Microsoft JET database engine is a database management system that retrieves data from and stores data in user and system databases. The Microsoft Jet database engine can be thought of as a data manager upon which database systems, such as Microsoft Access, are built.
Microsoft Jet database engine has sophisticated query and optimization capabilities that are unmatched by other desktop database engines in its class. These features include updatable views, heterogeneous joins, and the ability to work seamlessly with a wide variety of industry-standard database formats. The Microsoft Jet query engine is designed to accept user requests for information or action in the form of Structured Query Language (SQL) statements. Microsoft Jet parses, analyzes, and optimizes these queries, and either returns the resulting information in the form of a Recordset object or performs the requested action.
Although Microsoft Jet borrows many query techniques from client/server relational database management systems (DBMSs) such as Microsoft SQL Server, it remains a file-server database. All queries are processed on individual workstations running copies of a host application, such as Microsoft Access, or a custom application created by using a tool, such as Microsoft Visual Basic. Microsoft Jet does not act as a true database server, such as SQL Server, that process data requests independently of the application requesting data. However, Microsoft Jet can send queries to SQL Server or other ODBC database servers for processing.
Microsoft Jet Database Engine provides support for many databases types such as *.mdb(MS Access), *.xls(MS Excel), *.txt (text files), *.dbf (dBase), etc. Microsoft Jet Database Engine allows the use of Visual Basic for Applications (VBA) functions and SQL aggregated functions in SQL statements, when a SQL query is executed and a long function name is supplied a Unicode stack based overflow occurs.
Credit:
The information has been provided by Cesar.
Vulnerable systems:
* Microsoft SQL Server 2000
* SQL Server version 7
* MSDE
* All software using MS Jet Engine Service Pack 6
Example: Select XXX...()
(XXX... more than 276 chars)
Microsoft SQL Server allows to access remote data from an OLE DB data source using OpenRowset(), Opendatasource(), Openquery() and Linked Servers. When querying remote data sources using JET 4.0 OLE DB provider and a long function name is specified a Unicode stack based overflow occurs: select * from openrowset('microsoft.jet.oledb.4.0','c:\anydatabase.mdb';'admin';'','select XXX...()')
Alternatively, select * from Openquery(SomeJet40LinkedServer,'Select XXX...()')
(XXX... more than 276 chars)
When the vulnerability is exploited to run arbitrary code on SQL Server, the code will run in the context of the SQL Server service account. On the latest SQL Server, the Microsoft Jet OLE DB provider is disabled by default, but it is not uncommon to find servers with the provider enabled or with a linked server to a supported Microsoft Jet database.
Workaround:
On SQL Server make sure you have Microsoft Jet OLE DB provider disabled.
Check the value DisallowAdhocAccess under key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SQL Server\InstanceNameHere\Providers\Microsoft.Jet.OLEDB.4.0
Value must not exist or be set to 1.
Vendor Status:
Microsoft was contacted and they release a fix in MS Jet 4.0 Service Pack 7.
Patch Availability:
Under the http://windowsupdate.microsoft.com web page, there is a link for the Jet 4.0 SP7 (under Recommended Updates as 282010: Recommended Update for Microsoft Jet 4.0 Service Pack 7 (SP7))
