Microsoft Security Bulletin MS01-018 - Important
Visual Studio VB T-SQL Object Contains Unchecked Buffer
Published: March 27, 2001 | Updated: June 23, 2003
Originally posted: March 27, 2001
Updated: June 23, 2003
Who should read this bulletin:
Customers running either Visual Studio 6.0 Enterprise or Visual Basic 6.0 Enterprise Edition
Impact of vulnerability:
Run code of attacker's choice.
Customers running either Visual Studio 6.0 Enterprise or Visual Basic 6.0 Enterprise Edition should install this patch.
- Microsoft Visual Studio 6.0 Enterprise Edition
- Microsoft Visual Basic 6.0 Enterprise Edition
The VB T-SQL debugger object that ships with Visual Studio 6.0 or Visual Basic 6.0 Enterprise Edition has an unchecked buffer in the code that processes parameters for one of the object's methods. The object can, by design, be programmatically accessed remotely. If the object were to be referenced by a program that contained specially malformed data within the parameter, either of two outcomes would result. In the less serious case, the attacker could cause the object to fail on the hosting machine. In the more serious case, the attacker could exploit the buffer overrun to run code of the attacker's choice on the hosting machine.
The debugger object (vbsdicli.exe) is installed by default with Visual Studio 6.0 or Visual Basic 6.0 Enterprise Edition and runs in the context of the interactively logged-on user. The attacker could only execute a successful attack if he knew that a user had the component installed and that the user was logged in at the time of the attack.
- If best practices have been followed and ports 137-139 and 445 have been blocked at an organization's router or firewall, this attack could not be executed from the Internet.
- There is no way to determine remotely if a machine has the affected component installed. An attacker would need to successively target machines until he found one that was susceptible.
- The vulnerability could only be exploited if an interactive user were logged on to the target machine at the time of the malicious user's attack.
- Only the Enterprise Edition of Visual Studio 6.0 or Visual Basic 6.0 are affected. Visual Studio 6.0 or Visual Basic 6.0 Professional Edition is not affected.
Vulnerability identifier: CAN-2001-0153
Microsoft tested Visual Studio 6.0 and Visual Basic 6.0 Enterprise Edition. Previous versions are no longer supported, and may or may not be affected by these vulnerabilities.
Frequently asked questions
What's the scope of the vulnerability?
This is a buffer overrun vulnerability in an object that ships with Visual Studio 6.0 or Visual Basic 6.0 Enterprise Edition. If an attacker exploited this vulnerability in an attack against an affected computer, he could potentially run arbitrary code on that machine in the context of the interactively logged on user. There are potentially two effects of an attack via this vulnerability. The malicious user could cause the affected object to fail or he could potentially run arbitrary code on the target computer in the context of the interactively logged on user.
What causes the vulnerability?
A DCOM object (VB T-SQL Debugger - vbsdicli.exe) that ships with Visual Studio 6.0 Enterprise has an unchecked buffer in a section of code that processes the parameters for one of the object's methods.
What is DCOM?
A technology for component-based development of software that is network-aware. Using Distributed Component Object Model (DCOM), developers can create network-aware applications using Component Object Model (COM) components. DCOM works under various network transports, including TCP/IP. DCOM is a client/server protocol that provides distributed network services to COM, allowing DCOM-enabled software components to communicate over a network in a similar fashion to the method by which COM components communicate among themselves on a single machine. DCOM client objects make requests for services from DCOM server objects on different machines on the network using a standard set of interfaces. For more information on DCOM please see the following link: http://www.microsoft.com/com/default.mspx,
What is COM?
The Component Object Model (COM) is an object-based software architecture that allows applications to be built from binary software components. COM is the foundation for various Microsoft technologies including OLE, ActiveX, Distributed COM (DCOM), COM+, and Microsoft Transaction Server (MTS). COM is not a programming language, rather it is a specification. The goal of COM is to allow applications to be built using components. These COM components can be created by different vendors, at different times, and using different programming languages. Also, the COM components can run on different machines or different operating systems. For more information please see the following link: http://www.microsoft.com/com/default.mspx,
What's the VB T-SQL object?
The T-SQL debugger is a DCOM object (which can be remotely initiated) integrated with the Data Environment designer. It allows you to interactively debug remote stored procedures written in Microsoft SQL Server's Transact SQL dialect, from within the Visual Basic development environment. The vulnerability described in this bulletin is independent of any access to SQL server and only requires access to a machine with the debugger object installed. For more information please see the following link: http://msdn2.microsoft.com/en-us/library/Aa733643
What's wrong with the VB T-SQL object?
