MDAC (Microsoft Data Access Components) is a package used to integrate web and database services.
It includes a component named RDS (Remote Data Services). RDS allows remote access via the
internet to database objects through IIS. Both are included in a default installation of the
Windows NT 4.0 Option Pack, but can be excluded via a custom installation.
RDS includes a component called the DataFactory object, which has a vulnerability that could
allow any web user to:
- Obtain unauthorized access to unpublished files on the IIS server
- Use MDAC to tunnel ODBC requests through to a remote internal or external
location, thereby obtaining access to non-public servers or effectively masking
the source of an attack on another network.
The main risk in this vulnerability is that if the Microsoft JET OLE DB Provider or Microsoft
DataShape Provider are installed, a user could use the shell() VBA command on the server with
System privileges. (See the Microsoft JET Database Engine VBA Vulnerability for more information).
These two vulnerabilities combined can allow an attacker on the Internet to run arbitrary
commands with System level privileges on the target host.