[15746] in bugtraq
Re: MSDE / Re: Default Password Database
daemon@ATHENA.MIT.EDU (Microsoft Security Response Center)
Wed Jul 12 13:46:31 2000
Mime-Version: 1.0
Mime-Version: 1.0
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature";
micalg=SHA1; boundary="----=_NextPart_000_0016_01BFEB4C.F70253F0"
Message-Id: <B9D1827FDF66D111925800805F3102E31D9D073D@RED-MSG-57>
Date: Tue, 11 Jul 2000 15:30:38 -0700
Reply-To: Microsoft Security Response Center <secure@MICROSOFT.COM>
From: Microsoft Security Response Center <secure@MICROSOFT.COM>
X-To: Eric Monti <ericm@DENMAC.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
This is a multi-part message in MIME format.
------=_NextPart_000_0016_01BFEB4C.F70253F0
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
-----BEGIN PGP SIGNED MESSAGE-----
Hello Eric,
MSDE and SQL Server can be thought of as the same for the purposes of
our security patches. In some of the security bulletins we
specifically
mention MSDE (MS00-014), in others we have not included it.
We've fixed the sa blank login configuration by default in SQL Server
2000. However, the only way MSDE could have admin rights to the
machine
is if the person who installs it (or scripts the install) chose to
select to run the services as LocalSystem, and chose to run in
"mixed"
security mode instead of Windows NT Integrated.
If you have other specific questions please feel free to email us.
Regards,
Secure@Microsoft.com
- -----Original Message-----
From: Eric Monti [mailto:ericm@DENMAC.COM]
Sent: Monday, July 10, 2000 1:08 PM
To: BUGTRAQ@SECURITYFOCUS.COM
Subject: MSDE / Re: Default Password Database
An addition for your excellent database, Eric -- and something for
the
other folks on bugtraq to chew on:
Microsoft Data Engine (A toned down version of MS SQL server)
installs
with a blank password for 'sa'. Since the 'MSDE' listens on the
standard
MSSQL 1433/tcp SQL port, you can log in remotely with this. It also
works with named pipes on NT but not on Win9x.
This MSDE is now distributed as part of Office 2000 (for Access 2000)
and in 'redistributable' form as msdex86.exe for use in 3rd party
applications.
MSDE is incorporated in several MS and 3rd party packages. Some that
I
know of include Visio 2000, Visual Studio 6.0, and well.. Access
2000. I
know of at least one 3rd party application -- a "security" product
that
I cannot name (sorry...)-- that also uses it. There probably are
others.
All of the applications I/my colleague have tested with it have had
tcp/1433 (ms-sql port) listening while the engine is running (in some
cases, always) and have been subject to the default login hole. After
logging in remotely, a simple "xp_cmdshell" extended stored procedure
call (yes it is included) yields access to the underlying NT server
in
seconds (as SYSTEM if I recall). Xp_cmdshell was not tested with
Win9x.
Also, we've noticed that many of the recent MS-SQL
holes/advisories/fixes that have been coming out recently have made
no
mention of MSDE and to my knowledge the fixes have not been
incorporated
into it by MS.
A bit more info on MSDE is available at (mostly "feature-fluff"):
http://www.microsoft.com/technet/office/trmsde1.asp
http://www.devx.com/upload/free/features/vbpj/1999/10oct99/rd1099/rd10
99
.asp
None of the documentation I've read have made any mention of the
default
password or need to change it, although ironically the first link
above
gives a warning in the form of a code example that uses:
"Server=cabxli;Uid=SA;Pwd=;"
If anyone knows of other applications that use the MSDE, we'd be
interested in finding out what they are to try working around the
default password issue if possible when running across them, and
avoid
them if
not.
Much credit goes to my colleague Alex Nikonchuk for identifying and
researching this.
