Vulnerability: Microsoft Data Engine

  1. #1
    s0nIc (Fastest Thing Alive)
    Join Date: Sep 2001

    Vulnerability: Microsoft Data Engine

    Microsoft Visio 2000 Enterprise
    Visio Enterprise Networking Tools 1.0
    Visual Studio 6.0
    Office 2000/XP (running on a Windows 9x system)
    Impact: Run code of attacker's choice
    Max Risk: Critical


    Visio Enterprise 2000 and VENT 1.0 use MSDE as a database server to store information. Visual Studio, Office and other 3rd party software can also use MSDE as a database server.

    The MSDE installation option included with Visio 2000 Enterprise and VENT 1.0 defaults to Mixed Authentication. Additionally, the default username in these cases is 'sa' and the default password is blank. Installing MSDE for Visual Studio 6.0 also uses the same defaults. The version of MSDE available on Office 2000/XP media defaults to Windows Integrated Security when installed on a Windows NT/2000/XP computer. However, when this version of MSDE is installed on a Windows 9x/me computer, it also defaults to 'sa' and a blank password. A malicious user could execute the code of his choice on a system running MSDE with 'sa' and a blank password. Such code would execute using the security context of the MSSQLSERVER service, which is LOCALSYSTEM in the case of a default MSDE install.


    I stumbled upon this vulnerability running SQLPoke on a LAN. Tools like this and SQLPing can pinpoint affected systems. Once identified, a malicious user could then use SQL Query Analyzer or osql to execute any OS command using the xp_cmdshell stored procedure.

    Mitigating Factors:

    This vulnerability can only be remotely exploited on Internet-facing computers that allow access to TCP port 1433 or by other machines on the same Local Area Network.

    Vendor Response:

    I contacted the Microsoft Security Response Center about this issue on 3-6-02. They published KB article Q321081 on 4-9-02 to address the issue with Visio. They subsequently published Q322336 about MSDE in general on 5-8-02. Q322336 actually addresses how to fix the problem more completely than Q321081; it talks about modifying the registry to switch MSDE to Windows Integrated Security as opposed to just changing the 'sa' password. Microsoft decided that this issue is simply an MSDE configuration problem and does not require a patch. Consequently, since there is no patch they also elected not to issue a Security Bulletin despite the level of risk involved to affected systems. The emergence of the DoubleTap/SQLSnake worm compelled me to go ahead and post this in order to make people aware of these new KB articles.

    Adrian Romo
    Senior Consultant
    Quilogy - The Art & Science of Business


    Crap.. i have Office XP on my Win98 Box...
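
A way to check your own MSDE instance for the default configuration the advisory describes. This is an added example, not part of the original post or of Microsoft's KB articles. It assumes a SQL Server 7.0/2000-era instance and a sysadmin session in osql or Query Analyzer; the temp table name and the placeholder password are made up for the example.

```sql
-- Added audit example: reports the login mode and any SQL login with a
-- blank password, then summarizes whether the 'sa'/blank default is live.
SET NOCOUNT ON

-- 1. Capture the authentication mode. xp_loginconfig reports 'Mixed' when
--    SQL logins such as 'sa' are accepted alongside Windows accounts.
CREATE TABLE #login_mode (name varchar(128), config_value varchar(128))
INSERT INTO #login_mode
    EXEC master.dbo.xp_loginconfig 'login mode'

-- 2. List SQL (non-Windows) logins that have no password set.
--    Windows logins also store NULL here, so isntname = 0 filters them out.
SELECT name AS blank_password_login, sysadmin
FROM master.dbo.syslogins
WHERE isntname = 0 AND password IS NULL

-- 3. One-row verdict for the condition in the advisory:
--    Mixed Authentication combined with a blank 'sa' password.
SELECT
    m.config_value AS login_mode,
    CASE
        WHEN m.config_value = 'Mixed'
             AND EXISTS (SELECT * FROM master.dbo.syslogins
                         WHERE name = 'sa' AND password IS NULL)
            THEN 'EXPOSED: sa has a blank password and SQL logins are accepted'
        WHEN m.config_value = 'Mixed'
            THEN 'Mixed mode: sa has a password, review the other logins listed'
        ELSE 'Windows Integrated Security only: SQL logins are not accepted'
    END AS finding
FROM #login_mode m

DROP TABLE #login_mode

-- Remediation for the first case (replace the placeholder before running):
-- EXEC sp_password @old = NULL, @new = '<strong-password-placeholder>', @loginame = 'sa'
```

Setting a password on 'sa' covers the first finding only; switching the instance to Windows Integrated Security is the more complete fix the post attributes to Q322336.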

  2. #2
    Good job sonic...
    WE ARE the anti cancer...
    WE ARE the only answer...
