[16273] in bugtraq


Re: Tumbleweed Worldsecure (MMS) BLANK '

daemon@ATHENA.MIT.EDU (Neil Pike)
Fri Aug 18 01:07:26 2000

Mime-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Disposition: inline
Message-Id:  <200008161749_MC2-AFFC-F214@compuserve.com>
Date:         Wed, 16 Aug 2000 17:48:52 -0400
Reply-To: Neil Pike <NeilPike@COMPUSERVE.COM>
From: Neil Pike <NeilPike@COMPUSERVE.COM>
X-To:         Russ <Russ.Cooper@RC.ON.CA>
To: BUGTRAQ@SECURITYFOCUS.COM
Content-Transfer-Encoding: 8bit

Russ,

 By default SQL 7 goes into "mixed mode".  This means it accepts NT auth or
non-NT auth.  If you use a non-NT auto-authed net-lib protocol and don't
demand a "trusted" connection - e.g. use the tcp-ip sockets net-lib - then
you can get in as "sa" and no password.
 
 MSDE is just the "cut-down" run-time engine of SQL Server and so has the
same issue.
 
 The "issue" can be resolved by correct manual setup or correct setting of
the unattend .iss file for MSDE by the vendors.

 The install wasn't botched by the user as the Tumbleweed vendors install
MSDE automatically/silently and give you no chance to change the install
type/password.  In fact their docs hardly mention the fact that they're
installing it, let alone saying anything about install options, changing
the password etc.
 
> The part that confuses me about this Tumbleweed vulnerability, and the part
> I asked "__nt__@ANONYMOUS.TO" (who originally posted this message) and never
> got answered, was that SQL 7.0 by default assumes you will be using NTLM for
> SQL Authentication. As such, no SA account is to be used. When configured
> like this the client performs the normal c/r with the SQL box and, if
> authenticated, is allowed access.
> 
> Does the stripped down version of SQL 7.0 that Tumbleweed implemented use
> the same authentication basis? Was the installation performed by
> "__nt__@ANONYMOUS.TO" botched by telling it to use normal SA authentication
> instead?
> 
> Cheers,
> Russ - NTBugtraq Editor
>

 Neil Pike MVP/MCSE
 Protech Computing Ltd
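The audit an administrator would run against a SQL 7 / MSDE instance to confirm the condition Neil describes (mixed-mode login plus an sa login with no password) and to close it, as an added example that is not part of this post or of Tumbleweed's product. It assumes that xp_loginconfig 'login mode' reports 'Mixed' when non-NT logins are accepted and that master..syslogins stores a blank password as NULL; the replacement password is a placeholder to be substituted.

```sql
-- Added audit example; not from the original post or the Tumbleweed installer.
-- Run in Query Analyzer or osql against the SQL 7 / MSDE instance you administer.
-- Assumptions: xp_loginconfig 'login mode' returns 'Mixed' when SQL Server logins
-- are accepted alongside NT authentication, and master..syslogins holds NULL in
-- the password column for a login that was created without one.

-- 1. Which login mode is the engine running in?
EXEC master..xp_loginconfig 'login mode'
-- config_value = 'Mixed' means sa (a non-NT login) is usable over any net-lib,
-- including TCP/IP sockets, without a trusted connection.

-- 2. Does sa have no password at all?
SELECT name, password
FROM   master..syslogins
WHERE  name = 'sa'
-- A NULL password column here is the state a silent MSDE install leaves behind.

-- 3. Remediation: set a real password on sa (old password is NULL for a blank one;
--    'REPLACE-WITH-STRONG-PASSWORD' is a placeholder, not a suggested value).
EXEC sp_password NULL, 'REPLACE-WITH-STRONG-PASSWORD', 'sa'

-- 4. Re-check: the row should now show a non-NULL password value.
SELECT name, password
FROM   master..syslogins
WHERE  name = 'sa'
```

Switching the login mode itself from Mixed to NT-only is done through the server's security properties rather than from a query, and the same two checks are the ones to repeat after any vendor package that ships MSDE has been installed, since the installer may not expose the password or mode at all.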
