The Media

Default Behavior: Piranha vs. Microsoft SQL Server 268

Do you remember the Piranha debacle back in April? Welcome to Part II. Last Tuesday, it was revealed that Microsoft SQL Server 7.0 is shipped with a default password - just like Red Hat's piranha module. Unlike Piranha, SQL Server is very common software for large e-business websites. Unlike Piranha, the vulnerable software has been shipping for months. Unlike Red Hat, Microsoft refuses to take responsibility for their mistake, which, unlike Red Hat's, has resulted in actual documented break-ins, some at high-profile websites. So why haven't you read about it?

Because unlike Red Hat, Microsoft is getting a pass by the media.

Piranha is web clustering/failover software that was released in April by Red Hat without much QA. It somehow went out the door with a default password ("Q") and without docs explaining in big bold caps that it must be changed. If you installed the Piranha RPM without reading the docs carefully, you had a security hole on your site.

The hole allowed an attacker to come in over port 80 and execute arbitrary commands as the Piranha user, which would have been the web user. Typically that's a nonprivileged "nobody" account. While this is never good, let's just note for the record that this is a read-only exploit unless the webserver is very poorly configured.

The media flipped, in a word, out.

Piranha: A Case Study

On April 25, Computerworld announced that the "backdoor password ... could allow an attacker to compromise a Web server and deface and destroy a Web site." Informationweek and Internetweek both warned about "a back-door security flaw that carries ISS's highest danger rating." MSNBC/ZDNET ran the story as "Red Hat Linux open to backdoor password" and explained "there's a backdoor account in Red Hat's Linux that would let a computer intruder access and alter files." The Standard's early report on April 25 wasn't too bad but attacked -- as all reports did to some degree -- the strawman myth that open source is inherently secure. At least it didn't use the word "backdoor." Newsbytes was pretty much the same.

"Backdoor" implies that the flaw was deliberately inserted, by a thoughtless or even malicious programmer. Why did most stories incorrectly use that word? Mostly because that was how it was described in the press release. A security firm called Internet Security Systems found the flaw on April 24 and sent out a security advisory that used the term four times by the end of the first paragraph.

ISS also made some interesting statements when speaking to the press about the vulnerability. Oft-quoted was a line about open-source being both a blessing and a curse (the media loves "on the one hand, on the other hand"). I also liked this comment from their research director:

"There's limited quality assurance in the open-source environment," says Rouland, "because open-source software is basically a bunch of peoples' hobby."

Of the early stories about Piranha, the best one I found was Henry Kingman's ZDNet piece on April 24 (both early and accurate: amazing). CNET's on April 25 wasn't bad either, though they let ISS lay down the anti-open-source and pro-Microsoft propaganda a little thick.

In the days to come, the story didn't change much except to note that Red Hat -- correctly, as it turned out -- denied the seriousness of the vulnerability and tried to explain that it wasn't really a backdoor. Inter@ctive Week's Charles Babcock did such a piece on May 1.

Computer Reseller News still called it a backdoor on April 27. And NetworkWorldFusion's report and Informationweek's followup both came out on May 1, both got the important facts right, but both still called it a backdoor.

ClieNT Server News ran an article in their May issue explaining "Red Hat Red-Faced." I'm not about to pay to read the whole thing. The free synopsis that's available smirks at how "embarrassed" the company must be, and ends: "It seems that Red Hat left a back door in," dot, dot, dot.

The Standard had a second, fair piece that eschewed the term and even, after quoting the line about open-source being a "hobby," gently suggested otherwise.

But the gold stars go to just two good reports. SecurityFocus' Elias Levy, on May 1, turned the spotlight on ISS by pointing out how they "...can make headlines by using the right jargon, even when it's wrong." And Linux World News' Liz Coolbaugh had weighed in a few days earlier, questioning the media's coverage in her story "Red Hat Security Hole Not a 'Backdoor'."

If you find any more stories about Piranha, post them below. The Red Hat-bashing pretty much came to a halt a week later, when a little Microsoft-specific email virus named "ILOVEYOU" did a few billion dollars' worth of damage.

(Breaking news: all charges dropped; to quote 10,000 Maniacs, "who ya wanna blame?")

Microsoft SQL Server 7.0

You've heard about the SQL Server vulnerability, right? The one found on Tuesday, six days ago?

Well, no, you probably haven't, unless you read NTBugtraq. Even the maintainer of SecurityPortal's Microsoft Security Digest missed it this week (don't worry: I dropped him a note, he added it).

As the cracker Herbless describes it:

"It has come to light that it is now common knowledge that MS-SQL has a blank 'sa' password by default. This seems to affect a _lot_ of servers on the internet."

A default password vulnerability? Sounds familiar, doesn't it?

Here's Herbless's description and exploit code, posted to BugTraq last Tuesday. And here's Microsoft's acknowledgement, posted on Thursday.

Herbless wasn't kidding when he said it affected a lot of servers. If you're running SQL Server 7.0, with a firewall that doesn't block its port, and you haven't changed the sysadmin password, you're vulnerable.

As he described it to me, unlike Piranha's vulnerability which gave read-only access as an unprivileged user, this one typically gives access as "BUILTIN\System." I don't speak NT, so he had to describe to me what this is: "god-like powers ... greater than those of even the 'Administrator' user."

In other words, you have been 0wn3d.

You may be thinking that this is a vulnerability. Go back and read Microsoft's acknowledgement again. They say quite clearly, "The code does not exploit a vulnerability."

Does it confuse you that what was previously a "backdoor" is now not even a "vulnerability"? That threw me for a loop too -- as well as some of Microsoft's other disclaimers, which only make sense when you realize you're reading non-sequiturs about the newer version SQL Server 2000 (the vulnerability only affects SQL Server 7.0).

All will become clear, though, once you read this story from vnunet.com -- the only media story I've seen, by the way. The fault lies with the website administrators:

"Hacked websites 'didn't read the manual'

"Microsoft has blamed administrator error, rather than a bug in its software, for leaving hundreds of websites running SQL server open to attack this week."

Did they say hundreds? Yes, hundreds, at the very least. And did they say "hacked websites"? Yes -- this is not a theoretical vulnerability with no known attacks, like Piranha was.

All this month, Herbless has been cracking into websites like the National Transportation Safety Board and leaving edgy political messages (while backing up the original files and telling the admins how to close the holes). He confirmed to me that all his attacks, including the Fish and Wildlife Service, the UK's Adult Learning Inspectorate, and the Commonwealth Telecommunications Organisation, were done by exploiting Microsoft SQL Server.

Just to make the story that much better, according to Herbless, the default configuration of SQL Server 7.0 also has logging turned off -- in which case a successful attack would leave few if any tracks.

Sites are lucky if their webpages are hijacked; that way they know to fix the problem, format and reinstall. But some of those "hundreds" of websites running the vulnerable installation have surely been cracked by black hats who quietly installed Back Orifice or a similar remote-exploit program. They can set an SQL Server password, but it won't help them: they'll still be 0wn3d.

The proper fix would be to force the password to be changed before the software can be used, as Piranha now does. Wayne Sowery of MIS Corporate Defence Solutions confirmed for me that "versions up to SQL Server 2000 do not ask for the SA password during installation ... we also tried various install options such as 'typical' and 'custom,' neither prompted for a new SA password." Incidentally, he too questions whether this is properly described as a "vulnerability," but I'm not sure what else it could be called.

The lesson here is that the media doesn't treat security reports very fairly. Some organizations have their own selfish reasons to push one agenda or another. (Like Slashdot? You bet. But you know where we stand.)

The motive doesn't have to be that devious, though sometimes, of course, it is. If a reporter gets to write a story that questions a core belief of Linux zealots -- whether or not it's actually a core belief, and whether or not they're actually zealots -- that will be much more attractive than simply reporting security news. The nitty-gritty of security news, after all, is rather dry.

So next time you see a biased polemic about system security, or even a small media feeding frenzy about the latest exploit, take a moment to ask why it's being reported outside of the admins' mailing lists. Open source software is still a new idea to many in the traditional news media, and that means that it's a hook for them to hang any kind of story on -- good or bad.

  • by Greyfox ( 87712 ) on Monday August 21, 2000 @12:27PM (#839454) Homepage Journal
    I thought the whole point of buying MS products was that it made those $100K+ a year sysadmins obsolete! Why, I rounded up a bunch of "Will Work For Food" people to admin my systems and I pay them in hamburgers! Now you're telling me you actually have to know something about computers to admin their software?

    Oh well, at least we still have the chimpanzees we trained to do Visual Basic programming...

  • "Wait a minute, if there were that many articles about a problem with Piranha which is installed on fairly few..."

    Yes I know. That's why I mentioned the Red Hat website thing. I know they really really blew that out of proportion. But if Slashdot criticizes them for blowing it out of proportion, then does the same themselves with the Windows problem, they are just being hypocritical.

    "By publicizing it, /. has helped to assure that the white hats have the same information. They can now secure their sites before they have trojans installed or their websites wiped clean." No, now they DON'T have the time to secure their sites because now everyone and their mother knows about it. Before this only the people who need to know about it (and the l33t hackers) knew, but now everyone does.

    Sometimes full disclosure isn't the best option. When security holes are found they should be kept quiet until they are fixed and people who are running the servers or whatever are notified.

    Telling people about a security hole before it can be fixed is like telling people about a bad computer virus weeks after it hit.
  • Ummm what about instances where you can't use trusted authentication. Say when you've got a web server using nt authentication and it's not a BDC and SQL is on another box?
    --Shoeboy
  • RedHat doesn't install anything by default. You are given the option of choosing exactly what you want and don't want when you install.

    Yes and no. I would imagine that very few people go through and choose each of the thousands of package options. More likely, they just set the checkbox for a typical install of certain types, which is as good as a default install.
    That is a really easy one to fix too. It most often occurs when you are using a variable for, say, your ID field.

    To fix you have to make sure you do some validation on your fields... its more or less common sense..

    Jeremy
    > (Note that this does not exculpate MS for making crappy stuff like OE - this is merely my opinion. It'd be like seeing someone drive a Corvair after Nader's exposé.)

    There is nothing wrong with the Corvair provided the rear tires are properly inflated, so says a Federal Government study in 1972. Ralph Nader was WRONG. Just like he was about Y2K issues...

    Mojo
  • Just to let you know, any skr1pt k1dd13 worth his/her salt knew about this last month.
  • Is it well known? If I set up a web site on NT tomorrow, would its vaunted ease-of-use make this default known to me? It's well known if you are an experienced admin of anything, but if I'm a small business owner who wants to plug in Microsoft and forget it, how well known is this?

  • by flea ( 1941 ) on Monday August 21, 2000 @11:31AM (#839462)
    I guess I shouldn't be surprised that the majority of posters here don't get that this article was about MEDIA BIAS. This article is not about the relative merits of MS software versus GNU/Linux software (the writer does bring that in, but only as a minor dig).

    Let me sum up for you who apparently can write but not read (well, maybe someone else can read this to you)...

    Redhat software package ships with default password; media goes crazy over this so-called "back door" into the operating system.

    Microsoft ships their SQL server with no password for "sa" user and no prompt to change it, allowing complete system compromise under common circumstances; media is strangely quiet about this.

    In other words, very similar problems, but MS doesn't get attacked by the media.

    THAT is what the friggin' article is about!
  • Piranha was only installed if you chose clustering. If you chose clustering you should have known what you were doing. This would not apply to people installing stuff for the first time ever. Oh wait, in the Micro$haft world yes it would. My bad.
  • Yeah, and if I knew your root password, another user account+password, and you enabled telnet and su, I could log onto your [server type] server and do [bad stuff] to it.

    You're right, this could be potentially dangerous. But you don't give a handgun to someone who's never used one before and act all surprised when they shoot themselves in the head (apparently experienced owners have done the same to themselves).

    Maintaining and setting up a database is not a task for the unwashed masses, nor should it be designed with your typical "where's the 'any' key" user in mind. Any competent admin, and I mean ANY slightly competent DB admin knows to set the stupid default password. Anyone claiming to be competent who doesn't know about this "vulnerability" should be fired immediately.
  • Uhm... wow, talk about rabid ignorance.

    If you install MSSQL7, the default password for the sa account is blank.

    If you don't change it, it's still blank.

    In an install of linux, the default root password is blank. If you don't change it, it's still blank.

    The only difference is that you are usually asked to change it during the linux install...

    But if you can't think to change default passwords after installing SQL server, you shouldn't be using it anyway.
  • The point of the article is that for RedHat, this was called "a major backdoor" and for MS, a "feature".

    But here is a news flash for people. Oracle has *two* default u/p combos: sys/manager and system/change_on_install (cute, eh?). Both have administrator privs. Oracle 8i introduces the relatively poorly documented outln/outln login, though with far fewer privileges. Other Oracle add-on packages (Intermedia, iFS, whatnot) often add other default username/password combos with varying degrees of power.

    Of course, people with a clue firewall the damn things, and only allow incoming connections to their web server, or even use a private network segment for them. This is why, IMO, the RedHat problem is bigger... Even though it is usually read-only, as a web server issue, it will *always* be vulnerable to the outside. DB servers rarely are, unless the admin is enough of a cluefuck to not change the default PW. er...
  • This is only an issue if you install MS-SQL server. And if you do, then you won't just "plug it in and forget it", because you would need to know, or have someone who knows, enough about the SQL server to add users/create databases, tables, procs, etc.

    Granted, these items aren't very difficult, but each time that you login as the system administrator to do the above items it might occur to you that "hey--I just logged in without a password" maybe I should change my 'sa' password.

    or not...
    ---
    Interested in the Colorado Lottery?
  • I don't know why I picked on you, just a random one of many comments, and this is a real opinion, not just a troll.

    The problem is that you need an admin password in order to do anything useful, so they give it a default, just like RedHat. The problem lies in them not FORCING you to change it the way RedHat now does.

    Now, think about this for a minute. I had a localized machine at home, not on a network, and I installed Linux. Linux made me install a new root password. Now, it's probably a good idea to do it, I don't run everything as root, I know what I'm doing, and I went and took it out anyway - because I know how. But forcing you to do something is not what I consider to be in the spirit of free software. Having the option to do whatever you want is in the spirit of this community. Every time a program makes me do something, I get pissed off. Who's running the show, me or my computer?

    It's like seatbelt laws. I've always used my seatbelt, long before there were laws, because it only makes sense to do it. But who has the right to tell me I MUST wear a seatbelt? Making people do things "for their own good" does not make me happy, it makes me quite sad.

    Of course, right now none of my machines are solo, and they all have pretty strong protection - at least a good root password and most services turned off, and a firewall to boot. This is clearly not an error on Microsoft's part. There is nothing insecure about the software when used correctly. And I'm the last person to support MS (just look at my SIG).

    On to the issue: it's hard to say why RedHat got raked over the coals and MS didn't. I see lots of good postings that have alternative views, any of which may be correct or partially correct. Who knows? We don't. It's sad and unfair, but let's just keep doing what we do best and spread the word about alternative (not just Linux) operating systems.

    ----------

  • I agree. Hiding information helps dedicated crackers be the first. Telling technical details to everybody helps kids be bad. Some basic guidelines should be respected. Everybody should be able to find out, but it's IMO not a good idea to provoke everybody by saying - look, it's that simple, you can do it too.
  • by tswinzig ( 210999 ) on Monday August 21, 2000 @11:36AM (#839470) Journal
    Why the hell did this get modded up so high?

    Basically, if someone is passing variables into a page (say index.asp?variable=5) then you can piggyback your own query after that (say index.asp?variable=5%20DELETE%20FROM%20sysobjects ). Or something.

    This is a programmer problem, not a problem with SQL Server. In *many* cases, I use multiple SQL commands in one call through ODBC, for speed. I'm not positive, but I think this is kosher with the ANSI-SQL spec.

    The problem occurs when you don't check the data you are sending to your SQL server through ODBC. For instance, if you let people pass in $value, thinking it's going to be a constraint for a WHERE clause, they could just as easily change that value and add something more sinister.

    You think: "Hmmm, $value will be a number! I'll write, 'SELECT * FROM MyTable WHERE thenumber = $value'."

    Meanwhile, Mr. Blackhat sends 'value=5; USE master; DELETE FROM sysobjects'.

    Again, this is not specific to Microsoft or SQL Server ... so please stop spreading the FUD.

    Of course ... you have to understand SQL a bit

    Indeed...

    -thomas
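
The piggybacked-statement problem thomas describes above, shown as an added example (not code from the thread): the lookup that pastes the request value into the query text, beside the bound-parameter form and a numeric check. It assumes SQLite as a stand-in for the ODBC batch, with the injected payload adapted to `5; DELETE FROM MyTable` because SQLite has no master database or sysobjects table; the table and its rows are constructed sample data.

```python
import sqlite3

# Constructed sample data standing in for the ASP page's backend table.
SAMPLE_ROWS = [(5, "five"), (6, "six"), (7, "seven")]

# Adapted from the comment's '5; USE master; DELETE FROM sysobjects'.
INJECTED = "5; DELETE FROM MyTable"


def setup_db():
    """Create an in-memory database holding the table the comment's query reads."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE MyTable (thenumber INTEGER, label TEXT)")
    conn.executemany("INSERT INTO MyTable VALUES (?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def rows_remaining(conn):
    """How many rows survived; the comment's payload aims to make this zero."""
    return conn.execute("SELECT COUNT(*) FROM MyTable").fetchone()[0]


def run_batch(conn, sql_text):
    """Stand-in (assumption) for an ODBC call that runs several ';'-separated
    statements in one round trip, as the comment describes. The split is naive on
    purpose; it only needs to reproduce the piggyback behaviour."""
    rows = []
    for stmt in sql_text.split(";"):
        stmt = stmt.strip()
        if stmt:
            rows.extend(conn.execute(stmt).fetchall())
    conn.commit()
    return rows


def lookup_vulnerable(conn, value):
    """The comment's pattern: the request parameter is pasted into the SQL text,
    so a second statement after ';' is executed as well."""
    return run_batch(conn, f"SELECT thenumber, label FROM MyTable WHERE thenumber = {value}")


def lookup_parameterized(conn, value):
    """Hardened form: the value is bound as a parameter, so it is data, never SQL.
    sqlite3's execute() also refuses to run more than one statement per call."""
    cur = conn.execute("SELECT thenumber, label FROM MyTable WHERE thenumber = ?", (value,))
    return cur.fetchall()


def lookup_validated(conn, value):
    """Second layer: the comment assumes '$value will be a number', so enforce it
    before the driver sees the value; anything else is rejected, not interpreted."""
    text = str(value).strip()
    if not text.isdigit():
        raise ValueError(f"rejected non-numeric id: {text!r}")
    return lookup_parameterized(conn, int(text))


if __name__ == "__main__":
    db = setup_db()
    print("parameterized:", lookup_parameterized(db, INJECTED), "rows left:", rows_remaining(db))
    db = setup_db()
    print("vulnerable:", lookup_vulnerable(db, INJECTED), "rows left:", rows_remaining(db))
```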

  • Is it *REALLY* Microsoft's fault, and should they *REALLY* call this a vulnerability, when the admin KNOWINGLY leaves a system account with a blank password exposed to the Internet in all its glory?
    I don't think we're directly concerned about whose "fault" this is. Sure - it'll be used in the constant propaganda battle various corporate marketing departments wage. But that's not our focus. What we're concerned with is the press' reporting of the vulnerability.

    Wait. Is it a vulnerability? Certainly. If we can believe this is the exploit Herbless is using, a cursory look at the attrition.org archive will show a handful of gov't and commercial site defacements accredited to him and presume it's involving this default password issue. Web sites are being defaced. Whether it is trivial or not, it's still a vulnerability.

    So how trivial is this? DO sysadmins knowingly put out boxes with default passwords belonging to highly privileged accounts? Common sense would suggest the admins wouldn't leave "the biggest door to [their] house" open. Trivial? Perhaps. Obvious... apparently not.

    So we have a fairly serious situation, one many admins are apparently unaware of, affecting a large number of sites. Isn't that newsworthy?

    Perhaps it's not affecting THAT many sites. Of course, the fact that the Piranha case didn't involve actual defacements seems to argue against that being a pre-requisite of newsworthiness.

    Perhaps Microsoft owns the press and vetoes this kind of coverage. Sure... some of the sources mentioned might be more than friendly towards Microsoft. But not all of them. Besides, bashing Microsoft is trendy in some circles. I'm sure at least a few would have jumped on the chance to show that they're hip.

    Maybe news of Microsoft vulnerabilities just isn't interesting anymore? PHBs are trying to wrap their brains around this whole Open Source juggernaut that just materialized in front of them. Since Red Hat is one of the more tangible phantoms, it's a given that there will be a readership interested in material that deals with Open Source development and Red Hat. Will Red Hat vulnerability news sell? No brainer.

    Of course, this all goes far beyond the cares of your average admin. All exploits are trivial once they're known and a patch / configuration is available. It's just a matter of knowing the vulnerability is there and doing something about it. Any admin can do it. Simple. Trivial.

    How are a majority of sites taken? Trivial exploits known for months if not years by the general community. The challenge developers have, closed or open source, is limiting the exploits available "out of the box".

  • Other large commercial DBs do not require you to set the password.

    Oracle 7 has a default password for SYS of Change_on_install as well as having a password called 'SCOTT' with a password of TIGER, Sybase's default password for sa is also blank, Interbase's default password for sysdba is masterkey. I don't think Informix has this problem, but it is so long since I installed it I can't remember what choices it offered me.

    I think your phrase should have read:

    'A good DBA will know about these holes and will set the sa password as part of the installation process.'
  • Anyone who doesn't have the very basic level of knowledge required to know better than to leave the SA password blank doesn't have any business running a security-sensitive system, regardless of the vendor. SQL Server and Oracle are TOOLS. Installed straight out of the box they do essentially NOTHING - someone who only knows to click the 'next' button on the install wizard has no use for an RDBMS.

    Don't get me wrong, I think not making the SA password change a part of the install is a bad idea, since it's easy to forget when you get busy with making your database actually do something. The only flaw here is in the wizard.

    As for the ability to control the OS from SQL, that's not a bug, that's a feature. =] Granted, it's not a feature most of us use, and the stored procedure should probably be removed. That's just another part of being aware of the security implications of any system you put on the Internet.

    As for the original note's comparison of the Piranha thing and this non-problem, get a life, people. What is it with /.'ers and this persecution complex? It's worse than an old Amiga users group meeting. Stop whining about the unfair treatment of Linux in the media and worry a little more about putting out some quality code.
  • by VAXGeek ( 3443 ) on Monday August 21, 2000 @10:34AM (#839474) Homepage
    the default password is:
    .seineew era sreenigne taH deR
    ------------
    a funny comment: 1 karma
    an insightful comment: 1 karma
    a good old-fashioned flame: priceless
  • by graniteMonkey ( 87619 ) on Monday August 21, 2000 @12:35PM (#839475)
    I don't know what all you guys are complaining about. I always set my sa password to 'sa' right after I install my database. How hard is it to follow good security practices?
  • Except that you can't use enable without a set password from a telnet session. Only through serial. This is the equivalent of only being able to walk up to the MSSQL server and execute commands on the console. The worst a non enabled user can get is very little. Nothing can be changed. This too is read only. Even with no password you can't reload the router or format my flash disk!
    Trust me I forgot to put an enable password on a switch I run, and I can't do a damn thing with it :-(
    I guess I will have to put one on eventually :-)
  • You probably won't hear much about the fact that Brown Orifice also (for the most part) works on IE.

    Such is life.
  • It strikes me that there's a link between the response of the judge in the 2600 decision [slashdot.org] and the response of the different press sources cited in this article.

    What they have in common is a mistrust and fear of those who make, support, and use <free, open-source, ... your favorite term here> tools. This mistrust produces a hostility toward the people involved as well as toward the tools themselves.

    You didn't ask me, but that looks to me like the reactionary response by those who are frustrated by the reported technical successes of free software. DeCSS seems like deeper, more offensive magic if you assume that CSS started off being very secure. Linux and Apache seem like upstarts [netcraft.com] if Microsoft has been your sole introduction and guide through the world of personal computing.

    It's also related to how religiously and self-righteously we tend to hop on those successes. Some people are used to hearing paid PR and marketing folks doing that, and it sounds like the pretty background noise of commerce to them.

    Community-produced software, on the other hand, makes noise that sounds more like revolution to some ears, in part because it's not looking lucrative [lwn.net] in the traditional sense.

    There's nothing wrong with wanting judges to make rational decisions, or media sources to make reasonable reports. It's foolish, on the other hand, to believe that either is likely, let alone assured.

    The real answers come as we address technical issues, even while we're indignant about and frustrated by the falsehoods and prejudice.

    While I don't want to live in a technocracy, I prefer my software built there, y'know?

  • Not trying to be flamebait here, but does anyone other than me find it a little wrong that the default password was actually published instead of a description of the vulnerability without the password? I mean, sure, if someone wants to post the default password, that's their right, and yes, I'm kinda blaming the messenger here, but why encourage exploitation of this type?

    I've heard the argument that Microsoft won't fix it unless the vulnerability is made public, but doesn't everyone know that to be bullshit? I mean, Outlook's flaws were explained in detail, and instead of Microsoft fixing 'em, I just get more internal memos from the IT department telling me what subject-lines will delete the contents of my hard drive and send itself out to every member of the firm. Clearly telling the public how to make an exploit can only aggravate the problem, so why do people insist on doing it?

  • by Shoeboy ( 16224 ) on Monday August 21, 2000 @10:37AM (#839481) Homepage
    This is how I got domain admin rights on the houston domain at microsoft. (that's where all the MSN servers reside) I love the blank password. Why'd they have to go and tell the DBA's about it ;(
    This isn't new, it's been around for ages. It was there in the first MS SQL Server version 4.21a.
    It's ancient and it's beautiful.
    Like all NT services, SQL can be run under a domain admin account. It frequently is. SQL also has a command called 'xp_cmdshell' that allows you to shell commands to the OS.
    Executing an xp_cmdshell 'net group "domain admins" username /ADD /DOMAIN' will make you a domain admin.
    I love this.
    --Shoeboy
  • by Shoeboy ( 16224 ) on Monday August 21, 2000 @11:41AM (#839484) Homepage
    'Rooting' an SQL db does not give you as much control over a machine as rooting the whole OS does
    RTFM
    xp_cmdshell
    xp_regaddmultistring
    xp_regdeletekey
    xp_regdeletevalue
    xp_regenumvalues
    xp_regread
    xp_regremovemultistring
    xp_regwrite
    --Shoeboy
  • "Ease of use" implies sane defaults. In the case of passwords, a sane default is forcing the user to choose one of their own. (This may be a 'stupid' password, but a stupid password that needs to be guessed is better than a password that any script kiddie can put in a script -- and that is better than no password which is easy for somebody to guess by accident. I hit return, and it let me in.) It's like the difference between a blast door, a screen door, and no door whatsoever.

    As for the difference between a proprietary system and an O/S system, when you buy from Microsoft, you have to accept their defaults. If RedHat or Debian insisted on distributing systems that installed with root passwords I'd always have the option of building my own distribution and giving that to my friends without having to worry about them suing my ass off for saving my newbie friends' butts.

  • To complete the setup of the server, and create the storage space to STORE your data (read: You can't.. can NOT.. skip this step and expect it to work right, er, at all.) you have to login as 'sa' with no password.
    RTFM on integrated security
    isql /E -- login as sa regardless of the password as long as you're in local administrators (which you have to be to install the silly thing)
    --Shoeboy
  • I think that we've beaten the "if any good sysadmin knows to change the password, then why didn't Microsoft force Newbie sysadmins to do the same" horse to death.
    The next question is: how come this isn't big news?

    I think that there's a benign answer to this one: It's not sexy anymore.

    When the Piranha thing became known, MS had just been beaten to death over all sorts of security bugs, including their backdoor fiasco. The general subject was hot news.

    Now a security company (friendly to MS, of course), sends out a press release with everything short of "Back door security vulnerability virus!!!!" in neon pink.

    For MS apologists, this would look like a silver smoke grenade to cover their own back door. They're going to push it all they can. Sites like MSN could probably be expected to push it to the max.

    Properly spun, it would look, to many news editors, like 'the next big headline'. The last thing that they'll want is to be scooped. Given the time constraints and lack of technical savvy on the part of many journalists, they're most likely to eat the press release and regurgitate with minimal digestion.

    In this case, however, back doors and default passwords have been out of the news for a while now. Sites affected are likely to be small to medium (yahoo and Hotmail better have sysadmins who know to change the password). It's simply not sexy.

    As an analogy: If some US sailor had dropped a hand grenade and blown up two of his buddies on a US Nuclear Sub 6 weeks ago, it would have been front page news at the sub's home port, and rated a light aside anywhere else. If it happened this week, with the Kursk a multi-billion dollar mass coffin on the bottom of the ocean, it would be front page news. The news itself wouldn't be any different, but the context would.

    Never assign belligerence to something that can be adequately explained by mere stupidity.

  • It listens on port 1433 if I remember correctly. I'm not a h4X0r or anything like that, but I've developed some web sites for people using ASP (god, what I wouldn't have given for types, that's not asking too much is it?, anyway..) In the process I read some stuff on a few asp web sites and found info on an IIS exploit that (when not properly patched) allowed you to view asp code as plain text. That's no big deal, no one includes anything critical like passwords in their asp code do they? I was pretty amazed when I saw a fairly high-profile e-commerce web-site had their SQL Server passwords there in plain text. Not only that but they hadn't been changed from the default "sa". This was the first web-site I tried so I am sure it is not an isolated case. My point (I do have one) is that people who should know better, who spend millions on advertising, still can't set up their database correctly (or treat security as a product, not a process 'cause that would be too expensive). All the best software isn't worth a pinch of shit if you don't set it up correctly. I don't think anyone in the linux community would claim that linux is totally secure out of the box. The problem is how insecure SQL Server and a lot of other MS products are. Our sys-admin has a list of a couple of hundred things you have to do to make a fresh NT box something approximating "secure". I think the vulnerability in SQL is a real problem, and as you point out it has been a real problem for some time. There are hundreds, possibly thousands of web sites out there with a major security hole in them and you call it hysterical handwringing.
  • by brad.hill ( 21936 ) on Monday August 21, 2000 @01:09PM (#839520)
    I remember reading a security survey done MONTHS ago about this very same vulnerability. They picked out a couple of dozen e-commerce Web sites and found that a shocking number of them had SQL server running on the *same machine* as IIS, with no firewall of the SQL server ports and the default logins and passwords still enabled. They were able to log in and get credit card numbers, addresses and expiration dates, along with any other personal information collected about customers.

    Most of the sites that were in this sorry state were systems put together by MCSE consultants.

    Now, I don't have hard evidence to back this up, but I think you'd be pretty unlikely to get that kind of sorry ass configuration from IBM, Oracle or Sun certified consultants using Unix systems. (Linux is another story, but they're not even nearly in the same league as Microsoft when it comes to professional services and turnkey solutions.)

    The meatspace metaphor is more like hiring a certified contractor from the world's biggest burglar alarm company to install a home security system, and he leaves the default disable code in the system or installs the master override switch on the outside of your house. The alarm company may not be directly at fault, but there is a strong case for negligence/fraud regarding the "certification" program that is really just a marketing tool.

  • by weinerdog ( 181465 ) on Monday August 21, 2000 @11:56AM (#839524) Homepage
    You can't blame the poor admin. Show me where, in the MCSE training manuals, it tells you that having a null password is a bad thing.
  • > VMS default system account SYSTEM/manager, default service account FIELD/service

    When I last used VMS c. 10 years ago, you had to enter new passwords for privileged accounts as part of the installation process. I know this personally, because I did quite a few VMS installations myself.

    The "standards" you report were just the stupidity of bogo-gurus that wanted an easy-to-remember password. Yes, I heard of lots of security audits where the first test was to try to log on to "system" with "manager", and lots of people failed it. But in every case it was because some dumbass typed "manager" in and then re-typed it for verification.

    Lots of VMS-based software products created an account when you installed them, but without fail you had to pick your own password when you installed the product, if it was a Digital product. (Most 3rd-party s/w required it as well because it was an easy call in the VMS installation library.)

    Possibly the VMS engineers have gotten stupid in the last 10 years, but I doubt it.

    --
  • > The press jumped all over the "backdoor" RH had, but don't touch SQL server despite it being a more dangerous configuration.

    Simple explanation. The RH "backdoor" came up about a week after the (false alarm) "weenies" backdoor scare for Windows. The media had to protect their interests by making much of the fact that RH was "just as bad" as their primary source of ad revenue.

    Their fears of people migrating from Windows to Linux (and thus cutting off their primary source of revenue) seem to be well founded, because fear of deliberate backdoors is one of the most oft cited reasons for parties outside the USA to want to use OSS.

    Now the situation is just the opposite, i.e. this makes MS look bad rather than RH, and the media don't want to bite the hand that feeds them.

    --
  • You've totally done an end run around the point here.

    Microsoft makes security gaffe, they get to say "Pay no attention to the man behind the curtain...look over there at that shiny new SQL 2000! Buy it today for $umpty bajillion dollars!". Media buys it lock stock and barrel. (mostly)

    Red Hat makes minor, non-destructive security gaffe, and the media calls into question an entire programming philosophy. (mostly)

    The mechanics of the gaffe are not really interesting to the REAL issue here...namely, the self-administered blowjob Microsoft enjoys on the major news organs (one of which has become MS's bitch).

    You're right. Anybody who doesn't change the SA password shouldn't be allowed near any devices with buttons on them. However, Microsoft should have been pilloried for this, and they weren't. They successfully pointed the finger at the hapless (clueless, feckless, reckless, and really really dumb) admins whose training they (MS) designed (poorly) and subsidized and advertised.

    (Enjoying the parentheticals?)
  • Sad but true... Perhaps MS should paste the following on the NT option pack CD?

    If you do not change default passwords, you are an idiot.

    If you do not place your database server inside your firewall, you are an idiot.

    If you let your ASP application connect to the database as sa, you are an idiot.

    If the database users you use to connect to the database have privileges to do anything more than they need, you are an idiot.

    If you do not check all user data (text fields, URLs, etc.) before passing it on to the database, you are an idiot.

    If you are an idiot: thank you for purchasing this software. Too bad you are too stupid to use it.

  • Yes, but if you know how to set that up you probably know enough to change the password, too.
  • by AJWM ( 19027 ) on Monday August 21, 2000 @01:24PM (#839541) Homepage
    Let's take this little bit of humor into meatspace.. You open the biggest door to your house to get in, and leave it open. You settle in for a day, and then go out to party... but you leave the door open still. You are robbed blind and silly, and there's not even a broken window, because *you* left the door open.

    Nope, more like you have a lock installed on your door made by a manufacturer who ships all locks keyed to the same key, and expects you to re-key the lock when you install it. You do lock the door behind you (but haven't rekeyed the lock) and somebody else using his copy of the key breaks into your house.

    This puts 3, the company that made the lock, at least partly in the wrong, although it's probably still your fault for choosing that lock company in the first place.
  • *KNOCK* *KNOCK* This is MasterCard, you are infringing on our ad phrases. Because people might become confused and think you are representing MasterCard or that MasterCard is sponsoring your posts, we are going to sue you now.
  • by El Huevo Anales ( 223884 ) on Monday August 21, 2000 @10:38AM (#839546)
    As someone who has installed SQL server a few times, let me say this....

    When you setup the software, it creates the sa account and asks you to set a password. It is blank by default. If you don't set one, you are an idiot.

    But it doesn't matter if the default is blank or 30 characters long, if it's a default you should change it. This is true with any piece of software, MS or otherwise. And of course OSS is going to get bashed, since you have so many zealots SCREAMING about how secure OSS is, and how crappy MS is.

    EHA

  • Microsoft has put online a number of articles and tutorials to secure SQL server. They can be found here:

    http://www.microsoft.com/technet/security/database.asp [microsoft.com]

    When you read those articles, for example the SQLserver 7 security how to here [microsoft.com], with good tips on securing databases inside SQLserver, ODBC links to databases etc etc, you'll learn that SEVERAL TIMES you're advised to give the 'sa' account a secure password (that is: a password difficult to guess) and NEVER USE the 'sa' account again, only in case of trouble. You're advised to set up accounts in NT and to use these inside SQLserver, and how to use NT security over SQLserver security (thus, using NT accounts instead of SQLserver accounts, like the 'sa' account, over trusted pipes.)

    I simply don't understand why MS has to be blamed for typical misbehaviour of end-users. If an end user doesn't want to read the articles online or doesn't want to understand the issues concerning security and internet when installing and setting up corporate systems (we're not talking a desktop system here), why is it suddenly the vendor's problem? "Yes, dear RedHat helpdesk guy, I did rm -rf /* when I was logged in as root, why is it MY fault that everything is gone?".


    --

  • Everyone knows that Microsoft only makes perfectly secure products. Only that Linux stuff has security holes, and people need reminded of it constantly (even if it's not a completely accurate reminder).
  • To complete the setup of the server, and create the storage space to STORE your data (read: You can't.. can NOT.. skip this step and expect it to work right, er, at all.) you have to login as 'sa' with no password.

    Can anybody confirm this, and confirm that this is not true of Piranha? I.e.: is SQL useless unless the user logs in at least once, and is Piranha usable without using the password?

    Among all the noise here, this is the first coherent response that indicates that in fact the two pieces of software might be different.

  • by tuffy ( 10202 ) on Monday August 21, 2000 @10:39AM (#839557) Homepage Journal
    When RedHat has a vulnerability, it's news because such things are pretty rare. When Microsoft has a vulnerability, it's not news because it happens so damn often. To widely publicize it is like putting "Sun To Rise" as the morning headline...
  • by FascDot Killed My Pr ( 24021 ) on Monday August 21, 2000 @10:40AM (#839564)
    During the Piranha furor anyone who wrote any kind of negative story was told "not a backdoor, this is not really news, read the manual, etc". Maybe the explanation is not "they hate Linux and are out to get us" or "they are obviously in the pocket of MS" but instead "now they understand that a default password, while bad, is not really newsworthy". The REAL test of that hypothesis will be the NEXT Linux default password issue. If it gets reported, then we know MS problems are being ignored while Linux problems are not.
    --
  • What's all this hoopla about this default password being "discovered" last Tuesday?? For the love of poop, this default password thing wasn't discovered! It's a freaking documented thing, and it's been in every version of Microsoft SQL Server that I've ever used. It goes without saying that anyone who neglects to change the default password is an idiot. How is this a new issue? Microsoft SQL Server has been around for years and years. There's nothing at all new about this. Saying that all this stuff came to light last Tuesday is complete baloney.

    --

  • Write a COM object and have it impersonate another NT account. Have it talk to the database.... BTW, I agree that the stupid passwords shouldn't be sent clear, but DON'T USE IT!
    ---
  • I wasn't saying it was. The guy asked in his post if Piranha was, and said he thought it was. I corrected him. Does everything have to be an us-vs-them thing around here? Can I not state one fucking fact without someone making it into an argument.

    sig:

  • Is it *REALLY* Microsoft's fault, and should they *REALLY* call this a vulnerability, when the admin KNOWINGLY leaves a system account with a blank password exposed to the Internet in all its glory?


    Repeat after me. Installations should be secure by default, insecure due to administrator action. The converse is NOT true.

    So now, for penance, I suggest you go to OpenBSD [openbsd.org] and catch a clue on creating systems with security appropriate for being placed open on the net.
  • So what's really all that new about this? That the press is apparently taking sides? That happens all the time. That another Microsoft-specific security hole is not getting much attention while a similar open-source one is? That's what happens when the press takes sides. Same old, same old...
    What I would like to see is an article in some major publication that points out that anyone dumb enough to *not* change a *default* password that allows a user "god-like powers" is going to be experiencing some problems whether they are using open-source or proprietary systems. If you don't change default behavior of your machines, that isn't really the fault of the company that shipped it to you. That's just bad policy.
  • I do believe it was described as a "blank" SA password. Seems a bit OTT to me, but that's what it says. Also the fact that it "does not ask for a SA password during installation" also seems to point to a "blank" password.
  • The article seemed to hint that MS is more trusted than Red Hat as a purveyor of software. In my opinion, few companies can be less trusted than Microsoft. They release new features like e-mail scripting, with no regard for security whatsoever. When this is exploited, it takes them several weeks to release a patch (all the while shooting out press releases that the patch is "coming soon"). Even the patch doesn't ensure a problem-free setup -- it breaks functionality with Palm Outlook conduits, for example.

    Remember when we could laugh at e-mail forwards like "Do not open a message with 'Good times' in the subject"? Well, thanks to Microsoft innovations, these are now very real advisories. The IT department at the large office where I work put up hundreds of flyers to ensure that people didn't open these attachments. Many people still did, out of curiosity or just plain stupidity. The solution? Reconfigure the mail server to reject these things outright.

    Microsoft has cost many people hours in overtime reconfiguring systems that were designed poorly from the get-go, and then has the gall to blame administrators. Good Lord, man, someone needs a whooping with the clue stick.
  • Here's another analogy. A young couple buys a new house. The manufacturer gives them the keys and a manual. The couple tries the keys, the keys work, so after they've moved in they lock up their house and go to a movie. They come back to find their house robbed. They read the manual and it turns out the keys they were given were standard manufacturers keys, the same for all the houses in the lot.

    So who's to blame? The manufacturer for handing out generic keys? The couple for not reading the manual? I think it's pretty clear that the manufacturer should be to blame for not telling the couple the keys were generic when he handed them out.

  • The (problem?) is that a Microsoft vulnerability isn't news, unless a *lot* of people get hurt by it (e.g., Melissa). Not to put down Microsoft, but it is fairly common knowledge, even among the ZDnet readership, that Microsoft products frequently ship with their pants down ^H^H^H^H^H^H^H with their security features disabled. So, where this is just more of the same, it's not news.

    On the other hand, open source folks usually like to crow about the security of their systems. Consequently, a security hole (even one like this, where the vulnerability is due to incompetent administration) is news.

  • Fred Moody was nice enough to quote me and completely take them out of context/etc. My response to him: http://www.securityportal.com/topnews/moody20000821.html [securityportal.com].

  • The place where I work has had this hole in place since it started using IIS a few years ago. Since then, we've grown to have two HUGE websites, both running off of a 300+ gig database, as well as a huge array of support programs. Guess what? ALL of them log in using sa with no password. Guess what? ALL of them have to be changed. Guess what? No one wants to do it because if something broke in the process, we'd be dead in the water. Never mind that we WILL be dead in the water when someone finally hacks us.

    I'm in Dilbert Hell!
  • Don't tell me -- you used to work for MicroSoft before you started defending RedHat?

    My understanding was that Piranha was NOT enabled by default (It may have been installed, but default configs did not run it.)

  • by BillyG ( 100244 ) on Monday August 21, 2000 @10:45AM (#839610) Homepage
    Oracle has two equally critical accounts, SYSTEM and SYS, with well-known default passwords of "manager" and "change_on_install". Fail to change those, and your Oracle db is just as open as a blank-password sa account on m$ sqlserver.

    MySQL (I'm rusty here: correct me if I'm wrong) also defaults the root user to no password, like the m$ sa user.

    Not defending m$: Just pointing out that this is fairly common practice, and that there is indeed some responsibility to "know what you're doing" when opening a database up to the world ...
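    The install-time check that several posts above ask for (set the privileged account's password before setup can finish, and refuse a blank or well-known default), as an added example that is not from this thread or from any vendor's installer. The default values it refuses are the ones named in the thread (blank sa, Oracle's "manager" and "change_on_install"); the minimum length and the message texts are assumptions made here.

    ```python
    # Added example: an install-time password policy for a privileged account.
    # KNOWN_DEFAULTS lists the vendor defaults named in the thread; MIN_LENGTH
    # and the wording of the messages are assumptions made for this example.
    KNOWN_DEFAULTS = {"", "sa", "manager", "change_on_install"}
    MIN_LENGTH = 8


    def check_new_password(username: str, password: str) -> list:
        """Return the policy violations for a proposed password (empty list = ok)."""
        problems = []
        if password == "":
            problems.append("blank")
        elif password.lower() in KNOWN_DEFAULTS:
            problems.append("well-known vendor default")
        if password and password.lower() == username.lower():
            problems.append("same as account name")
        if len(password) < MIN_LENGTH:
            problems.append("shorter than %d characters" % MIN_LENGTH)
        return problems


    def run_setup(username: str, attempts) -> str:
        """Simulated setup step for a privileged account: keep asking until a
        candidate passes check_new_password(). There is deliberately no skip
        path, so setup cannot complete with a blank or default value."""
        for candidate in attempts:
            if not check_new_password(username, candidate):
                return candidate
        raise RuntimeError("setup aborted: no acceptable password given for %r" % username)


    if __name__ == "__main__":
        # Constructed inputs standing in for what an operator types at the prompt.
        print(check_new_password("sa", ""))
        print(run_setup("sa", ["", "sa", "correct horse battery staple"]))
    ```

    The point of `run_setup` is the loop with no exit other than an acceptable password: the installer the thread complains about lets the step be skipped, which is what leaves "sa" blank in the field.
    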
  • by v4mpyr ( 185039 ) on Monday August 21, 2000 @10:45AM (#839615)
    "does anyone other than me find it a little wrong that the default password was actually published instead of a description of the vulnerability without the password?"

    As a subscriber of the SecurityFocus lists I have noticed that the media often doesn't even get a drift of a problem such as this until it has been thoroughly discussed, solved and broadcast to the thousands of other list subscribers. Like it or not few of these subscribers are our ever beloved crackers. Simply put, the media is just publishing already common (in the security world anyway) knowledge.
  • The Power of the media lies not in how it tells its stories, but in which stories it chooses not to tell.

    wishus
    Vote for freedom! [harrybrowne2000.org]
    ---
  • Let's take this little bit of humor into meatspace.. You open the biggest door to your house to get in, and leave it open. You settle in for a day, and then go out to party... but you leave the door open still. You are robbed blind and silly, and there's not even a broken window, because *you* left the door open. Who is at fault? (Other than the robber)
    1. The person who built your house
    2. The bank, for owning your house
    3. The company that made the lock
    4. Your sorry ass for leaving the door open
    I vote 4. Who's with me?

    5. The insurance company, for publicizing a case just like this that happened in the neighborhood, but implying that only Open Source houses were vulnerable.

  • Slashdot once again defends Linux when someone claims there is a bug by shouting loudly that it's not a bug, but something that should be addressed by proper system administration...

    Then turns around and blasts Microsoft for an identical issue (which of course is now a major bug!). And to top it off, the media gets blamed for bias... talk about your pot and your fscking kettle.

    It's true... every remotely competent sysadmin has already changed the sa password and it's been common knowledge for years. It's a stupid vulnerability that M$ should fix by prompting for an sa password as part of install. It's almost exactly like the RedHat non-bug, and as a result, is a non-bug now too. It IS a design flaw and it SHOULD be corrected.

    - StaticLimit
  • I have Leonard Cohen stuck in my head:

    "Everybody knows that the dice are loaded...
    Everybody rolls with their fingers crossed.
    Everybody knows that the war is over...
    Everybody knows that the good guys lost.
    Everybody knows that..."


    Funny thing about that song - no matter where you are or what you're doing, the lyrics seem uncannily relevant to what is happening.

    (Maybe I need to burn me a Happy Album (with lashings of Optimism)).
  • by Pinball Wizard ( 161942 ) on Monday August 21, 2000 @10:46AM (#839629) Homepage Journal
    I can't recall a single book I've read on SQL Server that did not instruct the reader to change the sa password immediately after installing. That is one of the most basic principles and if you don't know that, you have no business installing SQL Server at the professional level.

    The fact that there might be someone out there clueless enough to omit this essential step is a far greater security concern than the fact that MS didn't include the changing of the sa password in the install wizard. Bottom line is, if you expect to be secure, you have to have people who know what they are doing. Someone has to read between the lines of all the GUI's and wizards and actually know what is going on.

  • OK now... I'm convinced that the "default password" is a design flaw... but the media HAS reported on this, I remember reading about it months ago on MSNBC. Check out the article [msnbc.com] where they say: "Not only were the sites storing the credit cards in plain text in a database connected to the Web -- the databases were using the default user name and in some cases, no password. [CLIP] It included about 20 Web sites which either had no password protection at all on their database servers -- in each case, they were running Microsoft's SQL Server software "

    So maybe it's not a technical article... but the media has reported on this vulnerability of SQL Server... and the criticism is from Microsoft-sponsored MSNBC, no less.

    -rt-
  • by Megane ( 129182 ) on Monday August 21, 2000 @10:46AM (#839633)
    There's also another nasty "non-vulnerability" being reported on BugTraq [brim.net] related to IIS and the built-in web server in Windows 2000.

    An undocumented HTTP request header of "Translate: f" will cause the web server to return the source code of an ASP page! And often, this source code contains juicy tidbits like SQL server passwords, not to mention the business logic behind the web site.

    Upgrading to W2K SP1 is enough to fix this bug, but with Microsoft's history of NT4 service packs, it's understandable that nobody is in a hurry to upgrade.
  • We purchased clustering software from a third party vendor that used SQL server extensively. (Name omitted for obvious reasons) The way their system was set up the "sa" passwd could not be changed. Other programs were hard coded to use this default passwd.

    I asked the vendor two very important questions:
    1) Why am I allowing all of these other machines to connect as the sysadmin anyway??
    2) When will this be fixed?

    The answer to both? "Um..."

    I know many of you will say that this is a case that won't happen often, but I beg to differ:
    One of our Sun based systems has a "default" root password. Changing your root passwd has the unfortunate side effect of none of the users being able to log in. The company that sold us the software has no idea why this is, and we were the first site to report this vulnerability. (?backdoor?) This is a vendor that has been in business for 20 years, and our systems are 5-6 years old. Of course this does mean that I could wreck the publishing industry some day...

    Of course, an attack on an NT workstation on port 139 and a "net users" can yield up a domain's worth of unames, and trying each with a blank password is almost guaranteed to get you into most corporate domains. Extract the SAM DB and get a copy of L0phtcrack...

    Some days this stuff is just too easy...

    Outlaw blank passwords!!!!!

    Always change any default passwords while the vendor is still in the building!!! If you ever receive a machine that is vulnerable in the way mentioned above, refuse delivery. Tell the vendor that you will not sign off on the install until these are fixed, and also that they will not get paid....

    You are already ahead of 80% of admins out there.

    ~Hammy
    "Good, Bad, I'm the guy with the root access." ~AOD
  • by jpowers ( 32595 ) on Monday August 21, 2000 @10:47AM (#839638) Homepage
    As the folks at 2600 will tell you, companies like MS won't fix dangerous security holes like this unless there's a scare. IT folks see the security vulnerability story and say "whatever, it'll be in the next service pack." If they see the password is public knowledge, though, they call M$ and throw a nutty. My guess is Redmond's working on it and won't admit there's a problem until they can say "...and here's the solution." Makes them look good, you know?

    -jpowers
  • The BUILTIN/System account is a password within SQL Server, not a password within the NT logon environment. Don't get me wrong, you could wipe out an entire e-commerce site's database in a few minutes, but that is not the same thing as being Administrator. You can not, for example, delete files on a local hard drive. Although now that I think about it, since SQL Server uses COM, you could write a vicious ActiveX control to delete the files. Not sure how you would upload the ActiveX control to the database, but I'm sure a motivated individual would have few problems :)
  • Unfortunately, MS went and made the installation more user-friendly when they put together Small Business Server, of which SQL Server is a part. So they dropped, amongst other things, the need to set the sa password. Luckily, I'd read up in advance of getting the system. Doh!
  • This is rather like the US army blaming Vietnamese kids for stepping on land mines. If they knew what and where they were, they wouldn't step on them.
    More directly, it's like RedHat installing the system with an empty root password. If you've got a UNIX veteran installing the system who KNOWS about the login, KNOWS how dangerous it is and doesn't just forget to change all these, not necessarily documented, default user passwords then you're fine.

    On the other hand, the users who don't know to fix this without having to be told are the most at risk. Given that MS claims to be the OS for ignorant users ("linux is for experts") this is kinda like the pesticide manufacturers promoting cherry and bubble-gum flavoured pesticides (I kid you not! [vancouversun.com])

    It also sounds like the SQL server may CREATE a user with a blank password. If this is the case, then it would become a case of a login that didn't previously exist suddenly giving remote users the ability to seriously 'own' your machine.

    In any case, this is rather like Linux installing with a blank root password. (or MySql installer adding a root user with no password, if that's what this bug does). Any half-ass distribution source should know far better than to do something like that.
    You can blame the Royal Swiss Navy [vcn.bc.ca] for not replacing the screen doors on their submarines, but it was a stupid manufacturer who installed them in the first place.

  • It was with this one particular release of M$SQL that the sa password was left blank during install, with no prompt or warning. Prior versions had a less user friendly install which would prompt for an sa password, ensuring most sites were protected. So idiots installing this latest release would leave the password blank. It has been on the market for a few months now, and the script kiddies have had a scanning kit for at least 2 months.

    Those of us who watch security probing trends, noticed a huge increase in scanning on ports 1433 and 1434. When there was an M$SQL server sitting on 1433, the script checked for a blank password. It took a month of detective work by the white hats to come up with a reason for the sudden increase in this particular exploit. Now the egg is on micr~1.oft's face, but their PR department has squashed most news coverage, which is the reason for this /. rant^H^H^H^Harticle.

    the AC
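    The trend the post above describes, a rise in probes against ports 1433 and 1434 across many hosts, is something a firewall log can show before any server is touched. The following is an added example, not code from this thread or from the honeypots it mentions: a small parser over constructed firewall-style drop lines (the log format, the addresses and the `min_targets` threshold are assumptions made here) that counts hits on the two ports and flags sources sweeping several hosts.

    ```python
    import re
    from collections import Counter, defaultdict

    # Constructed firewall-style log lines (not from any real device); the
    # addresses are documentation ranges. One source sweeps four hosts, one
    # client connects once, one hit is on port 80 and so is not counted.
    SAMPLE_LOG = """\
    Aug 21 10:01:02 fw kernel: DROP IN=eth0 SRC=198.51.100.7 DST=203.0.113.10 PROTO=TCP DPT=1433
    Aug 21 10:01:03 fw kernel: DROP IN=eth0 SRC=198.51.100.7 DST=203.0.113.11 PROTO=TCP DPT=1433
    Aug 21 10:01:03 fw kernel: DROP IN=eth0 SRC=198.51.100.7 DST=203.0.113.12 PROTO=TCP DPT=1433
    Aug 21 10:01:04 fw kernel: DROP IN=eth0 SRC=198.51.100.7 DST=203.0.113.13 PROTO=UDP DPT=1434
    Aug 21 10:01:05 fw kernel: DROP IN=eth0 SRC=192.0.2.44 DST=203.0.113.10 PROTO=TCP DPT=1433
    Aug 21 10:01:06 fw kernel: DROP IN=eth0 SRC=192.0.2.45 DST=203.0.113.10 PROTO=TCP DPT=80
    Aug 21 10:01:07 fw kernel: ACCEPT IN=eth0 SRC=10.0.0.5 DST=203.0.113.10 PROTO=TCP DPT=1433
    """

    # The two ports the post reports being scanned.
    SQL_PORTS = {1433, 1434}

    # Assumed log layout: key=value pairs as in the constructed lines above.
    LINE_RE = re.compile(
        r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) PROTO=(?P<proto>\w+) DPT=(?P<dpt>\d+)"
    )


    def parse_lines(log_text):
        """Yield (src, dst, proto, dport) for every line the regex understands."""
        for line in log_text.splitlines():
            m = LINE_RE.search(line)
            if m:
                yield m["src"], m["dst"], m["proto"], int(m["dpt"])


    def sql_port_hits(log_text):
        """Hits per SQL Server port; watching this number over time is the
        trend the post describes."""
        return Counter(dport for _, _, _, dport in parse_lines(log_text) if dport in SQL_PORTS)


    def sql_scan_sources(log_text, min_targets=3):
        """Sources that touched SQL ports on at least min_targets distinct hosts.
        One connection looks like a client; a sweep across many hosts looks
        like a scanner. Returns {src: sorted list of targets}."""
        targets = defaultdict(set)
        for src, dst, _, dport in parse_lines(log_text):
            if dport in SQL_PORTS:
                targets[src].add(dst)
        return {src: sorted(dsts) for src, dsts in targets.items() if len(dsts) >= min_targets}


    if __name__ == "__main__":
        print(sql_port_hits(SAMPLE_LOG))
        print(sql_scan_sources(SAMPLE_LOG))
    ```

    The threshold on distinct destinations is what separates a legitimate client from a sweep; on a real log it would be tuned to the size of the address space the firewall fronts, and the same counters can be kept per day to see the increase the post talks about.
    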
  • by barracg8 ( 61682 ) on Monday August 21, 2000 @10:50AM (#839655)
    You seem to be missing the point.

    If you omit the section 'Piranha: A Case Study' above, you could be right.

    This is not about whether having a default password is leaving open a backdoor, but about the media treatment of Linux and NT.

    Linux (well, a linux service) has a theoretical problem, only allowing read-only access, and no reports of it ever actually being exploited: Linux is "basically a bunch of peoples' hobby."

    Windows (you know the drill) has a real problem, allowing root equivalent access, it *IS* actually being exploited: Eerie silence.

    Why?

    Is this a media conspiracy against Linux?
    Probably not. Probably just lazy journalism.
    The minute that MS heard about piranha, they will have gone into spin frenzy, putting words into journalists' mouths, and basically writing the reports for them. We can't stop this happening - we just have to do it ourselves.

    Linux just needs better PR.
    Why have you forsaken us, ESR?

    cheers,
    G
  • So why haven't you read about it?

    How about because most pieces of software for the past 30 years have shipped with default passwords?

  • So why haven't I read about it? Because I get all my news from slashdot, and this is the first they posted it :-)

    Seriously, this exploit has been known for many weeks now. Probes for MS-SQL ports have equalled all other probes on our honeypots. When we did put up an MS-SQL server and recorded the responses, it seems there are already several kits out there looking for a blank sa password. Silly us, we set the sa password to sa, and nobody guessed :-)

    You are right about the press giving micr~1.oft a free ride. But wait until this exploit gets some better kits. 'Rooting' an SQL db does not give you as much control over a machine as rooting the whole OS does, and the general lack of SQL knowledge out there will limit what script kiddies can do. But given the widespread use of M$SQL server for web engines, there should be some spectacular hacks in the coming months.

    Other large commercial DBs require you to set the sa password as part of the installation process.

    the AC
  • by jedm ( 93474 ) on Monday August 21, 2000 @10:53AM (#839663)
    Micro$oft considers it a feature that you can piggyback queries passed through an ODBC connection. What does this mean? This means that websites using ODBC connections to run queries (translation: dynamic pages) are extremely vulnerable to "tinkering" with. Basically, if someone is passing variables into a page (say index.asp?variable=5) then you can piggyback your own query after that (say index.asp?variable=5%20DELETE%20FROM%20sysobjects ). Or something. Of course you have to have permissions, and you have to understand SQL a bit -- but hey. 'tis a bit scary. See the link [phrack.com] to phrack, the relevant info is down towards the bottom. Again, this is old -- as in from SQL Server 6.5 days.
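    The query-piggybacking the post describes, shown as an added example that is not code from the article or from any poster: an in-memory SQLite table (constructed sample data) stands in for the SQL Server database behind a page like index.asp?variable=5, with the vulnerable string-building handler beside a hardened one that validates and binds the parameter.

```python
import sqlite3

# Added example, not from the article or any poster.  SQLite is used so the
# code runs offline; the query-building mistake is the same one the post
# describes for ODBC-backed ASP pages.

def make_db():
    """Constructed sample data: two product rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE products(id INTEGER PRIMARY KEY, name TEXT);"
        "INSERT INTO products VALUES (5, 'widget'), (6, 'gadget');"
    )
    return conn

def lookup_vulnerable(conn, variable):
    """Pastes the request parameter straight into the SQL text.

    executescript runs every statement in the string, mirroring the batch
    behaviour the post describes: a parameter of '5; DELETE FROM products'
    runs a second, caller-chosen statement.  The rows still present
    afterwards are returned so the damage is visible.
    """
    conn.executescript("SELECT name FROM products WHERE id = " + variable)
    return [row[0] for row in conn.execute("SELECT name FROM products ORDER BY id")]

def lookup_hardened(conn, variable):
    """Validates the parameter as an integer, then binds it as data.

    The value never becomes part of the SQL text, so nothing can be
    appended to the statement; non-numeric input is rejected up front.
    """
    product_id = int(variable)  # raises ValueError on '5; DELETE FROM products'
    cur = conn.execute("SELECT name FROM products WHERE id = ?", (product_id,))
    return [row[0] for row in cur.fetchall()]

def remaining_rows(conn):
    """Row count, used to confirm whether the table survived a lookup."""
    return conn.execute("SELECT COUNT(*) FROM products").fetchone()[0]

if __name__ == "__main__":
    db = make_db()
    print(lookup_vulnerable(db, "5; DELETE FROM products"))  # prints []
    db = make_db()
    try:
        lookup_hardened(db, "5; DELETE FROM products")
    except ValueError as err:
        print("rejected:", err)
    print(lookup_hardened(db, "5"), remaining_rows(db))  # ['widget'] 2
```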
  • by Anonymous Coward on Monday August 21, 2000 @10:55AM (#839667)
    So ISS (not to be confused with MS-IIS) does a brilliant bit of textwank, and gets away looking like the proverbial cat with the famed yellow bird..

    I don't know the details of the situation, I admit.

    Now someone finally realizes that the sa account in MS-SQL 7.0 ships with no password.. so did 6.5 BackOffice Edition.

    To complete the setup of the server, and create the storage space to STORE your data (read: You can't.. can NOT.. skip this step and expect it to work right, er, at all.) you have to log in as 'sa' with no password.

    So from the very start, the admin KNOWS that there is no password, because he's already logged in to finish configuration.

    Is it *REALLY* Microsoft's fault, and should they *REALLY* call this a vulnerability, when the admin KNOWINGLY leaves a system account with a blank password exposed to the Internet in all its glory?

    Let's take this little bit of humor into meatspace.. You open the biggest door to your house to get in, and leave it open. You settle in for a day, and then go out to party... but you leave the door open still. You are robbed blind and silly, and there's not even a broken window, because *you* left the door open.

    Who is at fault? (Other than the robber)

    1. The person who built your house
    2. The bank, for owning your house
    3. The company that made the lock
    4. Your sorry ass for leaving the door open

    I vote 4. Who's with me?
  • by AFCArchvile ( 221494 ) on Monday August 21, 2000 @11:06AM (#839669)
    Why didn't Microsoft just patch the installer to prompt the administrator to enter a password? Kinda like every Linux distribution prompts you to enter a root password.

    I think that this is just a classic omission on the part of the Microsoft (and Red Hat) software engineers. This is the reason why much of the software released as 1.0 is actually beta quality.

    If I had my way, I'd add on a "gamma" software stage; the requirements of this stage being:

    Full functionality,

    Passed the 99 runtime test (ran the latest build at least 99 times without a single hitch)

    Not quite tested on all systems (hence, the gamma)

  • by The Salamander ( 56587 ) on Monday August 21, 2000 @10:57AM (#839672)
    "There's limited quality assurance in the closed-source environment," says Harton, "because closed-source software is basically just a bunch of peoples' job."
  • How about because most pieces of software for the past 30 years have shipped with default passwords?

    Ok, so why was the Piranha default password a story then? By your lights, that shouldn't have been reported either.

    I think the Piranha thing hit big due to the discovery of the "seineew era sreenigne epacsteN" thing in a chunk of MS software that I can't recall right now just a few days earlier, kind of a tit-for-tat thing. In any event, I think M$ needs all the media help it can get, in the face of antitrust, ILOVEYOU and the delays in getting any kind of a patch out, among other things.

    On second thought, fudge 'em. About time they got dragged into the light. Maybe someone will also rake Red Hat and other Linux distributors over the coals a bit for their gaping-wide default installs:)

    The story does make a good point about what kind of stories the media picks up on and how such things are reported, although I tend to cringe whenever I see a "Linux vs. Windows" story on /. nowadays; I know there's a potential flamewar sure to brew and lower the collective intelligence around here by another half-point.
  • As we all know, the media contradicts itself on a daily basis. They even go as far as to *gasp* LIE! What really surprises me is the lack of coverage about this latest Micro$oft security hole! You're absolutely right that Red Hat and the open source community as a whole came under frivolous attack over the piranha issue. The Microsoft SQL 7.0 default password problem is probably more dangerous and more widespread than piranha. For that we can thank the widespread use of Micro$oft's top of the line, high quality, efficient, bug free NT operating system. (sarcasm detected)

    Let's look at how the media is contradicting themselves on this issue.

    Remember the extreme media coverage during the Microsoft trials? Remember how it was in the top stories for weeks? Understand how it is the FEDERAL GOVERNMENT that is fighting Micro$oft? Why is the media giving them a free pass now, when we all know that the media is the little darling child of the FEDERAL GOVERNMENT? Does this make any sense?!?! NO!!

    An analogy: today you're supposed to stop at red lights and go on green. Tomorrow is a different day... perhaps we will stop on green and go on red. See what I mean?

    Conclusion: The media has simply stuck itself in another contradiction that the mass blithering idiotic public won't see or understand. I like the theory that somehow Micro$oft is being carried under the wings of the media to hide this major security flaw. But of course, that doesn't make sense because the media is on the Government's side attacking Micro$oft... one would think that they would be all over this like a pack of rabid dogs! Where's the sanity?

    Perhaps we can assume that Micro$oft has the ability to buy media coverage, or buy the lack of it. Perhaps they paid the media to focus on piranha. Perhaps they paid the media to ignore SQL 7.0. Perhaps I'm not a micro$oft fan... actually, it's definite and I haven't been for a long time.

    --cr@ckwhore

  • This is _exactly_ what I've been saying for the longest. Forget about Outlook and its craptacular features and remember Macro BASIC. How long have macro viruses been around? 10 years? At least. Has MS done _absolutely anything_ about them? Oh, Office 2000 has some features that keep these things from happening, but that's an age-old vulnerability! MS certainly has a lot of fault in this, and is responsible for quite a bit of its misfortune [from Concept all the way to the latest ska and so on], but who is really the responsible party now? The idiots who still use these products and put faith in them, believing that the entire work of macro viruses is "normal", and that it's all the "damn hackers'" fault.

    What could have been done? Well, let's see...
    Sandboxing
    Altering abused commands
    Restricting writes to primary templates
    etc...

    Of course, this has only bred a response now, and I don't know of any place that it's really been put to the test; however, it's sure as hell made NAI and Symantec richer than hell over something that could have [and should have!] been fixed long ago.

  • Certain people and departments *cough*HR*cough* in our company cannot fathom the possibility of typing the content of an e-mail in the e-mail body. Instead, everything from a six-line memo to a 9MB spreadsheet gets sent as an attachment.

    I was talking to a co-worker who had been working here at the start of the Melissa virus outbreak. As the virus was first detected at our site, he received an urgent message saying "DO NOT OPEN ANY E-MAIL ATTACHMENTS!" For further information, he was referred to the enclosed Word document.

    The virus security team now copies and pastes text into e-mail, the old-fashioned way. :)
  • Why not just ship a big fscking 24x18 poster with the letters RTFM? They could do a bulk deal, and ship it with every piece of software they sold, and people STILL wouldn't listen.
  • Nope, Piranha was definitely not installed by default on redhat servers. It's something you have to go out of your way to set up, like SQL server is apparently.


  • by Shoeboy ( 16224 ) on Monday August 21, 2000 @11:01AM (#839684) Homepage
    Very nice, I wasn't aware of this one.
    Did you know that SQL Server passwords are transmitted in plain text across the network unless you are using multiprotocol encryption?
    That's another nice one.
    --Shoeboy
  • i'm surprised this is just coming out now since 6.5 has had the same behavior for over a year. i've had the unfortunate experience of working with both 6.5 and 7. both have a default sa password of "" and neither one prompts the person installing to change the password. i can't tell you how many times i have been able to get into a mssql db because the person installing didn't know to set the sa password.

    should we really be surprised by ms's lack of security?

  • A significant percentage of people buy MS products because they trust them. They believe that MS has already done everything they can to provide the customer with the most perfect product (a lot of) money can buy.

    Therefore, if an MS product does something by default, a typical MS user feels it's best left unchanged. After all, MS must know much more about computers than they do. That's why they're so successful, right?

    MS even explains how the default blank password is a feature in that it facilitates 'Integrated Mode' i.e. letting NT manage access security. They say in their response to Bugtraq, that it's only users who choose to run in 'Mixed Mode' (which they don't recommend) that are at risk from the blank password. See http://www.microsoft.com/technet/SQL/Technote/secure.asp [microsoft.com] for more.

    Of course they also say that there is a forced change of the password in SQL Server 2000.

    Also note that Oracle has something like four default usernames with default passwords, and that these are published in most books on Oracle. I think the real concern is that there is a known vulnerability in SQL Server that lets you gain control of the OS itself from within SQL Server, and I don't think MS's response to Bugtraq has addressed this, other than to say you should have a firewall (like this will protect you from users within your own organization).

  • by Derwen ( 219179 ) on Monday August 21, 2000 @11:13AM (#839692) Homepage
    Of course the other posters are right when they say that there is no story here (i. It's up to the SysAdmins; ii. of course media bias exists and the press are just beginning to get clued up on free software). The real gem is this quote:
    "There's limited quality assurance in the open-source environment," says Rouland, "because open-source software is basically a bunch of peoples' hobby."

    in a story posted minutes after this story [slashdot.org] about IBM, and its plans to open source something as useful [ibm.com] as Websphere.
    Some of ISS's pages aren't opening right now (/. effect?) so I can't see if Mr. Rouland has shot himself in the other foot yet ;-)
    Derwen

  • Hey, I said at the time of the Red Hat thing that I thought it was overblown.
    I also agree that software installs SHOULD ask for an admin password. In the case of SQL server, doing so is not that big of a deal. The install should say
    1: What do you want for the sa password?
    2: Pick an NT account/group for admin rights. AND make them pick at least one.
    That way, SOMEONE is an admin and can change the sa password
    ---
  • by wardk ( 3037 ) on Monday August 21, 2000 @11:22AM (#839707) Journal

    As a consultant, I am at 2-5 sites per year. I have seen firsthand multiple production systems, and production systems connected to the internet still utilizing the default null sa password. This is widespread.

    Typically, the current admins are aghast at it, and it's "that way since I got here". Changes are then not made as it affects too many processes. (code: too much work to do it right)

    There's lots of excuses for it, none hold water, yet it remains. Cracker paradise.

  • piranha was not installed by default, you had to install it specifically. so yeah, you're wrong on that part.


  • by joey ( 315 ) <joey@kitenet.net> on Monday August 21, 2000 @11:24AM (#839712) Homepage
    Great article. I do have one tiny little quibble with this:
    Typically that's a nonprivileged "nobody" account. While this is never good, let's just note for the record that this is a read-only exploit unless the webserver is very poorly configured.
    Access to any user on the system, even nobody, is still a very serious matter. Even if your web server is otherwise perfectly locked-down. Why?

    Well, it automatically turns any other local exploits into effectively remote exploits. So an exploit in some dumb little suid game on your system, which would normally only let local users get root, suddenly mushrooms into an exploit that gives anyone root.

    An attacker need only get in as user nobody, install a real backdoor, and wait. Eventually a local exploit will be found, and they can finish cracking the system.
    --

  • by Pinball Wizard ( 161942 ) on Monday August 21, 2000 @11:26AM (#839713) Homepage Journal
    I have a SQL Server powering a website on the internet. The website is also sitting behind an OpenBSD Firewall.

    Now, no one from Microsoft is going to tell me that using an OpenBSD firewall is going to make my website more secure. Yet this is the type of thing that a good sysadmin will be able to do. You have to understand enough not to be dependent on any particular vendor.

    Conversely, when I first became a sysadmin, I learned the concepts rather than the actual commands first. Regardless of what system you use (I started on AIX), the basic tasks are the same. You have to monitor the system, add/replace hardware, add/delete users, maintain a backup scheme, etc. etc. The actual commands or buttons you push are trivial. The concepts are what is important.

  • What you are seeing isn't so much a media bias against Redhat and for Microsoft. This all comes down to a matter of newsworthiness. Everybody knows Microsoft is full of gaping security holes, so when another one comes along it isn't big news. On the other hand, when RedHat has a hole it is big news because Linux is so supposedly secure.

    Really this strong coverage of redhat and weak coverage of Microsoft is just further illustration of how shoddy Microsoft's products are.

    ---

  • It may not necessarily be that a) the media are incompetent or b) in the thrall of Microsoft. When a journalist gets a story like this, s/he is going to call Microsoft for comment. Msft spends gazillions on PR personnel, so you can bet the journalist is going to be inundated with their side of the story, which a horde of in-house personnel will have carefully crafted. Linux/Red Hat doesn't have such a PR machine poised to suppress such fires.
  • It's been a while since I had to reinstall mysql, but I'm pretty sure that not only in the manual but in a pre or post install script, the system YELLS at you that the password is default and to change it ASAP (If not inserted by mysql, then the .rpms and .debs have been set to do this).
