[16272] in bugtraq
Released Patch: Tumbleweed Worldsecure (MMS) BLANK 'sa' account p
daemon@ATHENA.MIT.EDU (Ingo Wupper)
Wed Aug 16 14:11:04 2000
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----_=_NextPart_000_01C0077B.E9FC5958"
Message-ID: <BDD9CE8A22FBD211ABE80000E21A1BFC157EC2@FRANKFURT>
Date: Wed, 16 Aug 2000 14:17:13 +0200
Reply-To: Ingo Wupper <ingo.wupper@VANCO.DE>
From: Ingo Wupper <ingo.wupper@VANCO.DE>
To: BUGTRAQ@SECURITYFOCUS.COM
This message is in MIME format. Since your mail reader does not understand
this format, some or all of this message may not be legible.
------_=_NextPart_000_01C0077B.E9FC5958
Content-Type: multipart/alternative;
boundary="----_=_NextPart_001_01C0077B.E9FC5958"
Content-Transfer-Encoding: 7bit
------_=_NextPart_001_01C0077B.E9FC5958
Content-Type: text/plain;
charset=iso-8859-1
Content-Transfer-Encoding: quoted-printable
Tumbleweed has released a patch for the above problem. Pls find the URL =
in
the eMail below:
=20
Regards
=20
Vanco Euronet GmbH=20
- the human network -=20
Ingo Wupper=20
(Leiter Gesch=E4ftsbereich eSecurity)=20
Tel: +49 6102 785-601=20
Fax: +49 6102 785-556=20
The information contained in this eMail is confidential. It is
intended solely for the addressee. Access to this eMail by anyone else =
is
unauthorized. If you are not the intended recipient, any form of =
disclosure,
reproduction, distribution or any action taken or refrained from in =
reliance
on it is prohibited and may be unlawful. Please notify the sender
immediatly. All statements of opinion or advice directed via this eMail =
to
our clients are subject to the terms and conditions expressed in the
governing VANCO AGB's. The content of this eMail is not
legally binding unless confirmed by letter.=20
-----Urspr=FCngliche Nachricht-----
Von: klaus.stracker@tumbleweed.com =
[mailto:klaus.stracker@tumbleweed.com]
Gesendet: Mittwoch, 16. August 2000 14:24
An: ingo.wupper@vanco.de
Cc: kurt.dawidowitsch@tumbleweed.com
Betreff: Tumbleweed Worldsecure (MMS) BLANK 'sa' account passwordvuln
erability [virus checked]
Hallo Herr Wupper,
=20
Bezueglich Ihrer Mitteilung wurde am letzten Freitag ein Security Patch
freigegeben.
=20
http://thompson.tumbleweed.com/NewKB/bulletin/UPFiles/sa-official.htm
<http://thompson.tumbleweed.com/NewKB/bulletin/UPFiles/sa-official.htm> =
=20
=20
Ich hoffe Ihnen hiermit geholfen zu haben.
=20
=20
Freundliche Gruesse
=20
Klaus Stracker
Tumbleweed Communications
=20
=20
-----Original Message-----
From: Ingo Wupper [mailto:ingo.wupper@vanco.de]
Sent: 11 August 2000 07:44
To: Pat Boswell-Saul
Subject: WG: Tumbleweed Worldsecure (MMS) BLANK 'sa' account =
passwordvuln
erability [virus checked]
Could you pls clarify the comment of Tumbleweed denying this vuln. with =
you
technical staff ?=20
Thx.=20
Best Regards,=20
Vanco Euronet GmbH=20
- the human network -=20
Ingo Wupper=20
(Leiter Gesch=E4ftsbereich eSecurity)=20
Tel: +49 6102 785-601=20
Fax: +49 6102 785-556=20
The information contained in this eMail is confidential. It is
intended solely for the addressee. Access to this eMail by anyone else =
is
unauthorized. If you are not the intended recipient, any form of =
disclosure,
reproduction, distribution or any action taken or refrained from in =
reliance
on it is prohibited and may be unlawful. Please notify the sender
immediatly. All statements of opinion or advice directed via this eMail =
to
our clients are subject to the terms and conditions expressed in the
governing VANCO AGB's. The content of this eMail is not
legally binding unless confirmed by letter.=20
-----Urspr=FCngliche Nachricht-----=20
Von: NT HATER [ mailto:__nt__@ANONYMOUS.TO <mailto:__nt__@ANONYMOUS.TO> =
]=20
Gesendet: Donnerstag, 10. August 2000 18:37=20
An: BUGTRAQ@SECURITYFOCUS.COM=20
Betreff: Tumbleweed Worldsecure (MMS) BLANK 'sa' account password=20
