit:	Golan Yosef and Stefano Meller are credited with the discovery of this vulnerability.
Vulnerable:	Microsoft Data Access Components (MDAC) 2.8 SP2 + Microsoft Windows 2000 Advanced Server SP4 + Microsoft Windows 2000 Advanced Server SP4 + Microsoft Windows 2000 Advanced Server SP4 + Microsoft Windows 2000 Advanced Server SP3 + Microsoft Windows 2000 Advanced Server SP3 + Microsoft Windows 2000 Advanced Server SP3 + Microsoft Windows 2000 Advanced Server SP2 + Microsoft Windows 2000 Advanced Server SP2 + Microsoft Windows 2000 Advanced Server SP2 + Microsoft Windows 2000 Advanced Server SP1 + Microsoft Windows 2000 Advanced Server SP1 + Microsoft Windows 2000 Advanced Server SP1 + Microsoft Windows 2000 Advanced Server + Microsoft Windows 2000 Advanced Server + Microsoft Windows 2000 Advanced Server + Microsoft Windows 2000 Datacenter Server SP4 + Microsoft Windows 2000 Datacenter Server SP4 + Microsoft Windows 2000 Datacenter Server SP4 + Microsoft Windows 2000 Datacenter Server SP3 + Microsoft Windows 2000 Datacenter Server SP3 + Microsoft Windows 2000 Datacenter Server SP3 + Microsoft Windows 2000 Datacenter Server SP2 + Microsoft Windows 2000 Datacenter Server SP2 + Microsoft Windows 2000 Datacenter Server SP2 + Microsoft Windows 2000 Datacenter Server SP1 + Microsoft Windows 2000 Datacenter Server SP1 + Microsoft Windows 2000 Datacenter Server SP1 + Microsoft Windows 2000 Datacenter Server + Microsoft Windows 2000 Datacenter Server + Microsoft Windows 2000 Datacenter Server + Microsoft Windows 2000 Professional SP4 + Microsoft Windows 2000 Professional SP4 + Microsoft Windows 2000 Professional SP4 + Microsoft Windows 2000 Professional SP3 + Microsoft Windows 2000 Professional SP3 + Microsoft Windows 2000 Professional SP3 + Microsoft Windows 2000 Professional SP2 + Microsoft Windows 2000 Professional SP2 + Microsoft Windows 2000 Professional SP2 + Microsoft Windows 2000 Professional SP1 + Microsoft Windows 2000 Professional SP1 + Microsoft Windows 2000 Professional SP1 + Microsoft Windows 2000 Professional + Microsoft Windows 2000 Professional + Microsoft Windows 2000 Professional + Microsoft Windows 2000 Server SP4 + Microsoft Windows 2000 Server SP4 + Microsoft Windows 2000 Server SP4 + Microsoft Windows 2000 Server SP3 + Microsoft Windows 2000 Server SP3 + Microsoft Windows 2000 Server SP3 + Microsoft Windows 2000 Server SP2 + Microsoft Windows 2000 Server SP2 + Microsoft Windows 2000 Server SP2 + Microsoft Windows 2000 Server SP1 + Microsoft Windows 2000 Server SP1 + Microsoft Windows 2000 Server SP1 + Microsoft Windows 2000 Server + Microsoft Windows 2000 Server + Microsoft Windows 2000 Server + Microsoft Windows Server 2003 Datacenter Edition + Microsoft Windows Server 2003 Datacenter Edition + Microsoft Windows Server 2003 Datacenter Edition + Microsoft Windows Server 2003 Datacenter Edition Itanium 0 + Microsoft Windows Server 2003 Datacenter Edition Itanium 0 + Microsoft Windows Server 2003 Datacenter Edition Itanium 0 + Microsoft Windows Server 2003 Enterprise Edition + Microsoft Windows Server 2003 Enterprise Edition + Microsoft Windows Server 2003 Enterprise Edition + Microsoft Windows Server 2003 Enterprise Edition Itanium 0 + Microsoft Windows Server 2003 Enterprise Edition Itanium 0 + Microsoft Windows Server 2003 Enterprise Edition Itanium 0 + Microsoft Windows Server 2003 Standard Edition + Microsoft Windows Server 2003 Standard Edition + Microsoft Windows Server 2003 Standard Edition + Microsoft Windows Server 2003 Web Edition + Microsoft Windows Server 2003 Web Edition + Microsoft Windows Server 2003 Web Edition Microsoft Data