Bugtraq mailing list archives
Re: MS-SQL 'sa' user exploit code
From: Jon Keeter <jonkeeter () YAHOO COM>
Date: Sun, 20 Aug 2000 08:54:52 -0700
Not defending Microsoft, but a lot of Oracle databases I see also still have the default SYSTEM and SYS passwords, namely 'manager', and 'change_on_install'.

Also, Oracle password files are rarely used, usually because they aren't set up on the initial install, and if OS Authentication is used, compromise of the user 'oracle' account or 'dba' group, leads to the ability to use the svrmgrl command to connect to the database with the "connect internal" command and no password.

In addition, a lot of batch programs, especially commercial job scheduling systems that run PL/SQL packages or just connect to Oracle, use sqlplus and the username/password connect string on the command line, easily viewable by anybody with an account on the machine while the process is running.

--- Neil Pike <NeilPike () COMPUSERVE COM> wrote:
This is "fixed" in SQL 2000, where the default is NT integrated security and you have to manually override this and confirm you want a "standard" login, and confirm again if you want it to have a blank password... But anyone who leaves the default in SQL 7 or below deserves all they get!

> It has come to light that it is now common knowledge that MS-SQL has a blank 'sa' password by default. This seems to affect a _lot_ of servers on the internet.

Neil Pike MVP/MCSE
Protech Computing Ltd
=====
- Jon Keeter
Sr. UNIX Consultant
Lighthouse Computer Services, Inc
888-542-8030 x123
PGP ID: 0x0D3723CD
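
A defender's check for the command-line exposure described in the message above, as an added example that is not part of the original post: it flags running sqlplus/svrmgrl processes whose arguments carry a username/password connect string, and notes when the password is one of the defaults the message names. The function names, the regular expression and the sample command line are assumptions made for illustration; the scan assumes a Linux-style /proc.

```python
import re
from pathlib import Path

# Oracle client tools and default passwords named in the message above.
CLIENTS = {"sqlplus", "svrmgrl"}
DEFAULT_PASSWORDS = {"manager", "change_on_install"}

# user/password[@connect_identifier]; "/", "/nolog" and "@script.sql" do not match.
# Heuristic: a script parameter shaped like "a/b" would also match.
CRED = re.compile(r"^(?P<user>[^/@\s]+)/(?P<pw>[^@\s]+)(?:@(?P<db>\S+))?$")


def audit_argv(pid, argv):
    """Return a finding if argv is an Oracle client started with a password
    on its command line, else None. The password itself is never returned."""
    if not argv or Path(argv[0]).name.lower() not in CLIENTS:
        return None
    for arg in argv[1:]:
        m = CRED.match(arg)
        if m:
            return {
                "pid": pid,
                "tool": Path(argv[0]).name.lower(),
                "user": m["user"],
                "db": m["db"],
                "default_password": m["pw"].lower() in DEFAULT_PASSWORDS,
            }
    return None


def scan_proc(proc_root="/proc"):
    """Audit every process visible under a Linux-style /proc."""
    findings = []
    for entry in Path(proc_root).glob("[0-9]*"):
        try:
            raw = (entry / "cmdline").read_bytes()
        except OSError:  # process exited or is not readable
            continue
        argv = [a.decode(errors="replace") for a in raw.split(b"\0") if a]
        finding = audit_argv(int(entry.name), argv)
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    # Constructed sample command line, then the live process table.
    sample = ["/u01/app/oracle/bin/sqlplus", "-s", "system/manager@PROD", "@nightly.sql"]
    print(audit_argv(4242, sample))
    for f in scan_proc():
        print(f)
```

Findings identify the process, account and target database so the job can be moved to OS authentication or a protected credential source; the password is deliberately left out of the output.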
Current thread:
- MS-SQL 'sa' user exploit code herbless (Aug 15)
- <Possible follow-ups>
- Re: MS-SQL 'sa' user exploit code Neil Pike (Aug 17)
- Re: MS-SQL 'sa' user exploit code Microsoft Security Response Center (Aug 18)
- Re: MS-SQL 'sa' user exploit code Jon Keeter (Aug 21)
- Re: MS-SQL 'sa' user exploit code Domas Mituzas (Aug 23)