vulnerability [virus checked]=20
I've recently discovered the following vulnerability:=20
Product: Tumbleweed Messaging Management System (MMS) (Formerly =
Worldtalk=20
Worldsecure) http://www.tumbleweed.com/solutions/products/mms_products
<http://www.tumbleweed.com/solutions/products/mms_products> =20
Version: 4.3 - 4.5 (all builds)=20
Description: Product uses Microsoft's MSDE (Database engine) which is a
stripped=20
down version of the Microsoft SQL server 7.0. During the setup stage, =
I was
never asked for the 'sa' account password, which led me to think that=20
application is either generating a random password every time it =
installs or
the=20
password is the same for all installations. Well, after thurther =
research I
discovered that the password is left BLANK !!! This is a huge remotely =
exploitable vulnerability. After I remotely connected to the database =
(with
'sa' account and NO PASSWORD) I was able to delete the databases =
(denial of=20
service, product becomes unusable) and modify the data (customer
certificates,=20
configuration of the product, logs, etc.).=20
Tumbeweed refuses to acknowledge this vulnerability, which caused major
outrage=20
among my customers. Therefore, I have no choice but to go public about =
this
vulnerability.=20
Please feel free to contact me with ANY questions regarding this issue,
although=20
I would like to remain anonymous.=20
Thank you very much.=20
------------------------------------------------------------=20
Hey you! Claim your FREE anonymous email account:=20
Click Here -> http://www.anonymous.to <http://www.anonymous.to> =20
------_=_NextPart_001_01C0077B.E9FC5958
Content-Type: text/html;
charset=iso-8859-1
Content-Transfer-Encoding: quoted-printable
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META HTTP-EQUIV=3D"Content-Type" CONTENT=3D"text/html; =
charset=3Diso-8859-1">
<TITLE>WG: Tumbleweed Worldsecure (MMS) BLANK 'sa' account password =
vulnerability [virus checked]</TITLE>
<META content=3D"MSHTML 5.00.2920.0" name=3DGENERATOR></HEAD>
<BODY>
<DIV><FONT color=3D#0000ff face=3DArial size=3D2><SPAN=20
class=3D427452212-16082000>Tumbleweed has released a patch for the =
above problem.=20
Pls find the URL in the eMail below:</SPAN></FONT></DIV>
<DIV><FONT color=3D#0000ff face=3DArial size=3D2><SPAN=20
class=3D427452212-16082000></SPAN></FONT> </DIV>
<DIV><FONT color=3D#0000ff face=3DArial size=3D2><SPAN=20
class=3D427452212-16082000>Regards</SPAN></FONT></DIV>
<DIV> </DIV>
<UL>
<P><FONT face=3D"BenguiatGothic Medium" size=3D2> Vanco Euronet =
GmbH</FONT>=20
<BR><FONT face=3D"BenguiatGothic Medium" size=3D2> - the human =
network=20
-</FONT> </P>
<P><FONT face=3D"BenguiatGothic Medium" size=3D2> Ingo =
Wupper</FONT>=20
<BR><FONT face=3D"BenguiatGothic Medium" size=3D2> (Leiter =
Gesch=E4ftsbereich=20
eSecurity)</FONT> <BR><FONT face=3D"BenguiatGothic Medium"=20
size=3D2> Tel: +49 6102 785-601</FONT> <BR><FONT=20
face=3D"BenguiatGothic Medium" size=3D2> Fax: +49 6102 =
785-556</FONT>=20
</P><BR><BR>
<P><FONT face=3DArial size=3D1>The information contained in this =
eMail is=20
confidential. It is intended solely for the addressee. Access =
to this=20
eMail by anyone else is unauthorized. If you are not the intended =
recipient,=20
any form of disclosure, reproduction, distribution or any action =
taken or=20
refrained from in reliance on it is prohibited and may be unlawful. =
Please=20
notify the sender immediatly. All statements of opinion or advice =
directed via=20
this eMail to our clients are subject to the terms and conditions =
expressed in=20
the governing VANCO AGB's. The content of this eMail is =
not</FONT></P>
<P><FONT face=3DArial size=3D1>legally binding unless confirmed by =
letter.</FONT>=20
</P><BR><BR><BR><BR></UL>
