Bugtraq mailing list archives

MSDE / Re: Default Password Database


From: ericm () DENMAC COM (Eric Monti)
Date: Mon, 10 Jul 2000 15:07:53 -0500


An addition for your excellent database, Eric -- and something for the other folks on bugtraq to chew on:

Microsoft Data Engine (A toned down version of MS SQL server) installs with a blank password for 'sa'. Since the 'MSDE' 
listens on the standard MSSQL 1433/tcp SQL port, you can log in remotely with this. It also works with named pipes on 
NT but not on Win9x.

This MSDE is now distributed as part of Office 2000 (for Access 2000) and in 'redistributable' form as msdex86.exe for 
use in 3rd party applications.

MSDE is incorporated in several MS and 3rd party packages. Some that I know of include Visio 2000, Visual Studio 6.0, 
and well.. Access 2000. I know of at least one 3rd party application -- a "security" product that I cannot name 
(sorry...)-- that also uses it. There probably are others.

All of the applications I/my colleague have tested with it have had tcp/1433 (ms-sql port) listening while the engine 
is running (in some cases, always) and have been subject to the default login hole. After logging in remotely, a simple 
"xp_cmdshell" extended stored procedure call (yes it is included) yields access to the underlying NT server in seconds 
(as SYSTEM if I recall). Xp_cmdshell was not tested with Win9x.

Also, we've noticed that many of the recent MS-SQL holes/advisories/fixes that have been coming out recently have made 
no mention of MSDE and to my knowledge the fixes have not been incorporated into it by MS.

A bit more info on MSDE is available at (mostly "feature-fluff"):
http://www.microsoft.com/technet/office/trmsde1.asp 
http://www.devx.com/upload/free/features/vbpj/1999/10oct99/rd1099/rd1099.asp

None of the documentation I've read has made any mention of the default password or need to change it, although 
ironically the first link above gives a warning in the form of a code example that uses:
"Server=cabxli;Uid=SA;Pwd=;"

If anyone knows of other applications that use the MSDE, we'd be interested in finding out what they are to try working 
around the default password issue if possible when running across them, and avoid them if not.

Much credit goes to my colleague Alex Nikonchuk for identifying and researching this.

Eric Monti
Denmac Systems
ericm () denmac com | monti () ushost com 
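
Added example, not part of the original post and not Microsoft's code: a small Python audit that scans source or configuration text for SQL Server connection strings that log in as 'sa' with an empty password, like the "Server=cabxli;Uid=SA;Pwd=;" string quoted above. The key aliases, the matching regex and every sample line other than that string are assumptions constructed for illustration.

```python
import re

# Key aliases commonly seen in ODBC / OLE DB connection strings (assumed set).
USER_KEYS = ("uid", "user id")
PASS_KEYS = ("pwd", "password")
TRUSTED_KEYS = ("trusted_connection", "integrated security")

# Heuristic: two or more "key=value;" pairs, optionally one unterminated pair.
CONN_RE = re.compile(r"""(?:[\w ]+=[^;"'\n]*;){2,}(?:[\w ]+=[^;"'\n]*)?""")

def parse_conn(s):
    """Split 'k=v;k=v' into a dict with lower-cased, stripped keys."""
    fields = {}
    for part in s.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            fields[key.strip().lower()] = value.strip()
    return fields

def is_blank_sa(fields):
    """True when the string logs in as 'sa' with an empty or missing password."""
    user = next((fields[k] for k in USER_KEYS if k in fields), "")
    if user.lower() != "sa":
        return False
    # With Windows authentication requested, the SQL login fields are not used.
    if any(fields.get(k, "").lower() in ("yes", "true", "sspi") for k in TRUSTED_KEYS):
        return False
    return next((fields[k] for k in PASS_KEYS if k in fields), "") == ""

def audit(text):
    """Return (line number, connection string) for every blank-'sa' login found."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in CONN_RE.finditer(line):
            if is_blank_sa(parse_conn(m.group(0))):
                findings.append((lineno, m.group(0)))
    return findings

# Constructed sample input; only the first connection string is from the post.
SAMPLE = '''cn.Open "Server=cabxli;Uid=SA;Pwd=;"
cn.Open "Server=db1;Uid=sa;Pwd=Example-Not-Blank;"
connStr = "Server=db2;User ID=sa;Password="
cn.Open "Server=db3;Uid=sa;Pwd=;Trusted_Connection=yes;"
cn.Open "Server=db4;Uid=report;Pwd=;"
'''

if __name__ == "__main__":
    for lineno, conn in audit(SAMPLE):
        print(f"line {lineno}: blank 'sa' password in {conn!r}")
```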

