Re: Tumbleweed Worldsecure (MMS) BLANK 'sa' account passwordvulnerability

[Mark Tinberg <mtinberg () securepipe com>]

I would strongly disagree, just putting something like this in the
documentation
is not enough, you must force a reasonable account password (hopefully
using
something like crack to make sure it isn't trivially breakable) at
install-time.
Anything less is just asking for trouble, not even the best
administrators
remember everything, everytime, let alone the schmoe who just clicks on
the installer
and thinks everything is going to be allright.  I don't know whether
access to
the sa account is really required for this piece of software but if not
then then
it should be set to a random password at install time, at least this
will stall/prevent
remote abuse.

Oh, and just because somebody else, even a high profile company like
Oracle,
makes this mistake too doesn't make it the right way to do things.

"A. Trent Foley" wrote:
> I'm not so sure I would call this a "vulnerability".  So long as the
> installation instructions have you change the password prior to putting the
> machine in to production, I wouldn't blame this on either Microsoft or
> Tumbleweed.  After all, even Oracle Enterprise (as well as all other
> Oracle's I've ever dealt with) gives the sys and system users well-known
> passwords at install time.  It is up to a competent administrator to change
> those passwords or else risk the inevitable.
>
> A. Trent Foley
>
> -----Original Message-----
> From: Bugtraq List [mailto:BUGTRAQ () SECURITYFOCUS COM]On Behalf Of NT
> HATER
> Sent: Thursday, August 10, 2000 11:37 AM
> To: BUGTRAQ () SECURITYFOCUS COM
> Subject: Tumbleweed Worldsecure (MMS) BLANK 'sa' account password
> vulnerability
>
> I've recently discovered the following vulnerability:
> Product: Tumbleweed Messaging Management System (MMS) (Formerly Worldtalk
> Worldsecure) http://www.tumbleweed.com/solutions/products/mms_products
> Version: 4.3 - 4.5 (all builds)
> Description: Product uses Microsoft's MSDE (Database engine) which is a
> stripped
> down version of the Microsoft SQL server 7.0.  During the setup stage, I was
> never asked for the 'sa' account password, which led me to think that
> application is either generating a random password every time it installs or
> the
> password is the same for all installations.  Well, after thurther research I
> discovered that the password is left BLANK !!!  This is a huge remotely
> exploitable vulnerability.  After I remotely connected to the database (with
> 'sa' account and NO PASSWORD) I was able to delete the databases (denial of
> service, product becomes unusable) and modify the data (customer
> certificates,
> configuration of the product, logs, etc.).
>
> Tumbeweed refuses to acknowledge this vulnerability, which caused major
> outrage
> among my customers.  Therefore, I have no choice but to go public about this
> vulnerability.
>
> Please feel free to contact me with ANY questions regarding this issue,
> although
> I would like to remain anonymous.
>
> Thank you very much.

--
Mark Tinberg <MTinberg () securepipe com>
Network Security Engineer, SecurePipe Communications LLC.
Remember:  Wherever you go, there you are!