Date: Thu Nov 17 16:54:00 2005
From: davefd at davewking.com (Dave King)
Subject: Database servers on XP and the curious flaw

You are most likely right that by default MSDE and 2005 Express are
secure by default.  I'm sorry for the misunderstanding, I thought I made
this clear when I said "if the configuration allows the guest account
access to the database", but I guess I should have added something about
that by default it's secure.  I'm sure this was my mistake because I've
received at least 3 emails that have pointed out that SQL Server is
secure by default.  Mostly my comment was in reference to "How many
people at home run a fully fledged RDBMS on their XP systems?".  I was
just trying to point out that more people than we may think _are_
running database servers on their system.

Laters,
Dave King


James Eaton-Lee wrote:

>On Wed, 2005-11-16 at 12:20 -0700, Dave King wrote:
>
>>While it still may not be "millions of people" several products come
>>bundled with the desktop edition of SQL Server 2000, and I'm sure many
>>will come with SQL Server 2005 Express.  As far as I can tell by reading
>>the paper (but not testing it myself) these are probably vulnerable as
>>well if the configuration allows the guest account access to the database.
>
>"Microsoft SQL Server 2000 - By default, Microsoft SQL Server 2000 is
>not vulnerable. Like Oracle, SQL Server authenticates the client using
>the NTLM SSPI AcceptSecurityContext() function and the user is logged on
>as Guest, however, as SQL Server requires that a specific user be
>granted access, the remote user can log in - by default SQL Server
>doesn't allow Guest access to the database server. If, for whatever
>reason, someone has granted either the Guest account or the built-in
>Guests group access to the SQL Server then a remote user without valid
>credentials will gain access."
>
>I may be wrong, but I'd assume that the way in which SQLDE authenticates
>is similar to MSSQL and therefore isn't affected by this... feel quite
>free to correct me, because I don't claim to be an expert on the DE
>version of SQL! :)
>
>This of course wouldn't be the case for databases bundled with insecure
>permissions (as vendors are apt to do), and that'd probably be what I'd
>worry about most in these situations.
>
> - James.
>
>>Dave King
>>http://www.thesecure.net
>>
>>>To be honest I don't think we're talking millions of people. How many
>>>people at home run a fully fledged RDBMS on their XP systems? Very few
>>>I'd guess. Besides, Simple File Sharing is documented so MS are
>>>educating those willing to seek information.
>>>
>>_______________________________________________
>>Full-Disclosure - We believe in it.
>>Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>Hosted and sponsored by Secunia - http://secunia.com/
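A defender's check for the condition the quoted paper describes (the Windows Guest account or the BUILTIN\Guests group having been granted SQL Server access). This is an added example, not from the thread or the paper; it assumes the SQL Server 2005 / 2005 Express catalog views (sys.server_principals, sys.database_principals, sys.database_permissions) and the undocumented sp_MSforeachdb procedure, so SQL Server 2000 and MSDE, which use the older syslogins/sysusers tables, need the equivalent queries against those.

```sql
-- Added audit query (not from the thread): list any server-level login for the
-- Windows Guest account or the BUILTIN\Guests group. A row here means a remote
-- NTLM connection that the OS maps to Guest would be accepted by SQL Server.
SELECT sp.name, sp.type_desc, sp.is_disabled, sp.create_date
FROM sys.server_principals AS sp
WHERE sp.type IN ('U', 'G')                 -- U = Windows login, G = Windows group
  AND (sp.name LIKE N'%\Guest' OR sp.name LIKE N'%\Guests');

-- Database level: the built-in 'guest' user exists in every database but is only
-- usable where CONNECT has been granted. It is granted by default in master, msdb
-- and tempdb, so rows for those three are expected; any user database is not.
-- sp_MSforeachdb is undocumented but ships with SQL Server 2005; '?' is the db name.
EXEC sp_MSforeachdb N'
USE [?];
SELECT DB_NAME() AS database_name, dp.name AS principal_name, p.state_desc
FROM sys.database_principals AS dp
JOIN sys.database_permissions AS p
  ON p.grantee_principal_id = dp.principal_id
WHERE dp.name = N''guest''
  AND p.permission_name = N''CONNECT''
  AND p.state = N''G'';';

-- Remediation for an unexpected row: drop the Windows login or group at the
-- server level, or revoke CONNECT from guest inside the affected user database.
-- DROP LOGIN [BUILTIN\Guests];
-- REVOKE CONNECT FROM guest;
```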
