Bugtraq mailing list archives
Re: MSDE / Re: Default Password Database
From: secure () MICROSOFT COM (Microsoft Security Response Center)
Date: Tue, 11 Jul 2000 15:30:38 -0700
-----BEGIN PGP SIGNED MESSAGE----- Hello Eric, MSDE and SQL Server can be thought of as the same for the purposes of our security patches. In some of the security bulletins we specifically mention MSDE (MS00-014), in others we have not included it. We've fixed the sa blank login configuration by default in SQL Server 2000. However, the only way MSDE could have admin rights to the machine is if the person who installs it (or scripts the install) chose to select to run the services as LocalSystem, and chose to run in "mixed" security mode instead of Windows NT Integrated. If you have other specific questions please feel free to email us. Regards, Secure () Microsoft com - -----Original Message----- From: Eric Monti [mailto:ericm () DENMAC COM] Sent: Monday, July 10, 2000 1:08 PM To: BUGTRAQ () SECURITYFOCUS COM Subject: MSDE / Re: Default Password Database An addition for your excellent database, Eric -- and something for the other folks on bugtraq to chew on: Microsoft Data Engine (A toned down version of MS SQL server) installs with a blank password for 'sa'. Since the 'MSDE' listens on the standard MSSQL 1433/tcp SQL port, you can log in remotely with this. It also works with named pipes on NT but not on Win9x. This MSDE is now distributed as part of Office 2000 (for Access 2000) and in 'redistributable' form as msdex86.exe for use in 3rd party applications. MSDE is incorporated in several MS and 3rd party packages. Some that I know of include Visio 2000, Visual Studio 6.0, and well.. Access 2000. I know of at least one 3rd party application -- a "security" product that I cannot name (sorry...)-- that also uses it. There probably are others. All of the applications I/my colleague have tested with it have had tcp/1433 (ms-sql port) listening while the engine is running (in some cases, always) and have been subject to the default login hole. After logging in remotely, a simple "xp_cmdshell" extended stored procedure call (yes it is included) yields access to the underlying NT server in seconds (as SYSTEM if I recall). Xp_cmdshell was not tested with Win9x. Also, we've noticed that many of the recent MS-SQL holes/advisories/fixes that have been coming out recently have made no mention of MSDE and to my knowledge the fixes have not been incorporated into it by MS. A bit more info on MSDE is available at (mostly "feature-fluff"): http://www.microsoft.com/technet/office/trmsde1.asp http://www.devx.com/upload/free/features/vbpj/1999/10oct99/rd1099/rd10 99 .asp None of the documentation I've read have made any mention of the default password or need to change it, although ironically the first link above gives a warning in the form of a code example that uses: "Server=cabxli;Uid=SA;Pwd=;" If anyone knows of other applications that use the MSDE, we'd be interested in finding out what they are to try working around the default password issue if possible when running across them, and avoid them if not. Much credit goes to my colleague Alex Nikonchuk for identifying and researching this. Eric Monti Denmac Systems ericm () denmac com | monti () ushost com -----BEGIN PGP SIGNATURE----- Version: PGP Personal Privacy 6.5.3 iQEVAwUBOWugDY0ZSRQxA/UrAQENVwf+JUNV1XAnrJABBwLcYIqfud+4vvzgIBRf NngCoXjGIA6ALSXB0JjTeHS0EL13cBmUs5w2u1dQPxkUyMAvFUXdC8FEiPbOrPnw YmgHDnWhAHzf8Jgu9EUi8FZguh6hq5xDRN+a2ubcL3/rzsMaDgONGHVsMoTnWaq3 yhf6fMBy4EU9jQJjStkOtYkqeELhUwI5FjTrex/WwT2Q6EKMTsgx5Zt/BlNS8m/r vg5ut6BfAWpmD8s1Gtwhp3xitNVBPv7WHziBEE1MA1fYbvIJhAs3H9Vt8N4jD4uE Z1wLowBtrytKWYUt7/Ju8BdS9NzggYhc0xeA0va6BfOKcDqmbJtA3Q== =UEDP -----END PGP SIGNATURE----- <HR NOSHADE> <UL> <LI>application/x-pkcs7-signature attachment: smime.p7s </UL>
Current thread:
- MSDE / Re: Default Password Database Eric Monti (Jul 10)
- <Possible follow-ups>
- Re: MSDE / Re: Default Password Database Microsoft Security Response Center (Jul 11)