Access Components (MDAC) 2.8 SP1 + Microsoft Windows 2000 Advanced Server SP4 + Microsoft Windows 2000 Advanced Server SP4 + Microsoft Windows 2000 Advanced Server SP4 + Microsoft Windows 2000 Advanced Server SP4 + Microsoft Windows 2000 Advanced Server SP3 + Microsoft Windows 2000 Advanced Server SP3 + Microsoft Windows 2000 Advanced Server SP3 + Microsoft Windows 2000 Advanced Server SP3 + Microsoft Windows 2000 Advanced Server SP2 + Microsoft Windows 2000 Advanced Server SP2 + Microsoft Windows 2000 Advanced Server SP2 + Microsoft Windows 2000 Advanced Server SP2 + Microsoft Windows 2000 Advanced Server SP1 + Microsoft Windows 2000 Advanced Server SP1 + Microsoft Windows 2000 Advanced Server SP1 + Microsoft Windows 2000 Advanced Server SP1 + Microsoft Windows 2000 Advanced Server + Microsoft Windows 2000 Advanced Server + Microsoft Windows 2000 Advanced Server + Microsoft Windows 2000 Advanced Server + Microsoft Windows 2000 Datacenter Server SP4 + Microsoft Windows 2000 Datacenter Server SP4 + Microsoft Windows 2000 Datacenter Server SP4 + Microsoft Windows 2000 Datacenter Server SP4 + Microsoft Windows 2000 Datacenter Server SP3 + Microsoft Windows 2000 Datacenter Server SP3 + Microsoft Windows 2000 Datacenter Server SP3 + Microsoft Windows 2000 Datacenter Server SP3 + Microsoft Windows 2000 Datacenter Server SP2 + Microsoft Windows 2000 Datacenter Server SP2 + Microsoft Windows 2000 Datacenter Server SP2 + Microsoft Windows 2000 Datacenter Server SP2 + Microsoft Windows 2000 Datacenter Server SP1 + Microsoft Windows 2000 Datacenter Server SP1 + Microsoft Windows 2000 Datacenter Server SP1 + Microsoft Windows 2000 Datacenter Server SP1 + Microsoft Windows 2000 Datacenter Server + Microsoft Windows 2000 Datacenter Server + Microsoft Windows 2000 Datacenter Server + Microsoft Windows 2000 Datacenter Server + Microsoft Windows 2000 Professional SP4 + Microsoft Windows 2000 Professional SP4 + Microsoft Windows 2000 Professional SP4 + Microsoft Windows 2000 Professional SP4 + Microsoft Windows 2000 Professional SP3 + Microsoft Windows 2000 Professional SP3 + Microsoft Windows 2000 Professional SP3 + Microsoft Windows 2000 Professional SP3 + Microsoft Windows 2000 Professional SP2 + Microsoft Windows 2000 Professional SP2 + Microsoft Windows 2000 Professional SP2 + Microsoft Windows 2000 Professional SP2 + Microsoft Windows 2000 Professional SP1 + Microsoft Windows 2000 Professional SP1 + Microsoft Windows 2000 Professional SP1 + Microsoft Windows 2000 Professional SP1 + Microsoft Windows 2000 Professional + Microsoft Windows 2000 Professional + Microsoft Windows 2000 Professional + Microsoft Windows 2000 Professional + Microsoft Windows 2000 Server SP4 + Microsoft Windows 2000 Server SP4 + Microsoft Windows 2000 Server SP4 + Microsoft Windows 2000 Server SP3 + Microsoft Windows 2000 Server SP3 + Microsoft Windows 2000 Server SP3 + Microsoft Windows 2000 Server SP3 + Microsoft Windows 2000 Server SP2 + Microsoft Windows 2000 Server SP2 + Microsoft Windows 2000 Server SP2 + Microsoft Windows 2000 Server SP2 + Microsoft Windows 2000 Server SP1 + Microsoft Windows 2000 Server SP1 + Microsoft Windows 2000 Server SP1 + Microsoft Windows 2000 Server SP1 + Microsoft Windows 2000 Server + Microsoft Windows 2000 Server + Microsoft Windows 2000 Server + Microsoft Windows 2000 Server + Microsoft Windows Server 2003 Datacenter Edition + Microsoft Windows Server 2003 Datacenter Edition + Microsoft Windows Server 2003 Datacenter Edition + Microsoft Windows Server 2003 Datacenter Edition + Microsoft Windows Server 2003 Datacenter Edition Itanium 0 + Microsoft Windows