The object contains an unchecked buffer in the code that processes the parameters for one of the object's methods. A remote program could invoke this method so as to cause a buffer overrun. As is often the case with buffer overrun vulnerabilities, either of two outcomes could occur. In the less serious case - in which the buffer was overrun by random data - the object would just produce an error or fail on the target computer. In the more serious case - in which the attacker filled the affected parameter in the object with specially selected data - the functionality of the object could be modified while it was running, in order to make it take something other than its intended action.
What would the first case enable an attacker to do?
If the parameter at issue here were filled with random data, the debugger object would fail. However, the user on the target machine could bypass the error and continue working normally.
What would the second case enable an attacker to do?
If an attacker were able to insert an invalid parameter containing specially chosen data, he could cause his program to take any action he wanted on the target computer when it referenced the debugger object. The only limitation on the actions the program could take would be those associated with the user who was running Visual Studio 6 at the time - if the user had few privileges on the machine, the malicious code might be able to do very little. On the other hand, if the user was an administrator on the machine, the code could do virtually anything.
Who could exploit the vulnerability?
There are a few prerequisites for exploiting this vulnerability:
- The malicious user would need to know the name of the target computer and would need to be on the same intranet as the target computer. If best practices were followed, and ports 137-139, and 445 were blocked at the router or firewall, the vulnerability could not be exploited from the Internet.
- The malicious user would also need to know that a specific user had Visual Studio 6.0 Enterprise installed on a specific machine.
- Finally, a specific user would need to be interactively logged in at the time of the attack.
What security context would the malicious program run under on the target machine?
Since the attack requires a user to be logged in the malicious code would run in the context of that logged in user. If the user on the affected computer was a local user the program would have that user's local privileges on the machine. If the logged on user was a member of a domain then the malicious program would have domain privileges.
What if a user is not logged on at the time of the attack?
If the target computer did not have an interactive logged on user, the attacker would receive an error message if he tried to reference the object on the target machine. An interactive logged on user must be present at the time of attack.
I don't have Visual Studio 6.0 Enterprise or Visual Basic 6.0 Enterprise Edition on my machine. Could I be affected?
No. This problem only affects either Visual Studio 6.0 Enterprise or Visual Basic 6.0 Enterprise Edition.
I run Visual Studio 6.0 or Visual Basic 6.0 Professional Edition. Could I be affected?
No. The debugger only ships with Visual Studio 6.0 or Visual Basic Enterprise Edition.
What does the patch do?
The patch corrects the object to ensure that proper bounds checking takes place on the parameter in question.
Download locations for this patch
Microsoft Visual Studio 6.0 Enterprise or Visual Basic 6.0 Enterprise Edition:
Additional information about this patch
This patch can be installed on systems running either Visual Studio 6.0 Enterprise Edition Service Pack 5 or Visual Basic 6.0 Enterprise Edition.
Inclusion in future service packs:
The fix for this issue will be included in Service Pack 6 of Visual Studio 6.0 Enterprise Edition.
Verifying patch installation: To verify that the patch has been installed, verify that the files listed in the patch manifest in Knowledge Base article Q281297 have been installed on the machine.
Localized versions of this patch are under development. When completed, they will be available at the locations discussed in "Obtaining other security patches".
Obtaining other security patches:
Patches for other security issues are available from the following locations:
- Security patches are available from the Microsoft Download Center, and can be most easily found by doing a keyword search for "security_patch".
- Patches are also available from the WindowsUpdate web site
Microsoft thanks BindView's Razor Team or reporting these issues to us and helping us protect our customers.
- Microsoft Knowledge Base article Q281297 discusses this issue and will be available approximately 24 hours after the release of this bulletin. Knowledge Base articles can be found on the Microsoft Online Support web site.
- Technical support is available from Microsoft Product Support Services. There is no charge for support calls associated with security patches.
Security Resources: The Microsoft TechNet Security Web Site provides additional information about security in Microsoft products.
The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
- V1.0 (March 27, 2001): Bulletin Created.
- V1.1 (June 23, 2003): Updated Windows Update download links.
Built at 2014-04-18T13:49:36Z-07:00