Re: [Full-disclosure] Database servers on XP and the curious flaw
From: Dave King (davefd_at_davewking.com)
Date: Thu, 17 Nov 2005 09:53:40 -0700
To: firstname.lastname@example.org
You are most likely right that by default MSDE and 2005 Express are
secure by default. I'm sorry for the misunderstanding, I thought I made
this clear when I said "if the configuration allows the guest account
access to the database", but I guess I should have added something about
that by default it's secure. I'm sure this was my mistake because I've
received at least 3 emails that have pointed out that SQL Server is
secure by default. Mostly my comment was in reference to "How many
people at home run a fully fledged RDBMS on their XP systems?". I was
just trying to point out that more people than we may think _are_
running database servers on their system.
James Eaton-Lee wrote:
>On Wed, 2005-11-16 at 12:20 -0700, Dave King wrote:
>>While it still may not be "millions of people" several products come
>>bundled with the desktop edition of SQL Server 2000, and I'm sure many
>>will come with SQL Server 2005 Express. As far as I can tell by reading
>>the paper (but not testing it myself) these are probably vulnerable as
>>well if the configuration allows the guest account access to the database.
>"Microsoft SQL Server 2000 - By default, Microsoft SQL Server 2000 is
>not vulnerable. Like Oracle, SQL Server authenticates the client using
>the NTLM SSPI AcceptSecurityContext() function and the user is logged on
>as Guest, however, as SQL Server requires that a specific user be
>granted access, the remote user can log in – by default SQL Server
>doesn’t allow Guest access to the database server. If, for whatever
>reason, someone has granted either the Guest account or the built-in
>Guests group access to the SQL Server then a remote user without valid
>credentials will gain access."
>I may be wrong, but I'd assume that the way in which SQLDE authenticates
>is similar to MSSQL and therefore isn't affected by this... feel quite
>free to correct me, because I don't claim to be an expert on the DE
>version of SQL! :)
>This of course wouldn't be the case for databases bundled with insecure
>permissions (as vendors are apt to do), and that'd probably be what I'd
>worry about most in these situations.
> - James.
>>>To be honest I don't think we're talking millions of people. How many
>>>people at home run a fully fledged RDBMS on their XP systems? Very few
>>>I'd guess. Besides, Simple File Sharing is documented so MS are
>>>educating those willing to seek information.
>>Full-Disclosure - We believe in it.
>>Hosted and sponsored by Secunia - http://secunia.com/
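The condition both posters are circling, that an instance is only exposed if someone has granted the Windows Guest account or the built-in Guests group a SQL Server login, can be checked directly from the server catalog. The T-SQL below is an added example for this thread, not code from either poster or from the quoted paper; it assumes sysadmin rights on the instance and covers the two catalog layouts in play in 2005 (sys.server_principals on SQL Server 2005 / 2005 Express, master..syslogins on SQL Server 2000 / MSDE). The login names are written as the OS presents them (MACHINE\Guest, BUILTIN\Guests); the LIKE pattern is there because the local machine name is not known in advance.

```sql
-- Added audit query, not part of the original thread. Assumes sysadmin rights.
-- SQL Server 2005 / 2005 Express: Windows logins that would let a Guest-mapped
-- network logon reach the instance.
SELECT name, type_desc, is_disabled, create_date
FROM sys.server_principals
WHERE type IN ('U', 'G')              -- 'U' Windows user login, 'G' Windows group login
  AND (name LIKE '%\Guest' OR name = 'BUILTIN\Guests');

-- SQL Server 2000 / MSDE: the same question against the legacy catalog.
SELECT name, hasaccess, denylogin, isntname, isntgroup
FROM master..syslogins
WHERE isntname = 1                    -- Windows (NT) logins only
  AND (name LIKE '%\Guest' OR name = 'BUILTIN\Guests');

-- Interpretation: a row with is_disabled = 0 (2005) or hasaccess = 1 and
-- denylogin = 0 (2000) is exactly the "someone has granted the Guest account
-- or the built-in Guests group access" case the quoted paper describes.
-- No rows is the secure-by-default state the thread agrees on.

-- Remediation, SQL Server 2005:
-- DROP LOGIN [BUILTIN\Guests];
-- Remediation, SQL Server 2000 / MSDE:
-- EXEC sp_revokelogin 'BUILTIN\Guests';
```

Run this on each bundled instance rather than assuming vendor defaults; as James notes, a product that ships its own permissions is the case most likely to have added such a login.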