Re: Database servers on XP and the curious flaw

[Dave King <davefd () davewking com>]

You are most likely right that by default MSDE and 2005 Express are
secure by default.  I'm sorry for the misunderstanding, I thought I made
this clear when I said "if the configuration allows the guest account
access to the database", but I guess I should have added something about
that by default it's secure.  I'm sure this was my mistake because I've
received at least 3 emails that have pointed this out that SQL server is
secure by default.  Mostly my comment was in reference to "How many
people at home run a fully fledged RDBMS on their XP systems?".  I was
just trying to point out that more people than we may think _are_
running database servers on their system.

Laters,
Dave King


James Eaton-Lee wrote:

> On Wed, 2005-11-16 at 12:20 -0700, Dave King wrote:
>  
>
> > While it still may not be "millions of people" several products come
> > bundled with the desktop edition of SQL Server 2000, and I'm sure many
> > will come with SQL Server 2005 Express.  As far as I can tell by reading
> > the paper (but not testing it myself) these are probably vulnerable as
> > well if the configuration allows the guest account access to the database.
> >    
>
> "Microsoft SQL Server 2000 - By default, Microsoft SQL Server 2000 is
> not vulnerable. Like Oracle, SQL Server authenticates the client using
> the NTLM SSPI AcceptSecurityContext() function and the user is logged on
> as Guest, however, as SQL Server requires that a specific user be
> granted access, the remote user can log in – by default SQL Server
> doesn’t allow Guest access to the database server. If, for whatever
> reason, someone has granted either the Guest account or the built-in
> Guests group access to the SQL Server then a remote user without valid
> credentials will gain access."
>
> I may be wrong, but I'd assume that the way in which SQLDE authenticates
> is similar to MSSQL and therefore isn't affected by this... feel quite
> free to correct me, because I don't claim to be an expert on the DE
> version of SQL! :)
>
> This of course wouldn't be the case for databases bundled with insecure
> permissions (as vendors are apt to do), and that'd probably be what I'd
> worry about most in these situations.
>
> - James.
>
>  
>
> > Dave King
> > http://www.thesecure.net
> >
> >    
> >
> > > To be honest I don't think we're talking millions of people. How many
> > > people at home run a fully fledged RDBMS on their XP systems? Very few
> > > I'd guess. Besides, Simple File Sharing is documented so MS are
> > > educating those willing to seek information.
> > >
> > >      
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > Hosted and sponsored by Secunia - http://secunia.com/
> >    
>
>
>
>  

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/