Bugtraq mailing list archives

Released Patch: Tumbleweed Worldsecure (MMS) BLANK 'sa' account password vulnerability [virus checked]


From: Ingo Wupper <ingo.wupper () VANCO DE>
Date: Wed, 16 Aug 2000 14:17:13 +0200

Tumbleweed has released a patch for the above problem. Pls find the URL in
the eMail below:
 
Regards
 

         Vanco Euronet GmbH 
 - the human network - 

         Ingo Wupper 
 (Leiter Geschäftsbereich eSecurity) 
 Tel:  +49 6102 785-601 
 Fax: +49 6102 785-556 



        The information contained in this eMail is confidential. It is
intended solely for the addressee. Access to this eMail by anyone else is
unauthorized. If you are not the intended recipient, any form of disclosure,
reproduction, distribution or any action taken or refrained from in reliance
on it is prohibited and may be unlawful. Please notify the sender
immediately. All statements of opinion or advice directed via this eMail to
our clients are subject to the terms and conditions expressed in the
governing VANCO AGB's. The content of this eMail is not legally binding
unless confirmed by letter.





-----Original Message-----
From: klaus.stracker () tumbleweed com [mailto:klaus.stracker () tumbleweed com]
Sent: Wednesday, 16 August 2000 14:24
To: ingo.wupper () vanco de
Cc: kurt.dawidowitsch () tumbleweed com
Subject: Tumbleweed Worldsecure (MMS) BLANK 'sa' account password
vulnerability [virus checked]


Hello Mr Wupper,

Regarding your report, a security patch was released last Friday.

http://thompson.tumbleweed.com/NewKB/bulletin/UPFiles/sa-official.htm

I hope this has been of help.

Kind regards

Klaus Stracker
Tumbleweed Communications
 
 
-----Original Message-----
From: Ingo Wupper [mailto:ingo.wupper () vanco de]
Sent: 11 August 2000 07:44
To: Pat Boswell-Saul
Subject: WG: Tumbleweed Worldsecure (MMS) BLANK 'sa' account passwordvuln
erability [virus checked]



Could you pls clarify the comment of Tumbleweed denying this vuln. with your
technical staff?

Thx. 

Best Regards, 

         Vanco Euronet GmbH 
         - the human network - 

         Ingo Wupper 
         (Leiter Geschäftsbereich eSecurity) 
         Tel:  +49 6102 785-601 
         Fax: +49 6102 785-556 










-----Original Message-----
From: NT HATER [mailto:__nt__ () ANONYMOUS TO]
Sent: Thursday, 10 August 2000 18:37
To: BUGTRAQ () SECURITYFOCUS COM
Subject: Tumbleweed Worldsecure (MMS) BLANK 'sa' account password
vulnerability [virus checked]


I've recently discovered the following vulnerability:

Product: Tumbleweed Messaging Management System (MMS) (formerly Worldtalk
Worldsecure) http://www.tumbleweed.com/solutions/products/mms_products
Version: 4.3 - 4.5 (all builds)
Description: Product uses Microsoft's MSDE (Database engine) which is a
stripped down version of the Microsoft SQL server 7.0. During the setup
stage, I was never asked for the 'sa' account password, which led me to
think that the application is either generating a random password every
time it installs or the password is the same for all installations. Well,
after further research I discovered that the password is left BLANK !!!
This is a huge remotely exploitable vulnerability. After I remotely
connected to the database (with 'sa' account and NO PASSWORD) I was able to
delete the databases (denial of service, product becomes unusable) and
modify the data (customer certificates, configuration of the product, logs,
etc.).

Tumbleweed refuses to acknowledge this vulnerability, which caused major
outrage among my customers. Therefore, I have no choice but to go public
about this vulnerability.

Please feel free to contact me with ANY questions regarding this issue,
although I would like to remain anonymous.

Thank you very much.

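As an added example (not from the original post, nor from Tumbleweed), this is the audit-and-fix an administrator would run locally against the MSDE / SQL Server 7.0 instance the report describes: it lists standard logins with an empty password and sets one for 'sa'. It assumes the catalog stores a blank password as NULL in the password column of master..syslogins (the 7.0/2000-era behaviour; verify on your build) and uses the stored procedure sp_password; the new password value is a placeholder.

```sql
-- Added example: audit an MSDE / SQL Server 7.0 instance for a blank 'sa'
-- password and set a real one. Run it locally as a sysadmin, e.g.:
--   osql -E -i check_sa.sql        (Windows-authenticated connection)
-- Assumption: a blank password is stored as NULL in the password column
-- of master..syslogins; confirm this on your own build first.

USE master
GO

-- 1. Report every standard (non-NT) login whose password is empty.
--    'sa' is the one in the advisory, but the MSDE installer asked for
--    no password at all, so list all of them.
SELECT name, createdate, updatedate
FROM master..syslogins
WHERE password IS NULL
  AND isntname = 0            -- Windows logins carry no SQL password
GO

-- 2. Fix it. sp_password @old, @new, @loginame; @old is NULL when the
--    current password is blank. Replace the placeholder with a real one.
IF EXISTS (SELECT 1 FROM master..syslogins
           WHERE name = 'sa' AND password IS NULL)
BEGIN
    EXEC sp_password NULL, '<NEW-STRONG-PASSWORD-PLACEHOLDER>', 'sa'
    PRINT 'sa password was blank and has now been set.'
END
ELSE
    PRINT 'sa already has a password.'
GO

-- 3. Re-run step 1; 'sa' should no longer appear in the result.
```

Because the report shows the account being reached remotely, also restrict network access to the MSDE/SQL Server port to the hosts that need it; and if the MMS service itself authenticates as 'sa' (not stated in the post, so verify), its stored connection settings must be updated with the new password.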