Eric Monti
Denmac Systems
ericm@denmac.com | monti@ushost.com
-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Privacy 6.5.3
iQEVAwUBOWugDY0ZSRQxA/UrAQENVwf+JUNV1XAnrJABBwLcYIqfud+4vvzgIBRf
NngCoXjGIA6ALSXB0JjTeHS0EL13cBmUs5w2u1dQPxkUyMAvFUXdC8FEiPbOrPnw
YmgHDnWhAHzf8Jgu9EUi8FZguh6hq5xDRN+a2ubcL3/rzsMaDgONGHVsMoTnWaq3
yhf6fMBy4EU9jQJjStkOtYkqeELhUwI5FjTrex/WwT2Q6EKMTsgx5Zt/BlNS8m/r
vg5ut6BfAWpmD8s1Gtwhp3xitNVBPv7WHziBEE1MA1fYbvIJhAs3H9Vt8N4jD4uE
Z1wLowBtrytKWYUt7/Ju8BdS9NzggYhc0xeA0va6BfOKcDqmbJtA3Q==
=UEDP
-----END PGP SIGNATURE-----
------=_NextPart_000_0016_01BFEB4C.F70253F0
Content-Type: application/x-pkcs7-signature;
name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
filename="smime.p7s"
MIAGCSqGSIb3DQEHAqCAMIACAQExCzAJBgUrDgMCGgUAMIAGCSqGSIb3DQEHAQAAoIIH9DCCA2Yw
ggLPoAMCAQICEA2LT+6q0hhb9HVqnSnhf/swDQYJKoZIhvcNAQECBQAwXzELMAkGA1UEBhMCVVMx
FzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMTcwNQYDVQQLEy5DbGFzcyAxIFB1YmxpYyBQcmltYXJ5
IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MB4XDTk4MDUxMjAwMDAwMFoXDTA4MDUxMjIzNTk1OVow
gcwxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQLExZWZXJpU2lnbiBUcnVzdCBOZXR3
b3JrMUYwRAYDVQQLEz13d3cudmVyaXNpZ24uY29tL3JlcG9zaXRvcnkvUlBBIEluY29ycC4gQnkg
UmVmLixMSUFCLkxURChjKTk4MUgwRgYDVQQDEz9WZXJpU2lnbiBDbGFzcyAxIENBIEluZGl2aWR1
YWwgU3Vic2NyaWJlci1QZXJzb25hIE5vdCBWYWxpZGF0ZWQwgZ8wDQYJKoZIhvcNAQEBBQADgY0A
MIGJAoGBALtaRIoEFrtV/QN6ii2UTxV4NrgNSrJvnFS/vOh3Kp258Gi7ldkxQXB6gUu5SBNWLccI
4YRCq8CikqtEXKpC8IIOAukv+8I7u77JJwpdtrA2QjO1blSIT4dKvxna+RXoD4e2HOPMxpqOf2ok
kuP84GW6p7F+78nbN2rISsgJBuSZAgMBAAGjgbQwgbEwEQYJYIZIAYb4QgEBBAQDAgEGMDUGA1Ud
HwQuMCwwKqAooCaGJGh0dHA6Ly9jcmwudmVyaXNpZ24uY29tL3BjYTEuMS4xLmNybDBHBgNVHSAE
QDA+MDwGC2CGSAGG+EUBBwEBMC0wKwYIKwYBBQUHAgEWH3d3dy52ZXJpc2lnbi5jb20vcmVwb3Np
dG9yeS9SUEEwDwYDVR0TBAgwBgEB/wIBADALBgNVHQ8EBAMCAQYwDQYJKoZIhvcNAQECBQADgYEA
QnwO34x5TKy/COxNVS9QiaDFXk4uXpUym3mtZRELHEpSxNWoMSGO3hCbbAjFB+YDuefINHgJCfK8
BkL4WoyD0YreqiL12eMh0s9ljAYzsM0gsjPNCr0+4Z3BNalksKelJFvp8WjrE8R8N/SUZA2axb0z
F++DM6A+5ao+rthzH60wggSGMIID76ADAgECAhAFW6O2XDQrpbsyUnX/rOAiMA0GCSqGSIb3DQEB
BAUAMIHMMRcwFQYDVQQKEw5WZXJpU2lnbiwgSW5jLjEfMB0GA1UECxMWVmVyaVNpZ24gVHJ1c3Qg
TmV0d29yazFGMEQGA1UECxM9d3d3LnZlcmlzaWduLmNvbS9yZXBvc2l0b3J5L1JQQSBJbmNvcnAu
IEJ5IFJlZi4sTElBQi5MVEQoYyk5ODFIMEYGA1UEAxM/VmVyaVNpZ24gQ2xhc3MgMSBDQSBJbmRp
dmlkdWFsIFN1YnNjcmliZXItUGVyc29uYSBOb3QgVmFsaWRhdGVkMB4XDTk5MTIzMDAwMDAwMFoX
