Bugtraq mailing list archives

Re: MS-SQL 'sa' user exploit code


From: Microsoft Security Response Center <secure () MICROSOFT COM>
Date: Thu, 17 Aug 2000 17:11:36 -0700

-----BEGIN PGP SIGNED MESSAGE-----

Microsoft is committed to protecting customers' information and,
having investigated the issue, would like to address the recent SQL
Server thread.

Code previously posted to Bugtraq demonstrates the level of access
that an unauthenticated user could obtain should they locate an
Internet connected SQL Server configured to operate using Mixed Mode
Authentication with a blank sa password. The code does not exploit a
vulnerability. Rather, it uses the normal SQL authentication process
to gain access to the machine, for cases in which the password is a
known value -- namely, blank.

SQL Server 7.0 and earlier may be configured to run with Mixed Mode
Authentication. An sa account is created, having full rights to the
SQL environment. Users must manually configure a strong password for
this account.

Following any or all of the below best practices would negate the
impact of the posted blank sa password checking tool.

        1) Microsoft recommended best practices dictate running SQL Servers
with Integrated Authentication (utilizing NT credentials) rather than
Mixed Mode Authentication. To determine which mode your SQL Server is
using, open SQL Enterprise Manager, select Server Properties for the
server in question, and review the information on the Security tab.
Details about running in Integrated Mode can be found in the
following whitepaper:
http://www.microsoft.com/technet/SQL/Technote/secure.asp

        2) If you must run in Mixed Mode, assign a complex password to the
sa account. Passwords should be selected and managed in accordance
with your company's password composition and maintenance policy.
Blank passwords may be changed from the SQL query window with the
following syntax:
        
                exec sp_password null, 'complexpwd', sa

        3) Block inbound traffic to the SQL port (tcp 1433) at your Internet
connected border devices (routers/firewalls). Best practices dictate
that all traffic should be blocked at your Internet connected border
devices and that only protocols that support your security policy be
allowed through. NOTE: tcp 1433 is the default port for SQL
communication, however, this value may be modified by the SQL Server
administrator. If the SQL port cannot be blocked on the border
devices, utilize IPSec filters (Win2K) or Advanced IP Security
filters (NT4) to block connections, originating from the Internet,
destined for the SQL Server.

SQL Server 2000 uses Integrated Authentication by default. Users
requiring Mixed Mode authentication are prompted to supply a
non-blank sa password during the installation process.

Regards,

Secure () Microsoft com

-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Privacy 6.5.3

iQEVAwUBOZx/OY0ZSRQxA/UrAQExowgAit3NQgds4EDQV5M+14MVoi48roD88tau
TP1A8ZBbqOQlD9KQYXR12DUugW3NXsLYfdudnsx8wY70wp3eUf4c5kQMCHhcENXH
6neffRX/oK5ir1nAcx08ZlMS2Q9Sb2T7d3mLrJvpCMNKEnlHCyGXNVQW+VWX01P+
BGxHW5UEHpyNmV1yuLk5fFEEFqcsReg3eGUvT18V91AZ1ySVwS9MrFjLntrJ0uHF
5+hzvjN1HdB++0OIcBirDO3yHpG/J1baBCJYFCSuXIsTCHJ7JXlnakKHRBMeS/SQ
J/Yoj/YG8wOGJRqYI3mvGHgNq01S+7vdkYoHO5jiCQn+MTyACFJBaA==
=mIn/
-----END PGP SIGNATURE-----
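The following T-SQL script is an added example, not part of the Microsoft message above, that carries out items 1 and 2 of the recommended practices from a SQL Server query window: it reports the authentication mode, lists standard SQL logins that still have no password, and sets a non-blank sa password. It assumes a SQL Server 7.0 or 2000 instance, a connection with sysadmin rights, and the catalog objects named in the comments (master..syslogins, xp_loginconfig, sp_password) as they existed in those versions; the password string is a placeholder to be replaced under your own policy.

```sql
-- Added example (not Microsoft's code): check-and-fix for a blank sa password
-- on SQL Server 7.0 / 2000. Run as sysadmin from a query window.
USE master
GO

-- 1) Which authentication mode is the server running?
--    config_value comes back as 'Mixed' or 'Windows NT Integrated'.
--    If it is 'Windows NT Integrated', the sa password is never consulted
--    and the posted blank-sa checker cannot log in.
EXEC master..xp_loginconfig 'login mode'
GO

-- 2) List standard (non-NT) SQL logins whose password is blank.
--    In 7.0/2000 a NULL password column in syslogins means no password
--    has ever been set for that login. Assumes the syslogins view
--    carries the password and isntname columns, as it did in those versions.
SELECT name AS login_with_blank_password
FROM master..syslogins
WHERE password IS NULL
  AND isntname = 0
GO

-- 3) Assign a non-blank sa password. The first argument is the old
--    password (NULL when it is currently blank); the third is the login.
--    The placeholder below is an assumption: replace it with a password
--    chosen under your company's composition and maintenance policy.
EXEC sp_password NULL, 'Replace-This-Placeholder-Password', 'sa'
GO

-- 4) Re-run the check: sa should no longer be listed.
SELECT name AS login_with_blank_password
FROM master..syslogins
WHERE name = 'sa'
  AND password IS NULL
GO
```

Step 2 is the server-side equivalent of what the posted tool checks from the outside; running it on each instance before the border filtering in item 3 is in place tells you which servers were exposed. Item 3 (blocking tcp 1433, or the administrator-chosen port, at routers, firewalls or IPSec filters) is done outside SQL Server and is not covered by this script.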

