Re: [Full-disclosure] Database servers on XP and the curious flaw
You are most likely right that by default MSDE and 2005 Express are secure by default. I'm sorry for the misunderstanding, I thought I made this clear when I said "if the configuration allows the guest account access to the database", but I guess I should have added something about that by default it's secure. I'm sure this was my mistake because I've received at least 3 emails that have pointed this out that SQL server is secure by default.

Mostly my comment was in reference to "How many people at home run a fully fledged RDBMS on their XP systems?". I was just trying to point out that more people than we may think _are_ running database servers on their system.

Laters,
Dave King

James Eaton-Lee wrote:

>On Wed, 2005-11-16 at 12:20 -0700, Dave King wrote:
>
>>While it still may not be "millions of people" several products come
>>bundled with the desktop edition of SQL Server 2000, and I'm sure many
>>will come with SQL Server 2005 Express. As far as I can tell by reading
>>the paper (but not testing it myself) these are probably vulnerable as
>>well if the configuration allows the guest account access to the database.
>
>"Microsoft SQL Server 2000 - By default, Microsoft SQL Server 2000 is
>not vulnerable. Like Oracle, SQL Server authenticates the client using
>the NTLM SSPI AcceptSecurityContext() function and the user is logged on
>as Guest, however, as SQL Server requires that a specific user be
>granted access, the remote user can log in – by default SQL Server
>doesn’t allow Guest access to the database server. If, for whatever
>reason, someone has granted either the Guest account or the built-in
>Guests group access to the SQL Server then a remote user without valid
>credentials will gain access."
>
>I may be wrong, but I'd assume that the way in which SQLDE authenticates
>is similar to MSSQL and therefore isn't affected by this... feel quite
>free to correct me, because I don't claim to be an expert on the DE
>version of SQL! :)
>
>This of course wouldn't be the case for databases bundled with insecure
>permissions (as vendors are apt to do), and that'd probably be what I'd
>worry about most in these situations.
>
> - James.
>
>>Dave King
>>http://www.thesecure.net
>>
>>>To be honest I don't think we're talking millions of people. How many
>>>people at home run a fully fledged RDBMS on their XP systems? Very few
>>>I'd guess. Besides, Simple File Sharing is documented so MS are
>>>educating those willing to seek information.

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Database servers on XP and the curious flaw
On Wed, 2005-11-16 at 12:20 -0700, Dave King wrote:
> While it still may not be "millions of people" several products come
> bundled with the desktop edition of SQL Server 2000, and I'm sure many
> will come with SQL Server 2005 Express. As far as I can tell by reading
> the paper (but not testing it myself) these are probably vulnerable as
> well if the configuration allows the guest account access to the database.

"Microsoft SQL Server 2000 - By default, Microsoft SQL Server 2000 is not vulnerable. Like Oracle, SQL Server authenticates the client using the NTLM SSPI AcceptSecurityContext() function and the user is logged on as Guest, however, as SQL Server requires that a specific user be granted access, the remote user can log in – by default SQL Server doesn’t allow Guest access to the database server. If, for whatever reason, someone has granted either the Guest account or the built-in Guests group access to the SQL Server then a remote user without valid credentials will gain access."

I may be wrong, but I'd assume that the way in which SQLDE authenticates is similar to MSSQL and therefore isn't affected by this... feel quite free to correct me, because I don't claim to be an expert on the DE version of SQL! :)

This of course wouldn't be the case for databases bundled with insecure permissions (as vendors are apt to do), and that'd probably be what I'd worry about most in these situations.

 - James.

> Dave King
> http://www.thesecure.net
>
> > To be honest I don't think we're talking millions of people. How many
> > people at home run a fully fledged RDBMS on their XP systems? Very few
> > I'd guess. Besides, Simple File Sharing is documented so MS are
> > educating those willing to seek information.
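The condition the quoted paper excerpt describes, the Guest account or the built-in Guests group having been granted a login, can be checked on the server itself. The query below is an added example, not part of the thread or of the paper; it assumes the `master.dbo.syslogins` view of SQL Server 2000/MSDE (still present as a compatibility view in SQL Server 2005) and matches the principals by well-known SID rather than by name, so renamed or localised accounts are still found.

```sql
-- Added audit example (not from the thread or the paper).
-- Run as a sysadmin in Query Analyzer, osql or sqlcmd.
--
-- SID layout: revision (1 byte), sub-authority count (1 byte),
-- authority (6 bytes, big-endian), then 4-byte little-endian sub-authorities.
--   BUILTIN\Guests      = S-1-5-32-546        -> 0x01020000000000052000000022020000
--   <machine>\Guest     = S-1-5-21-x-y-z-501  -> 28 bytes, last 4 = 0xF5010000
-- These are Windows principals; the per-database user named "guest"
-- is a different object and is not what this query looks for.

SELECT  loginname,
        CASE WHEN sid = 0x01020000000000052000000022020000
             THEN 'built-in Guests group (S-1-5-32-546)'
             ELSE 'Guest account (RID 501)'
        END                                   AS matched_as,
        CASE WHEN denylogin = 1 THEN 'denied'
             WHEN hasaccess = 1 THEN 'EXPOSED'
             ELSE 'no access'
        END                                   AS verdict,
        sysadmin                              -- 1 = DBA-level rights
FROM    master.dbo.syslogins
WHERE   isntname = 1                          -- Windows logins only
  AND ( sid = 0x01020000000000052000000022020000
     OR (     DATALENGTH(sid) = 28
          AND SUBSTRING(sid, 1, 12) = 0x010500000000000515000000
          AND SUBSTRING(sid, 25, 4) = 0xF5010000 ) )
ORDER BY loginname;

-- Removing such a login, using the loginname value returned above:
--   SQL Server 2000 / MSDE:  EXEC sp_revokelogin 'BUILTIN\Guests'
--   SQL Server 2005:         DROP LOGIN [BUILTIN\Guests]
```

An empty result is the default state the thread describes; any row with verdict `EXPOSED` is the misconfiguration the excerpt warns about.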
Re: [Full-disclosure] Database servers on XP and the curious flaw
While it still may not be "millions of people" several products come bundled with the desktop edition of SQL Server 2000, and I'm sure many will come with SQL Server 2005 Express. As far as I can tell by reading the paper (but not testing it myself) these are probably vulnerable as well if the configuration allows the guest account access to the database.

Dave King
http://www.thesecure.net

> To be honest I don't think we're talking millions of people. How many
> people at home run a fully fledged RDBMS on their XP systems? Very few
> I'd guess. Besides, Simple File Sharing is documented so MS are
> educating those willing to seek information.
Re: [Full-disclosure] Database servers on XP and the curious flaw
James Tucker wrote:
> Long day?

It will be.

-Eliah
RE: [Full-disclosure] Database servers on XP and the curious flaw
Long day?

> -Original Message-
> From: Eliah Kagan [mailto:[EMAIL PROTECTED]
> Sent: 16 November 2005 18:45
> To: [EMAIL PROTECTED]
> Cc: bugtraq@securityfocus.com;
> full-disclosure@lists.grok.org.uk; [EMAIL PROTECTED]
> Subject: Re: [Full-disclosure] Database servers on XP and the
> curious flaw
>
> James Tucker wrote (off-list):
> > I think you mis-read the paper, this is NOT the fault of MS, whose
> > DBS is NOT vulnerable due to PROPER authentication design
> with the host OS.
>
> Yeah, you're right. What am I saying...?
>
> Forget everything I just said in this thread...
>
> I apologize to everybody who read what I said before.
>
> -Eliah
Re: [Full-disclosure] Database servers on XP and the curious flaw
James Tucker wrote (off-list):
> I think you mis-read the paper, this is NOT the fault of MS, whose DBS is
> NOT vulnerable due to PROPER authentication
> design with the host OS.

Yeah, you're right. What am I saying...?

Forget everything I just said in this thread...

I apologize to everybody who read what I said before.

-Eliah
Re: [Full-disclosure] Database servers on XP and the curious flaw
David Litchfield wrote:
> Hi Eliah,
>
> >David Litchfield wrote:
> >> Hey all,
> >> I've just put up a paper on a curious flaw that appears when running a
>
> >My intent is not to MS-bash here, but perhaps Microsoft is to blame
> >for not educating people about this issue. (If they had, your paper
> >would be superfluous.)
>
> >Usually if millions of users are insecure because they don't know
> >something, someone is to blame.
>
> To be honest I don't think we're talking millions of people. How many people
> at home run a fully fledged RDBMS on their XP systems? Very few I'd guess.
> Besides, Simple File Sharing is documented so MS are educating those willing
> to seek information.
>
> Cheers,
> David
> http://www.databasesecurity.com/
> http://www.ngssoftware.com/

If I use an insecurely configured database for anything critical, I am insecure. That's everybody at a company that runs such a server and has it configured insecurely, every customer of the company who has personal information stored in the server, etc. I think that amounts to millions.

However, it is true that by saying that, I made the problem look more widespread than it actually is, which is bad because it dilutes the power of the term, "millions of users," so that when the next UPnP or DCOM comes around, it will be more difficult to raise awareness about it. For this, I apologize.

What I should say is, "usually, if millions of people are at risk of having their information security compromised because a few people don't know something they should, someone is to blame."

The fault is certainly distributed, and it's not all on MS's shoulders. Come to think of it, if I (putting myself in the shoes of a clueless network administrator) am running a database server with simple file sharing enabled and not thinking about security, the fault is probably mine.

But whoever's fault it is, I hope your paper moves people who don't have their act together, to get it together.

-Eliah
Re: [Full-disclosure] Database servers on XP and the curious flaw
Hi Eliah,

>David Litchfield wrote:
>> Hey all,
>> I've just put up a paper on a curious flaw that appears when running a

>My intent is not to MS-bash here, but perhaps Microsoft is to blame
>for not educating people about this issue. (If they had, your paper
>would be superfluous.)

>Usually if millions of users are insecure because they don't know
>something, someone is to blame.

To be honest I don't think we're talking millions of people. How many people at home run a fully fledged RDBMS on their XP systems? Very few I'd guess. Besides, Simple File Sharing is documented so MS are educating those willing to seek information.

Cheers,
David
http://www.databasesecurity.com/
http://www.ngssoftware.com/
Re: [Full-disclosure] Database servers on XP and the curious flaw
David Litchfield wrote:
> Hey all,
> I've just put up a paper on a curious flaw that appears when running a
> database server on Windows XP with Simple File Sharing enabled. The flaw
> essentially allows a remote attacker to gain access to the database,
> sometimes with DBA privileges, without knowledge of a valid password. To be
> honest, no-one is really to blame; it's just one of those cases where you
> take two disparate mechanisms, shake them up, add a dash of lime and serve
> up. The paper can be found here
> http://www.databasesecurity.com/dbsec-papers.htm and is entitled "Database
> Servers on Windows XP and the Unintended Consequences of Simple File
> Sharing". It doubles-up as my entry for the "Longest Title" award.
> Cheers,
> David Litchfield
> http://www.databasesecurity.com/
> http://www.ngssoftware.com/

My intent is not to MS-bash here, but perhaps Microsoft is to blame for not educating people about this issue. (If they had, your paper would be superfluous.)

Usually if millions of users are insecure because they don't know something, someone is to blame.

-Eliah
[Full-disclosure] Database servers on XP and the curious flaw
Hey all,

I've just put up a paper on a curious flaw that appears when running a database server on Windows XP with Simple File Sharing enabled. The flaw essentially allows a remote attacker to gain access to the database, sometimes with DBA privileges, without knowledge of a valid password. To be honest, no-one is really to blame; it's just one of those cases where you take two disparate mechanisms, shake them up, add a dash of lime and serve up.

The paper can be found here http://www.databasesecurity.com/dbsec-papers.htm and is entitled "Database Servers on Windows XP and the Unintended Consequences of Simple File Sharing". It doubles-up as my entry for the "Longest Title" award.

Cheers,
David Litchfield
http://www.databasesecurity.com/
http://www.ngssoftware.com/