[16323] in bugtraq


Re: MS-SQL 'sa' user exploit code

daemon@ATHENA.MIT.EDU (Jon Keeter)
Mon Aug 21 16:02:45 2000

Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Message-Id:  <20000820155453.20191.qmail@web4602.mail.yahoo.com>
Date:         Sun, 20 Aug 2000 08:54:52 -0700
Reply-To: keeter@lighthousecs.com
From: Jon Keeter <jonkeeter@YAHOO.COM>
X-To:         Neil Pike <NeilPike@COMPUSERVE.COM>
To: BUGTRAQ@SECURITYFOCUS.COM

Not defending Microsoft, but a lot of Oracle
databases I see also still have the default
SYSTEM and SYS passwords, namely 'manager', and
'change_on_install'.

Also, Oracle password files are rarely used,
usually because they aren't set up on the initial
install, and if OS Authentication is used,
compromise of the user 'oracle' account or 'dba'
group leads to the ability to use the svrmgrl
command to connect to the database with the
"connect internal" command and no password.

In addition, a lot of batch programs, especially
commercial job scheduling systems that run PL/SQL
packages or just connect to Oracle, use sqlplus
and the username/password connect string on the
command line, easily viewable by anybody with an
account on the machine while the process is
running.



--- Neil Pike <NeilPike@COMPUSERVE.COM> wrote:
>  This is "fixed" in SQL 2000, where the default is NT integrated security
> and you have to manually override this and confirm you want a "standard"
> login, and confirm again if you want it to have a blank password...
>
>  But anyone who leaves the default in SQL 7 or below deserves all they get!
>
> > It has come to light that it is now common knowledge that MS-SQL has a
> > blank 'sa' password by default. This seems to affect a _lot_ of servers
> > on the internet.
>
>  Neil Pike MVP/MCSE
>  Protech Computing Ltd
>
>


=====
-
Jon Keeter
Sr. UNIX Consultant
Lighthouse Computer Services, Inc
888-542-8030 x123
PGP ID: 0x0D3723CD
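As an added example (not part of the original post), a small shell audit that flags sqlplus processes carrying a user/password connect string on their command line, the exposure the third paragraph describes; the ps sample below is constructed, and on a live host the function would be fed the output of `ps -eo pid,user,args`.

```shell
#!/bin/sh
# Constructed sample of `ps -eo pid,user,args` output; not taken from a real host.
SAMPLE_PS='  PID USER     COMMAND
 1201 oracle   sqlplus system/manager@PROD @nightly_report.sql
 1202 batch    /u01/app/oracle/bin/sqlplus scott/tiger
 1203 oracle   sqlplus /nolog
 1204 oracle   sqlplus / as sysdba
 1205 root     /usr/sbin/cron'

# Report every sqlplus process whose arguments carry a user/password
# connect string.  Output: "<pid> <os user> <db user>/********" per finding;
# the password itself is masked so the report can be shared safely.
# Invocations using /nolog or "/ as sysdba" (OS authentication) are ignored.
find_cmdline_creds() {
    printf '%s\n' "$1" | awk '
        $3 ~ /(^|\/)sqlplus$/ {
            for (i = 4; i <= NF; i++) {
                # user/password or user/password@tns_alias
                if ($i ~ /^[A-Za-z0-9_]+\/[^@ ]+(@[^ ]+)?$/) {
                    split($i, parts, "/")
                    print $1, $2, parts[1] "/********"
                }
            }
        }'
}

# Number of findings, usable as a cron job exit status or in a test.
count_cmdline_creds() {
    find_cmdline_creds "$1" | wc -l | tr -d ' '
}

# Demo on the constructed sample; on a live host use:
#   find_cmdline_creds "$(ps -eo pid,user,args)"
find_cmdline_creds "$SAMPLE_PS"
```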

