MSDE Advisory

From: Adrian Romo (ARomo@QUILOGY.COM)
Date: 05/23/02

Date:         Thu, 23 May 2002 08:17:18 -0500
From: Adrian Romo <ARomo@QUILOGY.COM>

Title: Insecure Microsoft Data Engine (MSDE) Could Lead
to Code
Date: 05 May 2002
Software: Microsoft Visio 2000 Enterprise
Visio Enterprise Networking Tools 1.0
Visual Studio 6.0
Office 2000/XP (running on a Windows 9x system)
Impact: Run code of attacker's choice
Max Risk: Critical
Visio Enterprise 2000 and VENT 1.0 use MSDE as a database server to
store information. Visual Studio, Office and other 3rd party software
can also use MSDE as a database server.
The MSDE installation option included with Visio 2000 Enterprise and
VENT 1.0 defaults to Mixed Authentication. Additionally, the default
username in these cases is 'sa' and the default password is blank.
Installing MSDE for Visual Studio 6.0 also uses the same defaults. The
version of MSDE available on Office 2000/XP media defaults to Windows
Integrated Security when installed on a Windows NT/2000/XP computer.
However, when this version of MSDE is installed on a Windows 9x/me
computer, it also defaults to 'sa' and a blank password. A malicious
user could execute the code of his choice on a system running MSDE with
'sa' and a blank password. Such code would execute using the security
context of the MSSQLSERVER service, which is LOCALSYSTEM in the case of
a default MSDE install.
I stumbled upon this vulnerability running SQLPoke on a LAN. Tools like
this and SQLPing can pinpoint effected systems. Once identified, a
malicious user could then use SQL Query Analyzer or osql to execute any
OS command using the xp_cmdshell stored procedure.
Mitigating Factors:
This vulnerability can only be remotely exploited on Internet-facing
computers that allow access to TCP port 1433 or by other machines on the
same Local Area Network.
Vendor Response:
I contacted the Microsoft Security Response Center about this issue on
3-6-02. They published KB article Q321081
<;EN-US;q321081> on
4-9-02 to address the issue with Visio. They subsequently published
<;EN-US;q322336> about
MSDE in general on 5-8-02. Q322336 actually addresses how to fix the
problem more completely than Q321081, it talks about modifying the
registry to switch MSDE to Windows Integrated Security as opposed to
just changing the 'sa' password. Microsoft decided that this issue is
simply a MSDE configuration problem and does not require a patch.
Consequently, since there is no patch they also elected not to issue a
Security Bulletin despite the level of risk involved to effected
systems. The emergence of the DoubleTap/SQLSnake worm compelled me to
go ahead and post this in order to make people aware of these new KB
Adrian Romo
Senior Consultant
Quilogy - The Art & Science of Business
Quilogy Security Assessment Services: Enterprise Security for the
Digital Age