Windows Jet Flaw

Researchers say they have demonstrated how exploits of Microsoft Jet Database Engine vulnerabilities could lead to remote attacks on Microsoft Internet Information Services and Microsoft SQL Server to gain system privileges. Microsoft says it recently patched the flaws.

Researchers at Palo Alto Networks did not say whether any exploits using the vulnerabilities were found in the wild. Tao Yan, a security researcher with Palo Alto Networks’ Unit 42 team, said its researchers reported around 100 Jet vulnerabilities to Microsoft in 2020, though Microsoft only fixed a small number of them. “It seems that Microsoft’s strategy is to mitigate the whole attack surface instead of fixing each individual vulnerability, one by one,” Yan says.

IIS is a general-purpose web server that runs on Windows, while SQL Server is a relational database management system. Palo Alto Networks described the exploits in a presentation at the recent conference. The exploits take advantage of remote database access supported in Microsoft Jet Database Engine, including Jet Red Database Engine and Access Connectivity Engine, the researchers say. “When misused, the feature allows attackers to execute SQL queries on the fully controlled database file on the remote attacker’s controlled server,” the researchers explain.

“Once the remote legitimate database file is replaced with a malformed database file, executing SQL queries on it could break the code precondition and assumptions in Microsoft Jet/ACE, leading to vulnerabilities in many Jet components. The typical attack scenarios are SQL injection and ad hoc. In these two scenarios, attackers can execute any SQL queries on the malformed databases in the IIS and SQL server. The resulting Jet vulnerabilities will impact the IIS and SQL server.”
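One way a defender could look for the remote database access pattern described above in logged SQL statements, as an added example that is not from the article or from Palo Alto Networks. It flags ad hoc `OPENROWSET`/`OPENDATASOURCE` calls that hand a Jet or ACE provider a UNC path, and any statement that names an Access file on a UNC path; the log lines, host names and finding labels are constructed for illustration.

```python
import re
from typing import Iterable, List, Optional, Tuple

# Jet/ACE OLE DB provider names as they appear in ad hoc queries.
PROVIDER = re.compile(r"Microsoft\.(?:Jet|ACE)\.OLEDB\.[\d.]+", re.I)
# SQL Server ad hoc data-access functions.
ADHOC = re.compile(r"\bOPEN(?:ROWSET|DATASOURCE)\s*\(", re.I)
# UNC path (\\host\share\...): the file lives on another machine.
REMOTE = re.compile(r"""\\\\[^\\\s'"]+\\[^'"\]\r\n]+""")
# Access database file extensions.
DBFILE = re.compile(r"\.(?:mdb|accdb)\b", re.I)


def classify(statement: str) -> Optional[str]:
    """Return a finding label (hypothetical names) for one statement, or None."""
    remote = REMOTE.search(statement)
    if remote is None:
        return None  # local files and ordinary queries are out of scope
    if ADHOC.search(statement) and PROVIDER.search(statement):
        return "adhoc-jet-remote"  # ad hoc scenario: Jet/ACE pointed at a remote file
    if DBFILE.search(remote.group(0)):
        return "remote-dbfile-reference"  # e.g. Jet SQL external-database IN clause
    return None  # UNC path that is not a database file


def scan(lines: Iterable[str]) -> List[Tuple[int, str]]:
    """Return (1-based line number, label) for every flagged statement."""
    findings = []
    for number, line in enumerate(lines, 1):
        label = classify(line)
        if label:
            findings.append((number, label))
    return findings


# Constructed statements, as they might appear in a query or web request log.
SAMPLE_LOG = [
    r"SELECT name FROM customers WHERE id = 42",
    r"SELECT * FROM OPENROWSET('Microsoft.ACE.OLEDB.12.0', 'C:\data\sales.accdb';'admin';'', orders)",
    r"SELECT * FROM OPENROWSET('Microsoft.Jet.OLEDB.4.0', '\\fileserver.example\share\report.mdb';'admin';'', t1)",
    r"SELECT qty FROM stock IN '\\fileserver.example\share\report.mdb'",
    r"EXEC log_event 'copied \\fileserver.example\share\notes.txt'",
]

if __name__ == "__main__":
    for number, label in scan(SAMPLE_LOG):
        print(f"line {number}: {label}")
```

A hit is a lead for review rather than proof of exploitation, since legitimate applications also open Access files on file shares.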

During code development and testing in MS Jet and ACE, developers might not consider the possibility of the database being malformed, so the researchers decided to explore the idea of mutating both SQL queries and database files. That fuzzing strategy enabled the researchers to discover the 100 vulnerabilities in MS Jet and ACE. Most of the vulnerabilities could be used to attack IIS and SQL Server under SQL injection and ad hoc scenarios, the researchers say.

Palo Alto Networks says, “any components supporting MS Jet and ACE on Windows could be vulnerable, as long as the component allows users to execute any query on the controllable database with MS Jet and ACE.” Although the patch mitigates the risks, it is not turned on by default – and most Jet vulnerabilities are still not patched, Palo Alto Networks says. “The mitigation for the attack surface in ACE still remains imperfect, and we are working with Microsoft to release a complete patch for both MS Jet and ACE,” Yan told ISMG.

The Microsoft Jet Database Engine, including MS Jet and ACE, is over 20 years old, and a vast majority of the Jet modules have been found to be easily exploitable due to limited exploit mitigations, the researchers note.

The researchers said: “The remote database access feature connects the Jet vulnerabilities with IIS and SQL server components, thereby downgrading their security to the same level as the Jet Database Engine.”
