MSDE Advisory

From: Adrian Romo (ARomo@QUILOGY.COM)
Date: 05/23/02

Date:         Thu, 23 May 2002 08:17:18 -0500
From: Adrian Romo <ARomo@QUILOGY.COM>

Title: Insecure Microsoft Data Engine (MSDE) Could Lead
to Code
Date: 05 May 2002
Software: Microsoft Visio 2000 Enterprise
Visio Enterprise Networking Tools 1.0
Visual Studio 6.0
Office 2000/XP (running on a Windows 9x system)
Impact: Run code of attacker's choice
Max Risk: Critical
Visio Enterprise 2000 and VENT 1.0 use MSDE as a database server to
store information. Visual Studio, Office and other 3rd party software
can also use MSDE as a database server.
The MSDE installation option included with Visio 2000 Enterprise and
VENT 1.0 defaults to Mixed Authentication. Additionally, the default
username in these cases is 'sa' and the default password is blank.
Installing MSDE for Visual Studio 6.0 also uses the same defaults. The
version of MSDE available on Office 2000/XP media defaults to Windows
Integrated Security when installed on a Windows NT/2000/XP computer.
However, when this version of MSDE is installed on a Windows 9x/me
computer, it also defaults to 'sa' and a blank password. A malicious
user could execute the code of his choice on a system running MSDE with
'sa' and a blank password. Such code would execute using the security
context of the MSSQLSERVER service, which is LOCALSYSTEM in the case of
a default MSDE install.
I stumbled upon this vulnerability running SQLPoke on a LAN. Tools like
this and SQLPing can pinpoint effected systems. Once identified, a
malicious user could then use SQL Query Analyzer or osql to execute any
OS command using the xp_cmdshell stored procedure.
Mitigating Factors:
This vulnerability can only be remotely exploited on Internet-facing
computers that allow access to TCP port 1433 or by other machines on the
same Local Area Network.
Vendor Response:
I contacted the Microsoft Security Response Center about this issue on
3-6-02. They published KB article Q321081
<;EN-US;q321081> on
4-9-02 to address the issue with Visio. They subsequently published
<;EN-US;q322336> about
MSDE in general on 5-8-02. Q322336 actually addresses how to fix the
problem more completely than Q321081, it talks about modifying the
registry to switch MSDE to Windows Integrated Security as opposed to
just changing the 'sa' password. Microsoft decided that this issue is
simply a MSDE configuration problem and does not require a patch.
Consequently, since there is no patch they also elected not to issue a
Security Bulletin despite the level of risk involved to effected
systems. The emergence of the DoubleTap/SQLSnake worm compelled me to
go ahead and post this in order to make people aware of these new KB
Adrian Romo
Senior Consultant
Quilogy - The Art & Science of Business
Quilogy Security Assessment Services: Enterprise Security for the
Digital Age

Relevant Pages

  • Getting to the bottom of MSDE network connection problems ...
    ... but other than that it is MSDE 2000 with sp3a already applied. ... I've finally figured out the connection problems associated with this, ... and it seems the problems are due to Windows XP and not MSDE. ... the enterprise/standard versions of SQL server won't install ...
  • Re: File Protection
    ... I found that it turned out to be a known issue in MSDE setup or SP3a Setup ... However on computers with Windows XP SP1 if the dllcache ... install program for the app, and I'm running into an error with the MSDE ... get a Windows File Protection error on a 'fresh' WinXP Home computer. ...
  • RE: problem installing MSDE 2000 when MS BCM already installed
    ... All these machines were brand new Windows XP Pro boxes with MS Office ... MDAC 2.8 was installed prior to kicking off our MSDE setup. ... We install MSDE with default language settings. ...
  • Re: ADO.NET 2.0 & MSDE & Win98
    ... Does SQL Server Express run just fine on Windows 98? ... At this point in time you should be using SQL Server Express, ... not MSDE. ... DISABLENETWORKPROTOCOLS ...
  • Re: Answer: Access creates ADP database in MSDE only with SQL Server Authentication mode
    ... I can't test your combination (A2K, MSDE in a non-DC network). ... full SQL Server 2000 in a network with PDC & DCs. ... > I created a user account as a Windows ...