Microsoft's JET database engine allows Visual Basic for Applications (VBA)
expressions to be embedded in SQL strings. Because many web applications do not
filter the relevant metacharacter, remote users may be able to execute commands on the system.

Microsoft's JET database engine (the core of Microsoft Access) allows the
embedding of Visual Basic for Applications expressions in SQL strings. A VBA expression
enclosed between two "|" characters within an SQL string is executed and its result is
substituted into the string. The VBA code is evaluated in an expression context, which
means statements cannot be used.

The Microsoft JET database engine can be used via the ODBC API and is commonly
used as a backend for web-enabled applications. That JET uses the "|" character
to execute VBA code within SQL statements is a largely unknown feature, so few
applications escape user input for this metacharacter. Any script or application
that uses Microsoft's JET ODBC DSN could therefore potentially be exploited.

Microsoft's IIS in particular executes ODBC commands in the context of the System
account. This may allow remote attackers to input VBA code into web-enabled applications
that IIS will then execute as the System user.

The most dangerous VBA function available to an attacker is shell(), which enables
them to run any command on the system.

Microsoft's IIS 4.0 ships with a number of sample scripts that are vulnerable
if used with the JET ODBC driver (e.g. details.idc). It also ships with MSADC, which
allows remote users to execute SQL queries on a DSN via HTTP.

Tests seem to indicate JET 4.0 is not vulnerable to this issue.
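
Because few applications escape the "|" metacharacter, request logs are a practical place to look for it. The following is an added example, not part of the original advisory: it scans IIS logs for query-string parameters whose value, after percent-decoding, contains text enclosed between two "|" characters. It assumes W3C extended log format; the log lines, dates, addresses, parameter names and request paths are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Text enclosed between two "|" characters: the JET expression delimiters.
PIPE_PAIR = re.compile(r"\|[^|]+\|")

def decode_fully(value, max_rounds=3):
    """Undo repeated percent-encoding, e.g. %257C -> %7C -> |."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def has_jet_expression(value):
    """True if the decoded value holds a |...| pair."""
    return bool(PIPE_PAIR.search(decode_fully(value)))

def scan_w3c_log(lines):
    """Return (client IP, URI stem, parameter name) for each flagged parameter."""
    fields, hits = [], []
    for line in lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]   # column names for the rows that follow
            continue
        if line.startswith("#") or not line.strip():
            continue
        row = dict(zip(fields, line.split()))
        query = row.get("cs-uri-query", "-")
        if query == "-":
            continue
        for pair in query.split("&"):
            name, _, raw = pair.partition("=")
            if has_jet_expression(raw):
                hits.append((row.get("c-ip"), row.get("cs-uri-stem"), name))
    return hits

# Constructed sample log (W3C extended format assumed); EXPR is a placeholder.
SAMPLE_LOG = [
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status",
    "2000-01-01 10:00:01 192.0.2.10 GET /details.idc Fname=John&Lname=Smith 200",
    "2000-01-01 10:00:07 192.0.2.77 GET /details.idc Fname=%7CEXPR%7C&Lname=Smith 200",
    "2000-01-01 10:00:09 192.0.2.78 GET /details.idc Fname=John&Lname=%257CEXPR%257C 200",
    "2000-01-01 10:00:12 192.0.2.10 GET /default.htm - 200",
]

if __name__ == "__main__":
    for hit in scan_w3c_log(SAMPLE_LOG):
        print("suspicious parameter:", hit)
```

A lone "|" is not flagged; if the application never expects that character in input, tighten PIPE_PAIR to match any "|".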