Bugtraq mailing list archives
Re: KSR[T] Advisory #10: mSQL ServerStats
From: dhg () KSRT ORG (Dave G.)
Date: Mon, 15 Feb 1999 16:37:31 -0500
On Mon, 15 Feb 1999, John W. Temples wrote:
> On Mon, 15 Feb 1999, Dave G. wrote:
> > Compromise: If host based access control is disabled, a remote attacker can use the user names listed in the connection table to access databases. If host based access control is enabled, a remote attacker could launch a more complex attack (like DNS cache poisoning) to access mSQL databases.
>
> This is hardly news; mSQL's access control is extremely weak. ServerStats probably makes it easier to get into an mSQL database, but if remote access is enabled, you simply need to know an authorized username (say, "root") to log into the database -- there are no passwords.
I disagree. This is news :-) There is no probably about this. If you can issue a ServerStats request on an mSQL server that is in use, you _will_ find all of the authentication credentials necessary to access mSQL databases. Your post basically pointed out that if you have the authentication credentials or can guess them, you can access mSQL databases. Ours states that you _can_ get them right from the server.

Your post (http://geek-girl.com/bugtraq/1997_3/0460.html) discusses three things:
1) Default configuration is insecure
2) User based authentication is insufficient (especially on multi-user machines)
3) Host based authentication does one way DNS lookups based on IP address, which is trivial to bypass.
> And you don't even need a username to perform DoS attacks, since mSQL is a single-threaded server -- just telnet to mSQL's port and sit there. As far as I can see, the only thing that's changed since I posted about this in September, 1997, is that remote access is now disabled by default.
The advisory never states you need a user name for a denial of service attack. And while it does show that other pieces of information could be used to assist in a DOS attack, they aren't necessary to launch one.

Dave G. <daveg () ksrt org>
http://www.ksrt.org
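The one-way DNS lookup weakness in host based authentication mentioned in the message above can be closed with a forward-confirmed reverse lookup. This is an added example, not part of the original thread and not mSQL code; the host names, addresses and function names are constructed for illustration.

```python
import socket

# Constructed DNS data using documentation address ranges (not from the thread).
PTR = {  # reverse zone: whoever owns an IP block controls its PTR record
    "192.0.2.10": "db-client.example.com",
    "203.0.113.7": "db-client.example.com.",  # PTR in a foreign block claiming the trusted name
}
A = {"db-client.example.com": ["192.0.2.10"]}  # forward zone, controlled by the name's owner
ALLOWED = {"db-client.example.com"}            # hypothetical host allow list

def norm(name):
    """Canonical form for comparing host names."""
    return name.lower().rstrip(".")

def table_ptr(ip):
    return PTR.get(ip)

def table_addrs(name):
    return A.get(norm(name), [])

def system_ptr(ip):
    """Reverse lookup through the system resolver, for use on a live host."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None

def system_addrs(name):
    """Forward lookup through the system resolver, for use on a live host."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []

def client_name(ip, ptr_lookup, addr_lookup, confirm=True):
    """Name to use for access control, or None if it cannot be trusted."""
    name = ptr_lookup(ip)
    if name is None:
        return None
    # Forward confirmation: the claimed name must resolve back to the peer IP.
    if confirm and ip not in addr_lookup(name):
        return None
    return norm(name)

def host_allowed(ip, allowed=ALLOWED, ptr_lookup=table_ptr,
                 addr_lookup=table_addrs, confirm=True):
    name = client_name(ip, ptr_lookup, addr_lookup, confirm)
    return name is not None and name in allowed

if __name__ == "__main__":
    for ip in PTR:
        print(ip, "one-way:", host_allowed(ip, confirm=False),
              "confirmed:", host_allowed(ip))
```

On a live host, pass `system_ptr` and `system_addrs` as the lookup functions instead of the table-backed ones.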