Title: Microsoft JET Database Engine VBA Vulnerability
Severity: HIGH
Description:
Microsoft's JET database engine allows Visual Basic for Applications (VBA) expressions to be embedded in SQL strings. Because many web applications do not filter the relevant metacharacter, remote users may be able to execute commands on the system.
Microsoft's JET database engine (the core of Microsoft Access) allows the embedding of Visual Basic for Applications (VBA) expressions in SQL strings. A VBA expression enclosed between two "|" characters within an SQL string is executed and its result is substituted into the string. The VBA code is evaluated in an expression context, which means statements cannot be used.
The Microsoft JET database engine can be used via the ODBC API and is commonly used as a backend for web-enabled applications. The use of the "|" character to execute VBA code within SQL statements is a largely unknown feature of JET, so few applications escape user input for this metacharacter. Therefore any script or application that uses Microsoft's JET ODBC DSN could potentially be exploited.
Microsoft's IIS in particular executes ODBC commands in the context of the System account. This may allow remote attackers to input VBA code in web-enabled applications that will be executed by IIS as the System user.
The most dangerous VBA command available to an attacker is shell(), which allows any command to be run on the system.
Microsoft's IIS 4.0 ships with a number of sample scripts that are vulnerable if used with the JET ODBC driver (e.g. details.idc). It also ships with MSADC, which allows remote users to execute SQL queries on a DSN via HTTP.
Tests seem to indicate JET 4.0 is not vulnerable to this issue.
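The missing metacharacter filtering described above can be checked for on the defensive side. The following Python sketch is an added example, not code from the original advisory or from Microsoft: it flags request parameters that carry a "|"-delimited span, including percent-encoded forms, and offers a stricter input check that refuses the character outright. The request paths, parameter names and the EXPR placeholder are constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qsl, unquote

PIPE = "|"
MAX_DECODE_ROUNDS = 3  # assumption: how many nested encodings to unwrap

def fully_decode(value):
    """Percent-decode repeatedly so %7C and %257C both surface as '|'."""
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def has_jet_expression(value):
    """True when the value holds a |...| pair, the form JET evaluates."""
    decoded = fully_decode(value)
    first = decoded.find(PIPE)
    return first != -1 and decoded.find(PIPE, first + 1) != -1

def is_safe_for_jet(value):
    """Input-side check: refuse any value containing the metacharacter."""
    return PIPE not in fully_decode(value)

def scan_request(url):
    """Return [(param, decoded_value)] for query parameters carrying |...|."""
    hits = []
    for name, raw in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        if has_jet_expression(raw):
            hits.append((name, fully_decode(raw)))
    return hits

# Constructed sample requests (hypothetical paths and parameter names).
SAMPLE_REQUESTS = [
    "/app/lookup.asp?id=7&name=Lee",
    "/app/lookup.asp?id=7|EXPR|",
    "/app/lookup.asp?id=7%7CEXPR%7C",
    "/app/lookup.asp?id=7%257CEXPR%257C",
    "/app/lookup.asp?name=a|b",
]

def flagged_requests(requests=SAMPLE_REQUESTS):
    """Requests with at least one parameter that would reach JET as |...|."""
    return [r for r in requests if scan_request(r)]

if __name__ == "__main__":
    for request in flagged_requests():
        print("suspicious:", request, scan_request(request))
```

A single unpaired "|" is not reported by the log scan, but is_safe_for_jet() still rejects it, which is the safer behaviour for input that will be concatenated into a JET SQL string.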
Affected Products:
- Cisco Building Broadband Service Manager 5.0.0
- Cisco Call Manager 1.0.0
- Cisco Call Manager 2.0.0
- Cisco Call Manager 3.0.0
- Cisco ICS 7750 0.0.0
- Cisco IP/VC 3540 Video Rate Matching Module 0.0.0
- Cisco Unity Server 2.0.0
- Cisco Unity Server 2.2.0
- Cisco Unity Server 2.3.0
- Cisco Unity Server 2.4.0
- Cisco uOne 1.0.0
- Cisco uOne 2.0.0
- Cisco uOne 3.0.0
- Cisco uOne 4.0.0
- Microsoft Access 95 0.0.0
- Microsoft Access 97
- Microsoft BackOffice 4.0.0
- Microsoft BackOffice 4.5.0
- Microsoft Excel 95 0.0.0
- Microsoft Excel 97 0.0.0
- Microsoft IIS 4.0.0
- Microsoft JET 3.5.0
- Microsoft JET 3.51.0
- Microsoft Windows NT 4.0 Option Pack