Bugtraq mailing list archives
Re: Tumbleweed Worldsecure (MMS) BLANK 'sa' account passwordvulnerability
From: Mark Tinberg <mtinberg () securepipe com>
Date: Mon, 14 Aug 2000 18:03:16 -0500
I would strongly disagree, just putting something like this in the documentation is not enough, you must force a reasonable account password (hopefully using something like crack to make sure it isn't trivially breakable) at install-time. Anything less is just asking for trouble, not even the best administrators remember everything, everytime, let alone the schmoe who just clicks on the installer and thinks everything is going to be allright. I don't know whether access to the sa account is really required for this piece of software but if not then then it should be set to a random password at install time, at least this will stall/prevent remote abuse. Oh, and just because somebody else, even a high profile company like Oracle, makes this mistake too doesn't make it the right way to do things. "A. Trent Foley" wrote:
I'm not so sure I would call this a "vulnerability". So long as the installation instructions have you change the password prior to putting the machine in to production, I wouldn't blame this on either Microsoft or Tumbleweed. After all, even Oracle Enterprise (as well as all other Oracle's I've ever dealt with) gives the sys and system users well-known passwords at install time. It is up to a competent administrator to change those passwords or else risk the inevitable. A. Trent Foley -----Original Message----- From: Bugtraq List [mailto:BUGTRAQ () SECURITYFOCUS COM]On Behalf Of NT HATER Sent: Thursday, August 10, 2000 11:37 AM To: BUGTRAQ () SECURITYFOCUS COM Subject: Tumbleweed Worldsecure (MMS) BLANK 'sa' account password vulnerability I've recently discovered the following vulnerability: Product: Tumbleweed Messaging Management System (MMS) (Formerly Worldtalk Worldsecure) http://www.tumbleweed.com/solutions/products/mms_products Version: 4.3 - 4.5 (all builds) Description: Product uses Microsoft's MSDE (Database engine) which is a stripped down version of the Microsoft SQL server 7.0. During the setup stage, I was never asked for the 'sa' account password, which led me to think that application is either generating a random password every time it installs or the password is the same for all installations. Well, after thurther research I discovered that the password is left BLANK !!! This is a huge remotely exploitable vulnerability. After I remotely connected to the database (with 'sa' account and NO PASSWORD) I was able to delete the databases (denial of service, product becomes unusable) and modify the data (customer certificates, configuration of the product, logs, etc.). Tumbeweed refuses to acknowledge this vulnerability, which caused major outrage among my customers. Therefore, I have no choice but to go public about this vulnerability. Please feel free to contact me with ANY questions regarding this issue, although I would like to remain anonymous. Thank you very much.
-- Mark Tinberg <MTinberg () securepipe com> Network Security Engineer, SecurePipe Communications LLC. Remember: Wherever you go, there you are!
Current thread:
- Tumbleweed Worldsecure (MMS) BLANK 'sa' account password vulnerability NT HATER (Aug 10)
- Re: Tumbleweed Worldsecure (MMS) BLANK 'sa' account password vulnerability A. Trent Foley (Aug 11)
- Re: Tumbleweed Worldsecure (MMS) BLANK 'sa' account passwordvulnerability Mark Tinberg (Aug 15)
- Re: Tumbleweed Worldsecure (MMS) BLANK 'sa' account password vulnerability A. Trent Foley (Aug 11)