May 24th, 2002, 03:30 PM
Vulnerability: Microsoft Data Engine
Microsoft Visio 2000 Enterprise
Visio Enterprise Networking Tools 1.0
Visual Studio 6.0
Office 2000/XP (running on a Windows 9x system)
Impact: Run code of attacker's choice
Max Risk: Critical
Visio Enterprise 2000 and VENT 1.0 use MSDE as a database server tostore information. Visual Studio, Office and other 3rd party softwarecan also use MSDE as a database server.
The MSDE installation option included with Visio 2000 Enterprise andVENT 1.0 defaults to Mixed Authentication. Additionally, the defaultusername in these cases is 'sa' and the default password is blank.Installing MSDE for Visual Studio 6.0 also uses the same defaults. Theversion of MSDE available on Office 2000/XP media defaults to WindowsIntegrated Security when installed on a Windows NT/2000/XP computer.However, when this version of MSDE is installed on a Windows 9x/mecomputer, it also defaults to 'sa' and a blank password. A malicioususer could execute the code of his choice on a system running MSDE with'sa' and a blank password. Such code would execute using the securitycontext of the MSSQLSERVER service, which is LOCALSYSTEM in the case ofa default MSDE install.
I stumbled upon this vulnerability running SQLPoke on a LAN. Tools likethis and SQLPing can pinpoint effected systems. Once identified, amalicious user could then use SQL Query Analyzer or osql to execute anyOS command using the xp_cmdshell stored procedure.
This vulnerability can only be remotely exploited on Internet-facingcomputers that allow access to TCP port 1433 or by other machines on thesame Local Area Network.
I contacted the Microsoft Security Response Center about this issue on3-6-02. They published KB article Q321081 on4-9-02 to address the issue with Visio. They subsequently publishedQ322336 aboutMSDE in general on 5-8-02. Q322336 actually addresses how to fix theproblem more completely than Q321081, it talks about modifying theregistry to switch MSDE to Windows Integrated Security as opposed tojust changing the 'sa' password. Microsoft decided that this issue issimply a MSDE configuration problem and does not require a patch.Consequently, since there is no patch they also elected not to issue aSecurity Bulletin despite the level of risk involved to effectedsystems. The emergence of the DoubleTap/SQLSnake worm compelled me togo ahead and post this in order to make people aware of these new KBarticles.
Quilogy - The Art & Science of Business
Crap.. i have Office XP on my Win98 Box...
May 25th, 2002, 04:39 AM
WE ARE the anti cancer...
WE ARE the only answer...