Bugtraq mailing list archives
Re: MS-SQL 'sa' user exploit code
From: Microsoft Security Response Center <secure () MICROSOFT COM>
Date: Thu, 17 Aug 2000 17:11:36 -0700
-----BEGIN PGP SIGNED MESSAGE-----

Microsoft is committed to protecting customers' information and, having investigated the issue, would like to address the recent SQL Server thread.

Code previously posted to Bugtraq demonstrates the level of access that an unauthenticated user could obtain should they locate an Internet-connected SQL Server configured to operate using Mixed Mode Authentication with a blank sa password. The code does not exploit a vulnerability. Rather, it uses the normal SQL authentication process to gain access to the machine, for cases in which the password is a known value -- namely, blank.

SQL Server 7.0 and earlier may be configured to run with Mixed Mode Authentication. An sa account is created, having full rights to the SQL environment. Users must manually configure a strong password for this account. Following any or all of the below best practices would negate the impact of the posted blank sa password checking tool.

1) Microsoft recommended best practices dictate running SQL Servers with Integrated Authentication (utilizing NT credentials) rather than Mixed Mode Authentication. To determine which mode your SQL Server is using, open SQL Enterprise Manager, select Server Properties for the server in question, and review the information on the Security tab. Details about running in Integrated Mode can be found in the following whitepaper:
http://www.microsoft.com/technet/SQL/Technote/secure.asp

2) If you must run in Mixed Mode, assign a complex password to the sa account. Passwords should be selected and managed in accordance with your company's password composition and maintenance policy. Blank passwords may be changed from the SQL query window with the following syntax:

exec sp_password null, 'complexpwd', sa

3) Block inbound traffic to the SQL port (tcp 1433) at your Internet-connected border devices (routers/firewalls). Best practices dictate that all traffic should be blocked at your Internet-connected border devices and that only protocols that support your security policy be allowed through.

NOTE: tcp 1433 is the default port for SQL communication; however, this value may be modified by the SQL Server administrator. If the SQL port cannot be blocked on the border devices, utilize IPSec filters (Win2K) or Advanced IP Security filters (NT4) to block connections, originating from the Internet, destined for the SQL Server.

SQL Server 2000 uses Integrated Authentication by default. Users requiring Mixed Mode authentication are prompted to supply a non-blank sa password during the installation process.

Regards,
Secure () Microsoft com

-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Privacy 6.5.3

iQEVAwUBOZx/OY0ZSRQxA/UrAQExowgAit3NQgds4EDQV5M+14MVoi48roD88tau
TP1A8ZBbqOQlD9KQYXR12DUugW3NXsLYfdudnsx8wY70wp3eUf4c5kQMCHhcENXH
6neffRX/oK5ir1nAcx08ZlMS2Q9Sb2T7d3mLrJvpCMNKEnlHCyGXNVQW+VWX01P+
BGxHW5UEHpyNmV1yuLk5fFEEFqcsReg3eGUvT18V91AZ1ySVwS9MrFjLntrJ0uHF
5+hzvjN1HdB++0OIcBirDO3yHpG/J1baBCJYFCSuXIsTCHJ7JXlnakKHRBMeS/SQ
J/Yoj/YG8wOGJRqYI3mvGHgNq01S+7vdkYoHO5jiCQn+MTyACFJBaA==
=mIn/
-----END PGP SIGNATURE-----
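The checks and the remediation described in the message above, as an added T-SQL example that is not part of the Microsoft reply or of the posted tool. It assumes the catalog of that era (SQL Server 7.0/2000: master..syslogins with its password and isntname columns, xp_loginconfig, pwdcompare), that it is run from Query Analyzer as a sysadmin, and that the server is a SQL Server 2000 default instance for the registry read of the listening port; 'complexpwd' is a placeholder, exactly as in the message.

```sql
-- Added example, not from the Microsoft message: audit the three conditions
-- the reply calls out (auth mode, blank sa password, listening port) and apply
-- the password fix. Assumes SQL Server 7.0/2000 catalog objects.

-- 1) Authentication mode. 'Mixed' means SQL logins such as sa are usable over
--    the wire; 'Windows NT Integrated' means only NT credentials are accepted.
EXEC master..xp_loginconfig 'login mode'

-- 2) SQL (non-NT) logins whose password is blank. pwdcompare() hashes the
--    candidate and compares it to the stored hash, so a NULL hash and a
--    hashed empty string are both caught. sa should never appear here.
SELECT name
FROM master..syslogins
WHERE isntname = 0
  AND (password IS NULL OR pwdcompare('', password) = 1)

-- 3) Which TCP port the server actually listens on, since the message notes
--    1433 is only the default. Assumed registry path: SQL Server 2000 default
--    instance. Whatever this returns is the port the border filter must cover.
DECLARE @port varchar(16)
EXEC master..xp_regread
    'HKEY_LOCAL_MACHINE',
    'SOFTWARE\Microsoft\MSSQLServer\MSSQLServer\SuperSocketNetLib\Tcp',
    'TcpPort',
    @port OUTPUT
SELECT @port AS tcp_port

-- 4) Remediate a blank sa password with the same call the message gives
--    (old password NULL, new password, login name).
EXEC sp_password NULL, 'complexpwd', 'sa'

-- 5) Re-run check 2; the result set should now be empty for sa.
SELECT name
FROM master..syslogins
WHERE isntname = 0
  AND (password IS NULL OR pwdcompare('', password) = 1)
```

Run the audit queries before and after the password change so the empty result in step 5 is evidence the fix took, and note that step 1 can only be changed from Enterprise Manager (or by reinstall on SQL Server 2000), not by a query, which is why the message points at the Security tab rather than a stored procedure.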
Current thread:
- MS-SQL 'sa' user exploit code herbless (Aug 15)
- <Possible follow-ups>
- Re: MS-SQL 'sa' user exploit code Neil Pike (Aug 17)
- Re: MS-SQL 'sa' user exploit code Microsoft Security Response Center (Aug 18)
- Re: MS-SQL 'sa' user exploit code Jon Keeter (Aug 21)
- Re: MS-SQL 'sa' user exploit code Domas Mituzas (Aug 23)