Server 2003 Datacenter Edition Itanium 0 + Microsoft Windows Server 2003 Datacenter Edition Itanium 0 + Microsoft Windows Server 2003 Datacenter Edition Itanium 0 + Microsoft Windows Server 2003 Enterprise Edition + Microsoft Windows Server 2003 Enterprise Edition + Microsoft Windows Server 2003 Enterprise Edition + Microsoft Windows Server 2003 Enterprise Edition + Microsoft Windows Server 2003 Enterprise Edition Itanium 0 + Microsoft Windows Server 2003 Enterprise Edition Itanium 0 + Microsoft Windows Server 2003 Enterprise Edition Itanium 0 + Microsoft Windows Server 2003 Enterprise Edition Itanium 0 + Microsoft Windows Server 2003 Standard Edition + Microsoft Windows Server 2003 Standard Edition + Microsoft Windows Server 2003 Standard Edition + Microsoft Windows Server 2003 Standard Edition + Microsoft Windows Server 2003 Web Edition + Microsoft Windows Server 2003 Web Edition + Microsoft Windows Server 2003 Web Edition + Microsoft Windows Server 2003 Web Edition + Microsoft Windows XP 64-bit Edition + Microsoft Windows XP 64-bit Edition + Microsoft Windows XP 64-bit Edition + Microsoft Windows XP Home SP2 + Microsoft Windows XP Home SP2 + Microsoft Windows XP Home SP2 + Microsoft Windows XP Home SP1 + Microsoft Windows XP Home SP1 + Microsoft Windows XP Home SP1 + Microsoft Windows XP Media Center Edition SP2 + Microsoft Windows XP Media Center Edition SP2 + Microsoft Windows XP Media Center Edition SP2 + Microsoft Windows XP Media Center Edition SP1 + Microsoft Windows XP Media Center Edition SP1 + Microsoft Windows XP Media Center Edition SP1 + Microsoft Windows XP Professional SP2 + Microsoft Windows XP Professional SP2 + Microsoft Windows XP Professional SP2 + Microsoft Windows XP Professional SP1 + Microsoft Windows XP Professional SP1 + Microsoft Windows XP Professional SP1 + Microsoft Windows XP Tablet PC Edition SP2 + Microsoft Windows XP Tablet PC Edition SP2 + Microsoft Windows XP Tablet PC Edition SP2 + Microsoft Windows XP Tablet PC Edition SP1 + Microsoft Windows XP Tablet PC Edition SP1 + Microsoft Windows XP Tablet PC Edition SP1 Microsoft Data Access Components (MDAC) 2.8 + Microsoft Windows 2000 Advanced Server SP4 + Microsoft Windows 2000 Advanced Server SP4 + Microsoft Windows 2000 Advanced Server SP4 + Microsoft Windows 2000 Advanced Server SP3 + Microsoft Windows 2000 Advanced Server SP3 + Microsoft Windows 2000 Advanced Server SP3 + Microsoft Windows 2000 Advanced Server SP2 + Microsoft Windows 2000 Advanced Server SP2 + Microsoft Windows 2000 Advanced Server SP2 + Microsoft Windows 2000 Advanced Server SP1 + Microsoft Windows 2000 Advanced Server SP1 + Microsoft Windows 2000 Advanced Server SP1 + Microsoft Windows 2000 Advanced Server + Microsoft Windows 2000 Advanced Server + Microsoft Windows 2000 Advanced Server + Microsoft Windows 2000 Datacenter Server SP4 + Microsoft Windows 2000 Datacenter Server SP4 + Microsoft Windows 2000 Datacenter Server SP4 + Microsoft Windows 2000 Datacenter Server SP3 + Microsoft Windows 2000 Datacenter Server SP3 + Microsoft Windows 2000 Datacenter Server SP3 + Microsoft Windows 2000 Datacenter Server SP2 + Microsoft Windows 2000 Datacenter Server SP2 + Microsoft Windows 2000 Datacenter Server SP2 + Microsoft Windows 2000 Datacenter Server SP1 + Microsoft Windows 2000 Datacenter Server SP1 + Microsoft Windows 2000 Datacenter Server SP1 + Microsoft Windows 2000 Datacenter Server + Microsoft Windows 2000 Datacenter Server + Microsoft Windows 2000 Datacenter Server + Microsoft Windows 2000 Professional SP4 + Microsoft Windows 2000 Professional SP4 + Microsoft Windows 2000 Professional SP4 + Microsoft