[16214] in bugtraq
Re: Tumbleweed Worldsecure (MMS) BLANK 'sa' account password
daemon@ATHENA.MIT.EDU (Eric Monti)
Sat Aug 12 01:54:49 2000
Message-ID: <s992bdaa.013@denmac.com>
Date: Thu, 10 Aug 2000 14:35:04 -0500
Reply-To: Eric Monti <ericm@DENMAC.COM>
From: Eric Monti <ericm@DENMAC.COM>
X-To: __nt__@anonymous.to
To: BUGTRAQ@SECURITYFOCUS.COM
Heh... good to see this out finally. My recent post regarding MSDE made reference to a security product that "I couldn't name". This was it.
I'm glad it's out of the bag now.
The xp_cmdshell functionality in SQL will allow you full system-level access to the NT server running the product as well.
It sounds like we went through the same thing with Tumbleweed that you did. We brought this to their attention after catching it in an install. We found it because our NT hardening template uses passfilt, which caused the installation to fail since the null password didn't make it through passfilt checks. I will be frank in saying that I am disgusted with Tumbleweed (and WorldTalk before them) for their stance regarding this hole.
Tumbleweed has known about this for a while now, but has made no public announcement. The 'workaround' they proposed to us was to assign an 'sa' password, but that seems to break the product whenever we try it.
Hopefully we will now see some real action out of them.
Thanks 'NT HATER'
Eric Monti
Denmac Systems
ericm@denmac.com
---------- Forwarded message ----------
Date: Thu, 10 Aug 2000 09:36:36 -0700
From: NT HATER <__nt__@ANONYMOUS.TO>
To: BUGTRAQ@SECURITYFOCUS.COM
Subject: Tumbleweed Worldsecure (MMS) BLANK 'sa' account password vulnerability
I've recently discovered the following vulnerability:
Product: Tumbleweed Messaging Management System (MMS) (Formerly Worldtalk
Worldsecure) http://www.tumbleweed.com/solutions/products/mms_products
Version: 4.3 - 4.5 (all builds)
Description: Product uses Microsoft's MSDE (Database engine) which is a stripped
down version of the Microsoft SQL server 7.0. During the setup stage, I was
never asked for the 'sa' account password, which led me to think that
application is either generating a random password every time it installs or the
password is the same for all installations. Well, after further research I
discovered that the password is left BLANK !!! This is a huge remotely
exploitable vulnerability. After I remotely connected to the database (with
'sa' account and NO PASSWORD) I was able to delete the databases (denial of
service, product becomes unusable) and modify the data (customer certificates,
configuration of the product, logs, etc.).
Tumbleweed refuses to acknowledge this vulnerability, which caused major outrage
among my customers. Therefore, I have no choice but to go public about this
vulnerability.
Please feel free to contact me with ANY questions regarding this issue, although
I would like to remain anonymous.
Thank you very much.