<DIV align=3Dleft class=3DOutlookMessageHeader dir=3Dltr><FONT =
face=3DTahoma=20
size=3D2>-----Urspr=FCngliche Nachricht-----<BR><B>Von:</B>=20
klaus.stracker@tumbleweed.com=20
[mailto:klaus.stracker@tumbleweed.com]<BR><B>Gesendet:</B> Mittwoch, =
16. August=20
2000 14:24<BR><B>An:</B> ingo.wupper@vanco.de<BR><B>Cc:</B>=20
kurt.dawidowitsch@tumbleweed.com<BR><B>Betreff:</B> Tumbleweed =
Worldsecure (MMS)=20
BLANK 'sa' account passwordvuln erability [virus =
checked]<BR><BR></FONT></DIV>
<DIV><FONT color=3D#0000ff face=3D"Comic Sans MS" size=3D2><SPAN=20
class=3D184592212-16082000>Hallo Herr Wupper,</SPAN></FONT></DIV>
<DIV><FONT color=3D#0000ff face=3D"Comic Sans MS" size=3D2><SPAN=20
class=3D184592212-16082000></SPAN></FONT> </DIV>
<DIV><FONT color=3D#0000ff face=3D"Comic Sans MS" size=3D2><SPAN=20
class=3D184592212-16082000>Bezueglich Ihrer Mitteilung wurde am letzten =
Freitag=20
ein Security Patch freigegeben.</SPAN></FONT></DIV>
<DIV><FONT color=3D#0000ff face=3D"Comic Sans MS" size=3D2><SPAN=20
class=3D184592212-16082000></SPAN></FONT> </DIV>
<DIV><FONT color=3D#0000ff face=3D"Comic Sans MS" size=3D2><SPAN=20
class=3D184592212-16082000><A=20
href=3D"http://thompson.tumbleweed.com/NewKB/bulletin/UPFiles/sa-officia=
l.htm">http://thompson.tumbleweed.com/NewKB/bulletin/UPFiles/sa-official=
.htm</A></SPAN></FONT></DIV>
<DIV><FONT color=3D#0000ff face=3D"Comic Sans MS" =
size=3D2></FONT> </DIV>
<DIV><FONT color=3D#0000ff face=3D"Comic Sans MS" =
size=3D2></FONT> </DIV>
<DIV><FONT color=3D#0000ff face=3D"Comic Sans MS" size=3D2><SPAN=20
class=3D184592212-16082000>Ich hoffe Ihnen hiermit geholfen zu=20
haben.</SPAN></FONT></DIV>
<DIV><FONT color=3D#0000ff face=3D"Comic Sans MS" size=3D2><SPAN=20
class=3D184592212-16082000></SPAN></FONT> </DIV>
<DIV><FONT color=3D#0000ff face=3D"Comic Sans MS" size=3D2><SPAN=20
class=3D184592212-16082000></SPAN></FONT> </DIV>
<DIV><FONT color=3D#0000ff face=3D"Comic Sans MS" size=3D2><SPAN=20
class=3D184592212-16082000>Freundliche Gruesse</SPAN></FONT></DIV>
<DIV><FONT color=3D#0000ff face=3D"Comic Sans MS" =
size=3D2></FONT> </DIV>
<DIV><FONT color=3D#0000ff face=3D"Comic Sans MS" size=3D2><SPAN=20
class=3D184592212-16082000>Klaus Stracker</SPAN></FONT></DIV>
<DIV><FONT color=3D#0000ff face=3D"Comic Sans MS" size=3D2><SPAN=20
class=3D184592212-16082000>Tumbleweed =
Communications</SPAN></FONT></DIV>
<DIV><FONT color=3D#0000ff face=3D"Comic Sans MS" size=3D2><SPAN=20
class=3D184592212-16082000></SPAN></FONT> </DIV>
<DIV><FONT color=3D#0000ff face=3D"Comic Sans MS" size=3D2><SPAN=20
class=3D184592212-16082000></SPAN></FONT> </DIV>
<DIV align=3Dleft class=3DOutlookMessageHeader dir=3Dltr><FONT =
face=3DTahoma=20
size=3D2>-----Original Message-----<BR><B>From:</B> Ingo Wupper=20
[mailto:ingo.wupper@vanco.de]<BR><B>Sent:</B> 11 August 2000 =
07:44<BR><B>To:</B>=20
Pat Boswell-Saul<BR><B>Subject:</B> WG: Tumbleweed Worldsecure (MMS) =
BLANK 'sa'=20
account passwordvuln erability [virus checked]<BR><BR></FONT></DIV>
<P><FONT size=3D2>Could you pls clarify the comment of Tumbleweed =
denying this=20
vuln. with you technical staff ?</FONT> </P>
<P><FONT size=3D2>Thx.</FONT> </P>
<P><FONT size=3D2>Best Regards,</FONT> </P>
<P> <FONT size=3D2> =
Vanco Euronet=20
GmbH</FONT> <BR> <FONT =
size=3D2> -=20
the human network -</FONT> </P>
<P> <FONT size=3D2> Ingo =
Wupper</FONT> <BR> <FONT =
size=3D2>=20
(Leiter Gesch=E4ftsbereich eSecurity)</FONT>=20
<BR> <FONT size=3D2> =
Tel: +49=20
6102 785-601</FONT> =
<BR> <FONT=20
size=3D2> Fax: +49 6102 785-556</FONT> </P><BR><BR>
<P> <FONT size=3D2>The =
information=20
contained in this eMail is confidential. It is intended solely =
for the=20
addressee. Access to this eMail by anyone else is unauthorized. If you =
are not=20
the intended recipient, any form of disclosure, reproduction, =