Windows 2000 Professional SP3 + Microsoft Windows 2000 Professional SP3 + Microsoft Windows 2000 Professional SP3 + Microsoft Windows 2000 Professional SP2 + Microsoft Windows 2000 Professional SP2 + Microsoft Windows 2000 Professional SP2 + Microsoft Windows 2000 Professional SP1 + Microsoft Windows 2000 Professional SP1 + Microsoft Windows 2000 Professional SP1 + Microsoft Windows 2000 Professional + Microsoft Windows 2000 Professional + Microsoft Windows 2000 Professional + Microsoft Windows 2000 Server SP4 + Microsoft Windows 2000 Server SP4 + Microsoft Windows 2000 Server SP4 + Microsoft Windows 2000 Server SP3 + Microsoft Windows 2000 Server SP3 + Microsoft Windows 2000 Server SP3 + Microsoft Windows 2000 Server SP2 + Microsoft Windows 2000 Server SP2 + Microsoft Windows 2000 Server SP2 + Microsoft Windows 2000 Server SP1 + Microsoft Windows 2000 Server SP1 + Microsoft Windows 2000 Server SP1 + Microsoft Windows 2000 Server + Microsoft Windows 2000 Server + Microsoft Windows 2000 Server + Microsoft Windows Server 2003 Datacenter Edition + Microsoft Windows Server 2003 Datacenter Edition + Microsoft Windows Server 2003 Datacenter Edition + Microsoft Windows Server 2003 Datacenter Edition Itanium 0 + Microsoft Windows Server 2003 Datacenter Edition Itanium 0 + Microsoft Windows Server 2003 Datacenter Edition Itanium 0 + Microsoft Windows Server 2003 Enterprise Edition + Microsoft Windows Server 2003 Enterprise Edition + Microsoft Windows Server 2003 Enterprise Edition + Microsoft Windows Server 2003 Enterprise Edition Itanium 0 + Microsoft Windows Server 2003 Enterprise Edition Itanium 0 + Microsoft Windows Server 2003 Enterprise Edition Itanium 0 + Microsoft Windows Server 2003 Standard Edition + Microsoft Windows Server 2003 Standard Edition + Microsoft Windows Server 2003 Standard Edition + Microsoft Windows Server 2003 Web Edition + Microsoft Windows Server 2003 Web Edition + Microsoft Windows Server 2003 Web Edition Microsoft Data Access Components (MDAC) 2.7 SP1 Microsoft Data Access Components (MDAC) 2.7 + Microsoft Visual Studio .NET Academic Edition 0 + Microsoft Visual Studio .NET Academic Edition 0 + Microsoft Visual Studio .NET Academic Edition 0 + Microsoft Visual Studio .NET Enterprise Architect Edition + Microsoft Visual Studio .NET Enterprise Architect Edition + Microsoft Visual Studio .NET Enterprise Architect Edition + Microsoft Visual Studio .NET Enterprise Developer Edition + Microsoft Visual Studio .NET Enterprise Developer Edition + Microsoft Visual Studio .NET Enterprise Developer Edition + Microsoft Visual Studio .NET Professional Edition + Microsoft Visual Studio .NET Professional Edition + Microsoft Visual Studio .NET Professional Edition + Microsoft Visual Studio .NET Trial Edition 0 + Microsoft Visual Studio .NET Trial Edition 0 + Microsoft Visual Studio .NET Trial Edition 0 + Microsoft Windows XP 0 + Microsoft Windows XP 0 + Microsoft Windows XP 64-bit Edition + Microsoft Windows XP 64-bit Edition + Microsoft Windows XP 64-bit Edition + Microsoft Windows XP Home + Microsoft Windows XP Home + Microsoft Windows XP Home + Microsoft Windows XP Professional + Microsoft Windows XP Professional + Microsoft Windows XP Professional Microsoft Data Access Components (MDAC) 2.5 SP3 Hitachi HITSENSER5 02-80 Hitachi HITSENSER5 01-10 Hitachi HITSENSER5 01-00 Hitachi DBPARTNER2 Client 01-12 Hitachi DBPARTNER2 Client 01-05 Hitachi DBPARTNER2 Client 01-00 Hitachi DBPARTNER ODBC 01-11 Hitachi DBPARTNER ODBC 01-06 Hitachi DBPARTNER ODBC 01-03 Hitachi DBPARTNER ODBC 01-00 Hitachi DA Broker for ODBC 01-02 Hitachi DA Broker for ODBC 01-00