DTAwMTIyOTIzNTk1OVowggEqMRcwFQYDVQQKEw5WZXJpU2lnbiwgSW5jLjEfMB0GA1UECxMWVmVy
aVNpZ24gVHJ1c3QgTmV0d29yazFGMEQGA1UECxM9d3d3LnZlcmlzaWduLmNvbS9yZXBvc2l0b3J5
L1JQQSBJbmNvcnAuIGJ5IFJlZi4sTElBQi5MVEQoYyk5ODEeMBwGA1UECxMVUGVyc29uYSBOb3Qg
VmFsaWRhdGVkMTQwMgYDVQQLEytEaWdpdGFsIElEIENsYXNzIDEgLSBNaWNyb3NvZnQgRnVsbCBT
ZXJ2aWNlMSswKQYDVQQDFCJNaWNyb3NvZnQgU2VjdXJpdHkgUmVzcG9uc2UgQ2VudGVyMSMwIQYJ
KoZIhvcNAQkBFhRzZWN1cmVAbWljcm9zb2Z0LmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkC
gYEAuafK0KY7jxRWX/ii7REot/dZP/KDsOsziDseqHVDBX7pX9HJUpryp/Lm3Hznkf+J9LkxobwZ
zDtMz/4OsSqA8BSM2P+QzWNlZme8CyMab38A4wU0gHcOd7etKyc7PD5gduhYGyevQWPq57Ed8YPh
1KJPgSL2Euhkx1M5sEHaJxECAwEAAaOCAQYwggECMAkGA1UdEwQCMAAwgawGA1UdIASBpDCBoTCB
ngYLYIZIAYb4RQEHAQEwgY4wKAYIKwYBBQUHAgEWHGh0dHBzOi8vd3d3LnZlcmlzaWduLmNvbS9D
UFMwYgYIKwYBBQUHAgIwVjAVFg5WZXJpU2lnbiwgSW5jLjADAgEBGj1WZXJpU2lnbidzIENQUyBp
bmNvcnAuIGJ5IHJlZmVyZW5jZSBsaWFiLiBsdGQuIChjKTk3IFZlcmlTaWduMBEGCWCGSAGG+EIB
AQQEAwIHgDAzBgNVHR8ELDAqMCigJqAkhiJodHRwOi8vY3JsLnZlcmlzaWduLmNvbS9jbGFzczEu
Y3JsMA0GCSqGSIb3DQEBBAUAA4GBADmfkDIvEguiQBuI/YXWT22bRzz7CdKPIO4NsjeiARnEJIrs
Urbh/kH2L9T+v6NeLp94JNQhBZjb49mvXndQIe624TPo3YbEuM3WbyHr1OwEM32OmRTX4un3kJbH
l4Lyg9JEiL4csPbFLuL77oGDeMLYmCURRwwlCpuC9vgrNqV7MYIDODCCAzQCAQEwgeEwgcwxFzAV
BgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQLExZWZXJpU2lnbiBUcnVzdCBOZXR3b3JrMUYw
RAYDVQQLEz13d3cudmVyaXNpZ24uY29tL3JlcG9zaXRvcnkvUlBBIEluY29ycC4gQnkgUmVmLixM
SUFCLkxURChjKTk4MUgwRgYDVQQDEz9WZXJpU2lnbiBDbGFzcyAxIENBIEluZGl2aWR1YWwgU3Vi
c2NyaWJlci1QZXJzb25hIE5vdCBWYWxpZGF0ZWQCEAVbo7ZcNCuluzJSdf+s4CIwCQYFKw4DAhoF
AKCCAawwGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAcBgkqhkiG9w0BCQUxDxcNMDAwNzExMjIz
MDM4WjAjBgkqhkiG9w0BCQQxFgQUzDp8QwTvQSicna0IMFn4x1dbcwswWAYJKoZIhvcNAQkPMUsw
STAKBggqhkiG9w0DBzAOBggqhkiG9w0DAgICAIAwBwYFKw4DAgcwDQYIKoZIhvcNAwICASgwBwYF
Kw4DAhowCgYIKoZIhvcNAgUwgfIGCSsGAQQBgjcQBDGB5DCB4TCBzDEXMBUGA1UEChMOVmVyaVNp
Z24sIEluYy4xHzAdBgNVBAsTFlZlcmlTaWduIFRydXN0IE5ldHdvcmsxRjBEBgNVBAsTPXd3dy52
ZXJpc2lnbi5jb20vcmVwb3NpdG9yeS9SUEEgSW5jb3JwLiBCeSBSZWYuLExJQUIuTFREKGMpOTgx
SDBGBgNVBAMTP1ZlcmlTaWduIENsYXNzIDEgQ0EgSW5kaXZpZHVhbCBTdWJzY3JpYmVyLVBlcnNv
bmEgTm90IFZhbGlkYXRlZAIQBVujtlw0K6W7MlJ1/6zgIjANBgkqhkiG9w0BAQEFAASBgB+dF1q+
d4I5cz4LgwS+S1iVBlvIjLLf6tOVMeOa4dvOHO3t6lowU/z053twAALRfgjkDCRCviiMBILk/80X
qdjv3IJ+eoPTRWXgS6fsBIVdkNbHMCgJUDdkz7ui/5j2LUFkv/dr4HHfa5pf1PScKgBXgw5N0e0X
T3Yhyrl1RQsJAAAAAAAA
------=_NextPart_000_0016_01BFEB4C.F70253F0--
