Bugtraq mailing list archives

Re: MSDE / Re: Default Password Database


From: secure () MICROSOFT COM (Microsoft Security Response Center)
Date: Tue, 11 Jul 2000 15:30:38 -0700


-----BEGIN PGP SIGNED MESSAGE-----

Hello Eric,

MSDE and SQL Server can be thought of as the same for the purposes of
our security patches.  In some of the security bulletins we
specifically mention MSDE (MS00-014), in others we have not included
it.

We've fixed the sa blank login configuration by default in SQL Server
2000.  However, the only way MSDE could have admin rights to the
machine is if the person who installs it (or scripts the install)
chose to select to run the services as LocalSystem, and chose to run
in "mixed" security mode instead of Windows NT Integrated.

If you have other specific questions please feel free to email us.

Regards,
Secure () Microsoft com
- -----Original Message-----
From: Eric Monti [mailto:ericm () DENMAC COM]
Sent: Monday, July 10, 2000 1:08 PM
To: BUGTRAQ () SECURITYFOCUS COM
Subject: MSDE / Re: Default Password Database

An addition for your excellent database, Eric -- and something for
the other folks on bugtraq to chew on:

Microsoft Data Engine (A toned down version of MS SQL server)
installs with a blank password for 'sa'. Since the 'MSDE' listens on
the standard MSSQL 1433/tcp SQL port, you can log in remotely with
this. It also works with named pipes on NT but not on Win9x.

This MSDE is now distributed as part of Office 2000 (for Access 2000)
and in 'redistributable' form as msdex86.exe for use in 3rd party
applications.

MSDE is incorporated in several MS and 3rd party packages. Some that
I know of include Visio 2000, Visual Studio 6.0, and well.. Access
2000. I know of at least one 3rd party application -- a "security"
product that I cannot name (sorry...) -- that also uses it. There
probably are others.

All of the applications I/my colleague have tested with it have had
tcp/1433 (ms-sql port) listening while the engine is running (in some
cases, always) and have been subject to the default login hole. After
logging in remotely, a simple "xp_cmdshell" extended stored procedure
call (yes it is included) yields access to the underlying NT server
in seconds (as SYSTEM if I recall). Xp_cmdshell was not tested with
Win9x.

Also, we've noticed that many of the recent MS-SQL
holes/advisories/fixes that have been coming out recently have made
no mention of MSDE and to my knowledge the fixes have not been
incorporated into it by MS.

A bit more info on MSDE is available at (mostly "feature-fluff"):
http://www.microsoft.com/technet/office/trmsde1.asp
http://www.devx.com/upload/free/features/vbpj/1999/10oct99/rd1099/rd1099.asp

None of the documentation I've read has made any mention of the
default password or need to change it, although ironically the first
link above gives a warning in the form of a code example that uses:
"Server=cabxli;Uid=SA;Pwd=;"

If anyone knows of other applications that use the MSDE, we'd be
interested in finding out what they are to try working around the
default password issue if possible when running across them, and
avoid them if not.

Much credit goes to my colleague Alex Nikonchuk for identifying and
researching this.

Eric Monti
Denmac Systems
ericm () denmac com | monti () ushost com

-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Privacy 6.5.3

-----END PGP SIGNATURE-----
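
An audit check for the connection-string pattern quoted in the message above ("Server=cabxli;Uid=SA;Pwd=;"), added here as an example and not part of either post. It flags quoted connection strings in source or config text that log in as sa with an empty or missing password and do not request Windows integrated authentication; the key aliases, the simple `;` splitting, and the sample lines other than the first are assumptions constructed for illustration.

```python
import re

# Common key aliases in ODBC / OLE DB / ADO connection strings (assumed set).
USER_KEYS = ("uid", "user id", "user")
PASS_KEYS = ("pwd", "password")
TRUSTED_KEYS = ("trusted_connection", "integrated security")
TRUSTED_VALUES = {"yes", "true", "sspi"}

def parse_conn_string(s):
    """Split 'k=v;k=v' into a dict with lower-cased keys.
    Simplification: values containing ';' inside braces are not handled."""
    kv = {}
    for part in s.split(";"):
        key, sep, val = part.partition("=")
        if sep:
            kv[key.strip().lower()] = val.strip().strip("{}'\"")
    return kv

def blank_sa_login(conn):
    """True if the string uses a SQL login as 'sa' with a blank/missing password."""
    kv = parse_conn_string(conn)
    # With integrated (Windows NT) authentication the SQL login fields are unused.
    if any(kv.get(k, "").lower() in TRUSTED_VALUES for k in TRUSTED_KEYS):
        return False
    user = next((kv[k] for k in USER_KEYS if k in kv), None)
    if user is None or user.lower() != "sa":
        return False
    password = next((kv[k] for k in PASS_KEYS if k in kv), "")
    return password == ""

def find_blank_sa(text):
    """Return (line_number, connection_string) for each flagged quoted string."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for cand in re.findall(r'"([^"]*)"', line):
            looks_like_conn = re.search(r"(?i)\b(server|data source)\s*=", cand)
            if looks_like_conn and blank_sa_login(cand):
                hits.append((lineno, cand))
    return hits

# Constructed sample: line 1 is the string quoted in the post, the rest are made up.
SAMPLE = '''\
conn.Open "Server=cabxli;Uid=SA;Pwd=;"
dsn = "Provider=SQLOLEDB;Data Source=db2;User ID=sa;Password=;"
dsn = "Server=db1;Uid=sa;Pwd=S3cret!;"
dsn = "Server=db1;Trusted_Connection=yes;"
dsn = "Server=db3;Uid=sa"
'''

if __name__ == "__main__":
    for lineno, conn in find_blank_sa(SAMPLE):
        print(f"line {lineno}: blank sa password in {conn!r}")
```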