Not Vulnerable:

Discussion

Microsoft MDAC RDS.Dataspace ActiveX Control Remote Code Execution Vulnerability

The Microsoft MDAC RDS.Dataspace ActiveX control is vulnerable to remote code execution. An attacker could exploit this issue to execute code in the context of the user visiting a malicious web page.

Exploit / POC

Microsoft MDAC RDS.Dataspace ActiveX Control Remote Code Execution Vulnerability

A Metasploit exploit module is available.

The following exploit code is available; Symantec has not verified it.

CAUTION: Since the exploit code may contain malicious content, handle it carefully.

UPDATE (May 15, 2007): This issue is being exploited in the wild by the MPack hacker tool. Please see the references for more information.

/data/vulnerabilities/exploits/ie_createobject.pm
/data/vulnerabilities/exploits/0day_ie.pdf
/data/vulnerabilities/exploits/exp_changed.htm
/data/vulnerabilities/exploits/IEexploit_original.html
/data/vulnerabilities/exploits/17462July302007.html
/data/vulnerabilities/exploits/17462.py
/data/vulnerabilities/exploits/17462Jan282008.html

Solution / Fix

Microsoft MDAC RDS.Dataspace ActiveX Control Remote Code Execution Vulnerability

Solution:
Windows 95/98/ME users should obtain fixes from the Windows Update website.

Please see the references for more information.

