Bugtraq mailing list archives
Re: Tumbleweed Worldsecure (MMS) BLANK '
From: Neil Pike <NeilPike () COMPUSERVE COM>
Date: Wed, 16 Aug 2000 17:48:52 -0400
Russ,

By default SQL 7 goes into "mixed mode". This means it accepts NT auth or non-NT auth. If you use a non-NT auto-authed net-lib protocol and don't demand a "trusted" connection - e.g. use the tcp-ip sockets net-lib - then you can get in as "sa" and no password.

MSDE is just the "cut-down" run-time engine of SQL Server and so has the same issue. The "issue" can be resolved by correct manual setup or correct setting of the unattend .iss file for MSDE by the vendors.

The install wasn't botched by the user as the Tumbleweed vendors install MSDE automatically/silently and give you no chance to change the install type/password. In fact their docs hardly mention the fact that they're installing it, let alone saying anything about install options, changing the password etc.

The part that confuses me about this Tumbleweed vulnerability, and the part I asked "__nt__ () ANONYMOUS TO" (who originally posted this message) and never got answered, was that SQL 7.0 by default assumes you will be using NTLM for SQL Authentication. As such, no SA account is to be used. When configured like this the client performs the normal c/r with the SQL box and, if authenticated, is allowed access.

Does the stripped down version of SQL 7.0 that Tumbleweed implemented use the same authentication basis? Was the installation performed by "__nt__ () ANONYMOUS TO" botched by telling it to use normal SA authentication instead?

Cheers,
Russ - NTBugtraq Editor

Neil Pike MVP/MCSE Protech Computing Ltd
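
An administrator-side audit for the condition discussed in this message (mixed mode plus an "sa" login with no password), added here as an example and not part of the original post or of any vendor's tooling. It assumes a SQL Server 7.0 / MSDE instance and a sysadmin session (for example from osql or Query Analyzer); the password shown in the commented-out fix is a placeholder.

```sql
-- Added example: audit a SQL Server 7.0 / MSDE instance for the default
-- described above. Assumption: run as a sysadmin on the instance being checked.
SET NOCOUNT ON

-- 1. Report the authentication mode. "Mixed" means the server accepts
--    SQL logins (such as "sa") as well as NT-authenticated connections.
CREATE TABLE #login_mode (name sysname NULL, config_value sysname NULL)
INSERT INTO #login_mode EXEC master..xp_loginconfig 'login mode'

SELECT config_value AS login_mode,
       CASE WHEN config_value LIKE 'Mixed%'
            THEN 'SQL logins accepted: blank passwords below are reachable'
            ELSE 'NT authentication only'
       END AS note
FROM #login_mode

-- 2. List every SQL (non-NT) login that has no password set.
--    On a silent MSDE install left at its defaults, "sa" appears here.
SELECT name AS login_with_blank_password
FROM master..syslogins
WHERE isntname = 0
  AND password IS NULL

DROP TABLE #login_mode

-- 3. Fix for a blank "sa" password. Left commented out so the audit is
--    read-only; substitute a real password for the placeholder before running.
-- EXEC sp_password @old = NULL, @new = '<REPLACE-WITH-STRONG-PASSWORD>', @loginame = 'sa'
```

An application that was installed against the blank password may store it in its own connection settings, so check how the product connects before changing it.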