distribution or=20
any action taken or refrained from in reliance on it is prohibited and =
may be=20
unlawful. Please notify the sender immediatly. All statements of =
opinion or=20
advice directed via this eMail to our clients are subject to the terms =
and=20
conditions expressed in the governing VANCO AGB's. The content of this =
eMail is=20
not</FONT></P>
<P> <FONT size=3D2>legally =
binding=20
unless confirmed by letter.</FONT> </P><BR><BR><BR><BR><BR><BR>
<P><FONT size=3D2>-----Urspr=FCngliche Nachricht-----</FONT> <BR><FONT =
size=3D2>Von:=20
NT HATER [<A=20
href=3D"mailto:__nt__@ANONYMOUS.TO">mailto:__nt__@ANONYMOUS.TO</A>]</FON=
T>=20
<BR><FONT size=3D2>Gesendet: Donnerstag, 10. August 2000 18:37</FONT> =
<BR><FONT=20
size=3D2>An: BUGTRAQ@SECURITYFOCUS.COM</FONT> <BR><FONT =
size=3D2>Betreff: Tumbleweed=20
Worldsecure (MMS) BLANK 'sa' account password</FONT> <BR><FONT=20
size=3D2>vulnerability [virus checked]</FONT> </P><BR>
<P><FONT size=3D2>I've recently discovered the following =
vulnerability:</FONT>=20
<BR><FONT size=3D2>Product: Tumbleweed Messaging Management System =
(MMS) (Formerly=20
Worldtalk</FONT> <BR><FONT size=3D2>Worldsecure) <A=20
href=3D"http://www.tumbleweed.com/solutions/products/mms_products"=20
target=3D_blank>http://www.tumbleweed.com/solutions/products/mms_product=
s</A></FONT>=20
<BR><FONT size=3D2>Version: 4.3 - 4.5 (all builds)</FONT> <BR><FONT=20
size=3D2>Description: Product uses Microsoft's MSDE (Database engine) =
which is a=20
stripped</FONT> <BR><FONT size=3D2>down version of the Microsoft SQL =
server=20
7.0. During the setup stage, I was</FONT> <BR><FONT =
size=3D2>never asked for=20
the 'sa' account password, which led me to think that</FONT> <BR><FONT=20
size=3D2>application is either generating a random password every time =
it installs=20
or the</FONT> <BR><FONT size=3D2>password is the same for all =
installations. =20
Well, after thurther research I</FONT> <BR><FONT size=3D2>discovered =
that the=20
password is left BLANK !!! This is a huge remotely</FONT> =
<BR><FONT=20
size=3D2>exploitable vulnerability. After I remotely connected to =
the=20
database (with</FONT> <BR><FONT size=3D2>'sa' account and NO PASSWORD) =
I was able=20
to delete the databases (denial of</FONT> <BR><FONT size=3D2>service, =
product=20
becomes unusable) and modify the data (customer certificates,</FONT> =
<BR><FONT=20
size=3D2>configuration of the product, logs, etc.).</FONT> </P>
<P><FONT size=3D2>Tumbeweed refuses to acknowledge this vulnerability, =
which=20
caused major outrage</FONT> <BR><FONT size=3D2>among my =
customers. =20
Therefore, I have no choice but to go public about this</FONT> =
<BR><FONT=20
size=3D2>vulnerability.</FONT> </P>
<P><FONT size=3D2>Please feel free to contact me with ANY questions =
regarding this=20
issue, although</FONT> <BR><FONT size=3D2>I would like to remain =
anonymous.</FONT>=20
</P>
<P><FONT size=3D2>Thank you very much.</FONT> </P>
<P><FONT=20
size=3D2>------------------------------------------------------------</F=
ONT>=20
<BR><FONT size=3D2>Hey you! Claim your FREE anonymous email =
account:</FONT>=20
<BR><FONT size=3D2>Click Here -> <A href=3D"http://www.anonymous.to" =
target=3D_blank>http://www.anonymous.to</A></FONT> </P>
<P><FONT color=3D#000000 face=3DArial =
size=3D2></FONT></P></BODY></HTML>
------_=_NextPart_001_01C0077B.E9FC5958--
------_=_NextPart_000_01C0077B.E9FC5958
Content-Type: application/octet-stream;
name="Ingo Wupper.vcf"
Content-Disposition: attachment;
filename="Ingo Wupper.vcf"
Content-Transfer-Encoding: 7bit
------_=_NextPart_000_01C0077B.E9FC5958
Content-Type: application/octet-stream;
name="Ingo Wupper.vcf"
Content-Disposition: attachment;
filename="Ingo Wupper.vcf"
Content-Transfer-Encoding: 7bit
------_=_NextPart_000_01C0077B.E9FC5958--