Microsoft Data Access Components (MDAC) 2.7 SP1

Microsoft Security Update for Microsoft Data Access Components 2.7 Service Pack 1 (KB911562)
For Windows 2000 SP 4 and Windows XP SP 1.
http://www.microsoft.com/downloads/details.aspx?familyid=0AA7C8B7-8417 -42D8-8E73-5466C03B8C65&displaylang=en

Microsoft Security Update for Windows XP (KB911562)
For Windows XP SP 1 and SP 2.
http://www.microsoft.com/downloads/details.aspx?familyid=2F9E772C-8122 -4027-A117-E93227B2C79F&displaylang=en

Microsoft Data Access Components (MDAC) 2.8 SP1

Microsoft Security Update for Microsoft Data Access Components 2.8 Service Pack 1 (KB911562)
For Windows 2000 SP 4.
http://www.microsoft.com/downloads/details.aspx?familyid=7358DA31-959C -4E3E-8115-51DC6D441365&displaylang=en

Microsoft Security Update for Windows XP (KB911562)
For Windows XP SP 1 and SP 2.
http://www.microsoft.com/downloads/details.aspx?familyid=2F9E772C-8122 -4027-A117-E93227B2C79F&displaylang=en

Microsoft Data Access Components (MDAC) 2.8 SP2

Microsoft Security Update for Windows Server 2003 (KB911562)
For Windows Server 2003 and Windows Server 2003 SP 1.
http://www.microsoft.com/downloads/details.aspx?familyid=39B29ED4-9B95 -4593-BCB6-4BB03CA5F8F1&displaylang=en

Microsoft Security Update for Windows Server 2003 for Itanium-based Systems (KB911562)
For Windows Server 2003 and Windows Server 2003 Service Pack 1 for Itanium-based Systems.
http://www.microsoft.com/downloads/details.aspx?familyid=4D2FE426-E34E -4192-8A0F-35E440E948E2&displaylang=en

Microsoft Security Update for Windows Server x64 Edition (KB911562)
http://www.microsoft.com/downloads/details.aspx?familyid=E237C2C7-9819 -437B-AB70-298BA62AC285&displaylang=en

Microsoft Security Update for Windows XP x64 Edition (KB911562)
For Windows XP x64 Edition.
http://www.microsoft.com/downloads/details.aspx?familyid=9C8B645D-0F01 -4B79-B6B3-55279BEDB944&displaylang=en

Microsoft Data Access Components (MDAC) 2.8

Microsoft Security Update for Microsoft Data Access Components 2.8 (KB911562)
For Windows 2000 SP 4 and Windows XP SP 1.
http://www.microsoft.com/downloads/details.aspx?familyid=2494B25D-452F -4025-8B67-41A5C840F7E2&displaylang=en

Microsoft Security Update for Windows Server 2003 (KB911562)
For Windows Server 2003 and Windows Server 2003 SP 1.
http://www.microsoft.com/downloads/details.aspx?familyid=39B29ED4-9B95 -4593-BCB6-4BB03CA5F8F1&displaylang=en

Microsoft Security Update for Windows Server 2003 for Itanium-based Systems (KB911562)
For Windows Server 2003 and Windows Server 2003 Service Pack 1 for Itanium-based Systems.
http://www.microsoft.com/downloads/details.aspx?familyid=4D2FE426-E34E -4192-8A0F-35E440E948E2&displaylang=en

Microsoft Data Access Components (MDAC) 2.5 SP3

Microsoft Security Update for Microsoft Data Access Components 2.5 Service Pack 3 (KB911562) - English
For Windows 2000 SP 4.
http://www.microsoft.com/downloads/details.aspx?familyid=1B3E6CB9-1EF2 -4BA1-A2F2-F87B717372FB&displaylang=en

References

Microsoft MDAC RDS.Dataspace ActiveX Control Remote Code Execution Vulnerability

References:

Chinese Weekend Compromise (Trend Micro)
JS_IFRAME.AD (Trend Micro)
Microsoft Security Bulletin MS06-014 (Microsoft)
MPack Uncovered (pdf document) (PandaLabs)
Vulnerability in the MDAC Function Could Allow Remote Code Execution (Hitachi)
Exploit In Internet Explorer ([email protected])