Full Disclosure mailing list archives
Re: Database servers on XP and the curious flaw
From: Dave King <davefd () davewking com>
Date: Thu, 17 Nov 2005 09:53:40 -0700
You are most likely right that by default MSDE and 2005 Express are secure by default. I'm sorry for the misunderstanding, I thought I made this clear when I said "if the configuration allows the guest account access to the database", but I guess I should have added something about that by default it's secure. I'm sure this was my mistake because I've received at least 3 emails that have pointed this out that SQL server is secure by default. Mostly my comment was in reference to "How many people at home run a fully fledged RDBMS on their XP systems?". I was just trying to point out that more people than we may think _are_ running database servers on their system. Laters, Dave King James Eaton-Lee wrote:
On Wed, 2005-11-16 at 12:20 -0700, Dave King wrote:While it still may not be "millions of people" several products come bundled with the desktop edition of SQL Server 2000, and I'm sure many will come with SQL Server 2005 Express. As far as I can tell by reading the paper (but not testing it myself) these are probably vulnerable as well if the configuration allows the guest account access to the database."Microsoft SQL Server 2000 - By default, Microsoft SQL Server 2000 is not vulnerable. Like Oracle, SQL Server authenticates the client using the NTLM SSPI AcceptSecurityContext() function and the user is logged on as Guest, however, as SQL Server requires that a specific user be granted access, the remote user can log in – by default SQL Server doesn’t allow Guest access to the database server. If, for whatever reason, someone has granted either the Guest account or the built-in Guests group access to the SQL Server then a remote user without valid credentials will gain access." I may be wrong, but I'd assume that the way in which SQLDE authenticates is similar to MSSQL and therefore isn't affected by this... feel quite free to correct me, because I don't claim to be an expert on the DE version of SQL! :) This of course wouldn't be the case for databases bundled with insecure permissions (as vendors are apt to do), and that'd probably be what I'd worry about most in these situations. - James.Dave King http://www.thesecure.netTo be honest I don't think we're talking millions of people. How many people at home run a fully fledged RDBMS on their XP systems? Very few I'd guess. Besides, Simple File Sharing is documented so MS are educating those willing to seek information._______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Database servers on XP and the curious flaw David Litchfield (Nov 16)
- Re: Database servers on XP and the curious flaw Eliah Kagan (Nov 16)
- Re: Database servers on XP and the curious flaw David Litchfield (Nov 16)
- Re: Database servers on XP and the curious flaw Eliah Kagan (Nov 16)
- Re: Database servers on XP and the curious flaw Dave King (Nov 16)
- Re: Database servers on XP and the curious flaw James Eaton-Lee (Nov 17)
- Re: Database servers on XP and the curious flaw Dave King (Nov 17)
- Re: Database servers on XP and the curious flaw David Litchfield (Nov 16)
- Re: Database servers on XP and the curious flaw Eliah Kagan (Nov 16)
- Message not available
- Re: Database servers on XP and the curious flaw Eliah Kagan (Nov 16)
- RE: Database servers on XP and the curious flaw James Tucker (Nov 16)
- Re: Database servers on XP and the curious flaw Eliah Kagan (Nov 16)