Default Behavior: Piranha vs. Microsoft SQL Server
Because unlike Red Hat, Microsoft is getting a pass by the media.
Piranha is web clustering/failover software that was released in April by Red Hat without much QA. It somehow went out the door with a default password ("Q") and without docs explaining in big bold caps that it must be changed. If you installed the Piranha RPM without reading the docs carefully, you had a security hole on your site.
The hole allowed an attacker to come in over port 80 and execute arbitrary commands as the Piranha user, which would have been the web user. Typically that's a nonprivileged "nobody" account. While this is never good, let's just note for the record that this is a read-only exploit unless the webserver is very poorly configured.
The media flipped, in a word, out.
Piranha: A Case Study
On April 25, Computerworld announced that the "backdoor password ... could allow an attacker to compromise a Web server and deface and destroy a Web site." Informationweek and Internetweek both warned about "a back-door security flaw that carries ISS's highest danger rating." MSNBC/ZDNET ran the story as "Red Hat Linux open to backdoor password" and explained "there's a backdoor account in Red Hat's Linux that would let a computer intruder access and alter files." The Standard's early report on April 25 wasn't too bad but attacked -- as all reports did to some degree -- the strawman myth that open source is inherently secure. At least it didn't use the word "backdoor." Newsbytes was pretty much the same.
"Backdoor" implies that the flaw was deliberately inserted, by a thoughtless or even malicious programmer. Why did most stories incorrectly use that word? Mostly because that was how it was described in the press release. A security firm called Internet Security Systems found the flaw on April 24 and sent out a security advisory that used the term four times by the end of the first paragraph.
ISS also made some interesting statements when speaking to the press about the vulnerability. Oft-quoted was a line about open-source being both a blessing and a curse (the media loves "on the one hand, on the other hand"). I also liked this comment from their research director:
"There's limited quality assurance in the open-source environment," says Rouland, "because open-source software is basically a bunch of peoples' hobby."
Of the early stories about Piranha, the best one I found was Henry Kingman's ZDNet piece on April 24 (both early and accurate: amazing). CNET's on April 25 wasn't bad either, though they let ISS lay down the anti-open-source and pro-Microsoft propaganda a little thick.
In the days to come, the story didn't change much except to note that Red Hat -- correctly, as it turned out -- denied the seriousness of the vulnerability and tried to explain that it wasn't really a backdoor. Inter@ctive Week's Charles Babcock did such a piece on May 1.
Computer Reseller News still called it a backdoor on April 27. And NetworkWorldFusion's report and Informationweek's followup both came out on May 1, both got the important facts right, but both still called it a backdoor.
ClieNT Server News ran an article in their May issue explaining "Red Hat Red-Faced." I'm not about to pay to read the whole thing. The free synopsis that's available smirks at how "embarrassed" the company must be, and ends: "It seems that Red Hat left a back door in," dot, dot, dot.
The Standard had a second, fair piece that eschewed the term and even, after quoting the line about open-source being a "hobby," gently suggested otherwise.
But the gold stars go to just two good reports. SecurityFocus' Elias Levy, on May 1, turned the spotlight on ISS by pointing out how they "...can make headlines by using the right jargon, even when it's wrong." And Linux World News' Liz Coolbaugh had weighed in a few days earlier, questioning the media's coverage in her story "Red Hat Security Hole Not a 'Backdoor'."
If you find any more stories about Piranha, post them below. The Red Hat-bashing pretty much came to a halt a week later, when a little Microsoft-specific email virus named "ILOVEYOU" did a few billion dollars' worth of damage.
(Breaking news: all charges dropped; to quote 10,000 Maniacs, "who ya wanna blame?")
Microsoft SQL Server 7.0
You've heard about the SQL Server vulnerability, right? The one found on Tuesday, six days ago?
Well, no, you probably haven't, unless you read NTBugtraq. Even the maintainer of SecurityPortal's Microsoft Security Digest missed it this week (don't worry: I dropped him a note, he added it).
As the cracker Herbless describes it:
"It has come to light that it is now common knowledge that MS-SQL has a blank 'sa' password by default. This seems to affect a _lot_ of servers on the internet."
A default password vulnerability? Sounds familiar, doesn't it?
Here's Herbless's description and exploit code, posted to BugTraq last Tuesday. And here's Microsoft's acknowledgement, posted on Thursday.
Herbless wasn't kidding when he said it affected a lot of servers. If you're running SQL Server 7.0, with a firewall that doesn't block its port, and you haven't changed the sysadmin password, you're vulnerable.
As he described it to me, unlike Piranha's vulnerability, which gave read-only access as an unprivileged user, this one typically gives access as "BUILTIN\System." I don't speak NT, so he had to describe to me what this is: "god-like powers ... greater than those of even the 'Administrator' user."
In other words, you have been 0wn3d.
You may be thinking that this is a vulnerability. Go back and read Microsoft's acknowledgement again. They say quite clearly, "The code does not exploit a vulnerability."
Does it confuse you that what was previously a "backdoor" is now not even a "vulnerability"? That threw me for a loop too -- as well as some of Microsoft's other disclaimers, which only make sense when you realize you're reading non-sequiturs about the newer version SQL Server 2000 (the vulnerability only affects SQL Server 7.0).
All will become clear, though, once you read this story from vnunet.com -- the only media story I've seen, by the way. The fault lies with the website administrators:
"Hacked websites 'didn't read the manual'
"Microsoft has blamed administrator error, rather than a bug in its software, for leaving hundreds of websites running SQL server open to attack this week."
Did they say hundreds? Yes, hundreds, at the very least. And did they say "hacked websites"? Yes -- this is not a theoretical vulnerability with no known attacks, like Piranha was.
All this month, Herbless has been cracking into websites like the National Transportation Safety Board and leaving edgy political messages (while backing up the original files and telling the admins how to close the holes). He confirmed to me that all his attacks, including the Fish and Wildlife Service, the UK's Adult Learning Inspectorate, and the Commonwealth Telecommunications Organisation, were done by exploiting Microsoft SQL Server.
Just to make the story that much better, according to Herbless, the default configuration of SQL Server 7.0 also has logging turned off -- in which case a successful attack would leave few if any tracks.
Sites are lucky if their webpages are hijacked; that way they know to fix the problem, format and reinstall. But some of those "hundreds" of websites running the vulnerable installation have surely been cracked by black hats who quietly installed Back Orifice or a similar remote-exploit program. They can set an SQL Server password, but it won't help them: they'll still be 0wn3d.
The proper fix would be to force the password to be changed before the software can be used, as Piranha now does. Wayne Sowery of MIS Corporate Defence Solutions confirmed for me that "versions up to SQL Server 2000 do not ask for the SA password during installation ... we also tried various install options such as 'typical' and 'custom,' neither prompted for a new SA password." Incidentally, he too questions whether this is properly described as a "vulnerability," but I'm not sure what else it could be called.
The lesson here is that the media doesn't treat security reports very fairly. Some organizations have their own selfish reasons to push one agenda or another. (Like Slashdot? You bet. But you know where we stand.)
The motive doesn't have to be that devious, though sometimes, of course, it is. If a reporter gets to write a story that questions a core belief of Linux zealots -- whether or not it's actually a core belief, and whether or not they're actually zealots -- that will be much more attractive than simply reporting security news. The nitty-gritty of security news, after all, is rather dry.
So next time you see a biased polemic about system security, or even a small media feeding frenzy about the latest exploit, take a moment to ask why it's being reported outside of the admins' mailing lists. Open source software is still a new idea to many in the traditional news media, and that means that it's a hook for them to hang any kind of story on -- good or bad.
Oh well, at least we still have the chimpanzees we trained to do Visual Basic programming...
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
"Wait a minute, if there were that many articles about a problem with Piranha which is installed on fairly few..."
/. has helped to assure that the white hats have the same information. They can now secure their sites before they have trojans installed or their websites wiped clean."
No, now they DON'T have the time to secure their sites because now everyone and their mother knows about it. Before this only the people who need to know about it (and the l33t hackers), but now everyone does.
Yes I know. That's why I mentioned the Red Hat website thing. I know they really really blew that out of proportion. But if Slashdot criticizes them for blowing it out of proportion, then does the same themselves with the Windows problem, they are just being hypocritical.
"By publicizing it,
Sometimes full disclosure isn't the best option. When security holes are found they should be kept quiet until they are fixed and people who are running the servers or whatever are notified.
Telling people about a security hole before it can be fixed is like telling people about a bad computer virus weeks after it hit.
Ummm what about instances where you can't use trusted authentication. Say when you've got a web server using nt authentication and it's not a BDC and SQL is on another box?
--Shoeboy
Yes and no. I would imagine that very few people go through and choose each of the thousands of package options. More likely, they just set the checkbox for a typical install of certain types, which is as good as a default install.
That is a really easy one to fix too. It most often occurs when you are using a variable for, say, your ID field.
To fix you have to make sure you do some validation on your fields... its more or less common sense..
Jeremy
>(Note that this does not exculpate MS for making crappy stuff like OE - this is merely my opinion. It'd be like seeing someone drive a Corvair after Nader's exposé.)
There is nothing wrong with Corvair provided the rear tires are properly inflated, so says a Federal Government study in 1972. Ralph Nader was WRONG. Just like he was about Y2K issues...
Mojo
Just to let you know, any skr1pt k1dd13 worth his/her salt knew about this last month.
Is it well known? If I set up a web site on NT tomorrow, would its vaunted ease-of-use make this default known to me? It's well known if you are an experienced admin of anything, but if I'm a small business owner who wants to plug in Microsoft and forget it, how well known is this?
Your right to not believe: Americans United for Separation of Church and
I guess I shouldn't be surprised that the majority of posters here don't get that this article was about MEDIA BIAS. This article is not about the relative merits of MS software versus GNU/Linux software (the writer does bring that in, but only as a minor dig).
Let me sum up for you who apparently can write but not read (well, maybe someone else can read this to you)...
Redhat software package ships with default password; media goes crazy over this so-called "back door" into the operating system.
Microsoft ships their SQL server with no password for "se" user and no prompt to change it, allowing complete system compromise under common circumstances; media is strangely quiet about this.
In other words, very similar problems, but MS doesn't get attacked by the media.
THAT is what the friggin' article is about!
Piranha was only installed if you chose clustering. If you chose clustering you should have known what you were doing. This would not apply to people installing stuff for the first time ever. Oh wait in the Micro$haft world yes it would. My bad.
Cypherpunks: Civil Liberty Through Complex Mathematics. Those who live by the sword die by the arrow.
Yeah, and if I knew your root password, another user account+password, and you enabled telnet and su, I could log onto your [server type]server and do [bad stuff] to it.
You're right, this could be potentially dangerous. But you don't give a handgun to someone who's never used one before and act all surprised when they shoot themselves in the head(apparently experienced owners have done the same to themselves).
Maintaining and setting up a database is not a task for the unwashed masses, nor should it be designed with your typical "where's the 'any' key" user in mind. Any competent admin, and I mean ANY slightly competent DB admin knows to set the stupid default password. Anyone claiming to be competent who doesn't know about this "vulnerability" should be fired immediately.
This is a manual virus. Copy it to your sig and help me spread!
Uhm... wow, talk about rabid ignorance.
If you install MSSQL7, the default password for the sa account is blank.
If you don't change it, it's still blank.
In an install of linux, the default root password is blank. If you don't change it, it's still blank.
The only difference is that you are usually asked to change it during the linux install...
But if you can't think to change default passwords after installing SQL server, you shouldn't be using it anyway.
--- Where's my X.400 protocol decoder?
The point of the article is that for RedHat, this was called "a major backdoor" and for MS, a "feature".
But here is a news flash for people. Oracle has *two* default u/p combos: sys/manager and system/change_on_install (cute, eh?). Both have administrator privs. Oracle 8i introduces the relatively poorly documented outln/outln login, though with far fewer privileges. Other Oracle add-on packages (Intermedia, iFS, whatnot) often add other default username/password combos with varying degrees of power.
Of course, people with a clue firewall the damn things, and only allow incoming connections to their web server, or even use a private network segment for them. This is why, IMO, the RedHat problem is bigger... Even though it is usually read-only, as a web server issue, it will *always* be vulnerable to the outside. DB servers rarely are, unless the admin is enough of a cluefuck to not change the default PW. er...
This is only an issue if you install MS-SQL server. And if you do, then you won't just "plug it in and forget it", because you would need to know, or have someone who knows, enough about the SQL server to add users/create databases, tables, procs, etc.
Granted, these items aren't very difficult, but each time that you login as the system administrator to do the above items it might occur to you that "hey--I just logged in without a password" maybe I should change my 'sa' password.
or not...
The problem is that you need an admin password in order to do anything useful, so they give it a default, just like RedHat. The problem lies in them not FORCING you to change it the way RedHat now does.
Now, think about this for a minute. I had a localized machine at home, not on a network, and I installed Linux. Linux made me install a new root password. Now, it's probably a good idea to do it, I don't run everything as root, I know what I'm doing, and I went and took it out anyway - because I know how. But forcing you to do something is not what I consider to be in the spirit of free software. Having the option to do whatever you want is in the spirit of this community. Every time a program makes me do something, I get pissed off. Who's running the show, me or my computer?
It's like seatbelt laws. I've always used my seatbelt, long before there were laws, because it only makes sense to do it. But who has the right to tell me I MUST wear a seatbelt? Making people do things "for their own good" does not make me happy, it makes me quite sad.
Of course, right now none of my machines are solo, and they all have pretty strong protection - at least a good root password and most services turned off, and a firewall to boot. This is clearly not an error on Microsoft's part. There is nothing insecure about the software when used correctly. And I'm the last person to support MS (just look at my SIG).
On to the issue: it's hard to say why RedHat got raked over the coals and MS didn't, I see lots of good postings that have alternative views, any of which may be correct or partially correct. Who knows? We don't. It's sad and unfair, but let's just keep doing what we do best and spread the word about alternative (not just Linux) operating systems.
----------
Stupid sexy Flanders.
I agree. Hiding information helps dedicated crackers be the first. Telling technical details to everybody helps kids be bad. Some basic guidelines should be respected. Everybody should be able to find out, but it's IMO not a good idea to provoke everybody by saying - look, it's that simple, you can do it too.
Why the hell did this get modded up so high?
... so please stop spreading the FUD.
... you have to understand SQL a bit
Basically, if someone is passing variables into a page (say index.asp?variable=5) then you can piggyback your own query after that (say index.asp?variable=5%20DELETE%20FROM%20sysobjects ). Or something.
This is a programmer problem, not a problem with SQL Server. In *many* cases, I use multiple SQL commands in one call through ODBC, for speed. I'm not positive, but I think this is kosher with the ANSI-SQL spec.
The problem occurs when you don't check the data you are sending to your SQL server through ODBC. For instance, if you let people pass in $value, thinking it's going to be a constraint for a WHERE clause, they could just as easily change that value and add something more sinister.
You think: "Hmmm, $value will be a number! I'll write, 'SELECT * FROM MyTable WHERE thenumber = $value'.
Meanwhile, Mr. Blackhat sends 'value=5; USE master; DELETE FROM sysobjects'.
Again, this is not specific to Microsoft or SQL Server
Of course
Indeed...
-thomas
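The concatenate-then-multi-statement pattern thomas describes, as an added example that is not from the original thread. It runs against an in-memory SQLite database so it works offline: SQLite's executescript() stands in for the multi-statement ODBC call, the names MyTable and thenumber come from the comment, and the rows and the payload are constructed (SQLite has no USE master or sysobjects, so the piggybacked statement deletes from MyTable instead).

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample table; names follow the comment (MyTable.thenumber)."""
    con = sqlite3.connect(":memory:")
    con.executescript(
        "CREATE TABLE MyTable (thenumber INTEGER, note TEXT);"
        "INSERT INTO MyTable VALUES (5, 'five'), (7, 'seven');"
    )
    return con


def row_count(con: sqlite3.Connection) -> int:
    return con.execute("SELECT COUNT(*) FROM MyTable").fetchone()[0]


def lookup_vulnerable(con: sqlite3.Connection, value: str) -> None:
    """The pattern the comment warns about: the request field is pasted into
    the statement text and the whole string goes to an interface that runs
    every ';'-separated statement in it. executescript() behaves that way,
    standing in for the multi-statement ODBC call the comment mentions."""
    sql = f"SELECT * FROM MyTable WHERE thenumber = {value}"
    con.executescript(sql)  # the SELECT runs, and so does anything piggybacked


def lookup_hardened(con: sqlite3.Connection, value: str) -> list:
    """Check the data before it reaches the server (the field must be an
    integer) and bind it as a parameter, so it is only ever a value, never
    SQL text. Either layer alone stops the piggybacked DELETE; the check
    additionally rejects the bad request up front."""
    if not value.strip().lstrip("-").isdigit():
        raise ValueError(f"thenumber must be an integer, got {value!r}")
    return con.execute(
        "SELECT thenumber, note FROM MyTable WHERE thenumber = ?",
        (int(value),),
    ).fetchall()


def handle_request(con: sqlite3.Connection, value: str) -> tuple:
    """What a hardened page does with index.asp?variable=...: status plus rows."""
    try:
        return ("ok", lookup_hardened(con, value))
    except ValueError:
        return ("rejected", [])


if __name__ == "__main__":
    # Payload shape from the comment: a second statement after the number.
    payload = "5; DELETE FROM MyTable"

    con = make_db()
    lookup_vulnerable(con, payload)
    print("vulnerable path, rows left:", row_count(con))   # 0

    con = make_db()
    print("hardened path:", handle_request(con, payload))  # ('rejected', [])
    print("rows left:", row_count(con))                    # 2
```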
"And like that
Wait. Is it a vulnerability? Certainly. If we can believe this is the exploit Herbless is using, a cursory look at the attrition.org archive will show a handful of gov't and commercial site defacements accredited to him and presume it's involving this default password issue. Web sites are being defaced. Whether it is trivial or not, it's still a vulnerability.
So how trivial is this? DO sysadmins knowingly put out boxes with default passwords belonging to highly privileged accounts? Common sense would suggest the admins wouldn't leave "the biggest door to [their] house" open. Trivial? Perhaps. Obvious... apparently not.
So we have a fairly serious situation, one many admins are apparently unaware of, affecting a large number of sites. Isn't that newsworthy?
Perhaps it's not affecting THAT many sites. Of course, the fact that the Piranha case didn't involve actual defacements seems to argue against that being a prerequisite of newsworthiness.
Perhaps Microsoft owns the press and vetoes this kind of coverage. Sure... some of the sources mentioned might be more than friendly towards Microsoft. But not all of them. Besides, bashing Microsoft is trendy in some circles. I'm sure at least a few would have jumped on the chance to show that they're hip.
Maybe news of Microsoft vulnerabilities just isn't interesting anymore? PHBs are trying to wrap their brains around this whole Open Source juggernaut that just materialized in front of them. Since Red Hat is one of the more tangible phantoms, it's a given that there will be a readership interested in material that deals with Open Source development and Red Hat. Will Red Hat vulnerability news sell? No brainer.
Of course, this all goes far beyond the cares of your average admin. All exploits are trivial once they're known and a patch / configuration is available. It's just a matter of knowing the vulnerability is there and doing something about it. Any admin can do it. Simple. Trivial.
How are a majority of sites taken? Trivial exploits known for months if not years by the general community. The challenge developers have, closed or open source, is limiting the exploits available "out of the box".
Other large commercial DBs do not require you to set the password.
Oracle 7 has a default password for SYS of Change_on_install as well as having a password called 'SCOTT' with a password of TIGER, Sybase's default password for sa is also blank, Interbase's default password for sysdba is masterkey. I don't think Informix has this problem, but it is so long since I installed it I can't remember what choices it offered me.
I think your phrase should have read:
'A good DBA will know about these holes and will set the sa password as part of the installation process.'
Anyone who doesn't have the very basic level of knowledge required to know better than to leave the SA password blank doesn't have any business running a security-sensitive system, regardless of the vendor. SQL Server and Oracle are TOOLS. Installed straight out of the box they do essentially NOTHING - someone who only knows to click the 'next' button on the install wizard has no use for an RDBMS.
/.'ers and this persecution complex? It's worse than an old Amiga users group meeting. Stop whining about the unfair treatment of Linux in the media and worry a little more about putting out some quality code.
Don't get me wrong, I think not making the SA password change a part of the install is a bad idea, since it's easy to forget when you get busy with making your database actually do something. The only flaw here is in the wizard.
As for the ability to control the OS from SQL, that's not a bug, that's a feature. =] Granted, it's not a feature most of us use, and the stored procedure should probably be removed. That's just another part of being aware of the security implications of any system you put on the Internet.
As for the original note's comparison of the Piranha thing and this non-problem, get a life, people. What is it with
the default password is:
.seineew era sreenigne taH deR
------------
a funny comment: 1 karma
an insightful comment: 1 karma
a good old-fashioned flame: priceless
this sig limit is too small to put anything good h
I don't know what all you guys are complaining about. I always set my sa password to 'sa' right after I install my database. How hard is it to follow good security practices?
This is a manual virus. Copy it to your sig and help me spread!
Except that you can't use enable without a set password from a telnet session. Only through serial. This is the equivalent of only being able to walk up to the MSSQL server and execute commands on the console. The worst a non enabled user can get is very little. Nothing can be changed. This too is read only. Even with no password you can't reload the router or format my flash disk! :-(
:-)
Trust me I forgot to put an enable password on a switch I run, and I can't do a damn thing with it
I guess I will have to put one on eventually
You probably won't hear much about the fact that Brown Orifice also (for the most part) works on IE.
Such is life.
http://windows.scares.us
It strikes me that there's a link between the response of the judge in the 2600 decision and the response of the different press sources cited in this article.
What they have in common is a mistrust and fear of those who make, support, and use <free, open-source, ... your favorite term here> tools. This mistrust produces a hostility toward the people involved as well as toward the tools themselves.
You didn't ask me, but that looks to me like the reactionary response by those who are frustrated by the reported technical successes of free software. DeCSS seems like deeper, more offensive magic if you assume that CSS started off being very secure. Linux and Apache seem like upstarts if Microsoft has been your sole introduction and guide through the world of personal computing.
It's also related to how religiously and self-righteously we tend to hop on those successes. Some people are used to hearing paid PR and marketing folks doing that, and it sounds like the pretty background noise of commerce to them.
Community-produced software, on the other hand, makes noise that sounds more like revolution to some ears, in part because it's not looking lucrative in the traditional sense.
There's nothing wrong with wanting judges to make rational decisions, or media sources to make reasonable reports. It's foolish, on the other hand, to believe that either is likely, let alone assured.
The real answers come as we address technical issues, even while we're indignant about and frustrated by the falsehoods and prejudice.
While I don't want to live in a technocracy, I prefer my software built there, y'know?
I've heard the argument that Microsoft won't fix it unless the vulnerability is made public, but doesn't everyone know that to be bullshit? I mean, Outlook's flaws were explained in detail, and instead of Microsoft fixing 'em, I just get more internal memos from the IT department telling me what subject-lines will delete the contents of my hard drive and send itself out to every member of the firm. Clearly telling the public how to make an exploit can only aggravate the problem, so why do people insist on doing it?
Mark Prindle, the most underappreciated genius on the web.
1) SQL 7 does not listen on port 80.
Strawman. Nobody said that it did.
The reference to port 80 was in regards to the Piranha problem, not the SQL Server problem.
Read for comprehension. Don't just skim to try to read what you think is there.
This is how I got domain admin rights on the houston domain at microsoft. (that's where all the MSN servers reside) I love the blank password. Why'd they have to go and tell the DBA's about it ;(
/ADD /DOMAIN' will make you a domain admin.
This isn't new, it's been around for ages. It was there in the first MS SQL Server version 4.21a.
It's ancient and it's beautiful.
Like all NT services, SQL can be run under a domain admin account. It frequently is. SQL also has a command called 'xp_cmdshell' that allows you to shell commands to the OS.
Executing an xp_cmdshell 'net group "domain admins" username
I love this.
--Shoeboy
Who does this surprise? Just watch CNN or the New York Time's political coverage - and those reporters actually know a fair bit about politics. Of course, we don't mind when it's *our side* that's getting the leg up (and why should those racist-evil-corporate-religious-nuts-or-whatever-they-are crazies get any more breaks?), but media bias is everywhere.
Pretty sad, but unless we're willing to crack down on _all_ media bias, it's not going to change for RedHat...
Can your IM do this?
RedHat doesn't install anything by default. You are given the option of choosing exactly what you want and don't want when you install.
'Rooting' an SQL db does not give you as much control over a machine as rooting the whole OS does
RTFM
xp_cmdshell
xp_regaddmultistring
xp_regdeletekey
xp_regdeletevalue
xp_regenumvalues
xp_regread
xp_regremovemultistring
xp_regwrite
--Shoeboy
"Last Tuesday, it was revealed that Microsoft SQL Server 7.0 is shipped with a default password - just like Red Hat's piranha module"
Did you just subscribe to bugtraq last week? This same issue with regards to MSSQL comes up about every six months, this "news" is rather dated.
Badtz-Maru
When you fire up the server for the first time, the sa password is blank.
Can we burn down their corporate headquarters too?
So, in the interests of preserving the balance of this discussion, and ./'s journalistic integrity (such as it is), who is going to scream at Oracle for shipping a product with 3 default passwords?
./ers look like the mature, open, sensible, non-judgmental people they so constantly claim to be.
./ers' desirability stakes...
I'm no Oracle guru, but the default SYS, SYSTEM and SCOTT accounts all have well-documented passwords ('changeoninstall', 'manager' and 'tiger', if I remember rightly). I'm sure someone will flame me for getting them wrong, but what the hell.
Would anyone like to bet on the percentage of Oracle installations where all 3 passwords have been changed, or the SCOTT account dropped and the 2 remaining ones changed? This is a question of bad administration, not a bad product.
Why on earth are you not complaining about that huge Oracle security hole? As many posters have pointed out, the MSSQL installation allows you to leave the sa password blank, but all documentation (and, hopefully, common sense) says you should be fired for incompetence if you do that.
In fact, Msoft's recommendation is to not use passwords at all, but rather NT integrated security, where no MSSQL passwords are involved. Set a very strong sa password, lock it in the safe, then forget about it. Whatever your view of NT password security, it's a lot stronger than simple MSSQL passwords with no quality checking or expirations.
This story is simply Msoft-bashing, which obviously is an occupational hazard round here, but it doesn't help
Finally, MSSQL 2000 closes this 'hole' - you are prompted for an sa password, and can only leave it blank by acknowledging a dialogue box warning you of the dangers. If that's not good enough, you have no business being anywhere near a production box. (And anyone who leaves any production account password blank, or weak, should be shot, full stop).
Disclaimer: I'm an MCSE+I and MCDBA, which obviously ranks me somewhere below genital herpes in most
This is really going to get me flamed, but anyway here goes...
In my time in IT (a little over 7 years), many of the Windows NT sysadmins I've met have been jumped-up Win95 users, who just happened to be able to convince the boss they could run a server.
Coming from the Win9x background, I have noticed that these people have little or no concept of just how vulnerable a badly passworded (or unpassworded) server can be. I've found that a little knowledge actually IS a dangerous thing... the experienced Win9x users don't take Windows NT and its associated apps too seriously as they associate it with their home PCs.
The same people incidentally, when moved to a UNIX system, become highly paranoid, as it is easier for them to take something they don't have at home seriously.
Just my tuppence worth.
Bzzzzzt..."AAAAaaaaarrrgh!!!" Thud.
If stuff like this isn't publicized, for whatever reason, it simply makes a cracker's 'hobby' easier.
And people wonder how a script kiddy can cause so much damage? BS like this!
I would be more inclined to agree with this if Microsoft et al. were more inclined to notify users of security problems more quickly (or at all). As long as software companies keep trying to sweep this sort of thing under the rug, we need quick, full disclosure to keep them honest. If this hurts too many users, those users should quit using software from companies who aren't staying abreast of security problems.
Your right to not believe: Americans United for Separation of Church and
Wait a minute, if there were that many articles about a problem with Piranha which is installed on fairly few machines, but there has been one (two if you count /.) news reports about the MSSQL problem which is installed on many many machines, it seems like /. would have to publicize this every day for a month to even approach the correct proportion of (installed base at risk) * (amount of news stories about problem). The whole point of this article is that coverage on this issue is not in proportion.
No, if you'd actually read you would find that the black hat community already knows about this exploit. By publicizing it, /. has helped to assure that the white hats have the same information. They can now secure their sites before they have trojans installed or their websites wiped clean.
Welcome to the world of full disclosure - if you don't like the public finding out bad things about the software you're running, maybe you should use different software.
To complete the setup of the server, and create the storage space to STORE your data (read: You can't.. can NOT.. skip this step and expect it to work right, er, at all.) you have to login as 'sa' with no password. /E -- login as sa regardless of the password as long as you're in local administrators (which you have to be to install the silly thing)
RTFM on integrated security
isql
--Shoeboy
Why is it the worst security hole ever when it happened in Piranha, but nothing when it happens in SQL Server? That is the point. The press jumped all over the "backdoor" RH had, but don't touch SQL Server despite it being a more dangerous configuration.
--
Ben Kosse
Remember Ed Curry!
The next question is: how come this isn't big news?
I think that there's a benign answer to this one: It's not sexy anymore.
When the Piranha thing became known, MS had just been beaten to death over all sorts of security bugs, including their backdoor fiasco. The general subject was hot news.
Now a security company (friendly to MS, of course) sends out a press release with everything short of "Back door security vulnerability virus!!!!" in neon pink.
For MS apologists, this would look like a silver smoke grenade to cover their own back door. They're going to push it all they can. Sites like MSN could probably be expected to push it to the max.
Properly spun, it would look, to many news editors, like 'the next big headline'. The last thing that they'll want is to be scooped. Given the time constraints and lack of technical savvy on the part of many journalists, they're most likely to eat the press release and regurgitate with minimal digestion.
In this case, however, back doors and default passwords have been out of the news for a while now. Sites affected are likely to be small to medium (yahoo and Hotmail better have sysadmins who know to change the password). It's simply not sexy.
As an analogy: If some US sailor had dropped a hand grenade and blown up two of his buddies on a US Nuclear Sub 6 weeks ago, it would have been front page news at the sub's home port, and rated a light aside anywhere else. If it happened this week, with the Kursk a multi-billion dollar mass coffin on the bottom of the ocean, it would be front page news. The news itself wouldn't be any different, but the context would.
Never assign belligerence to something that can be adequately explained by mere stupidity.
Free Software: Like love, it grows best when given away.
What's next? Are you going to publish that Oracle has a security hole because the default password for system is 'manager' and sys is 'change_on_install'? Sybase ASE sets a default blank password also, at least on 11.x.x, which is installed on a large number of websites, and is used in the finance industry extensively.
This is entirely a moot topic because EVERY major RDBMS I know ships with a default password. The only reason this seems to be an issue here is because most NT/SQL Server admins do not know better to change the password, and because the vast majority of NT/IIS/ASP applications apparently use the sa account.
If you're a DBA and you leave a default password on a database, and you leave that port open on your firewall, you've got issues.
If you even use the SA, SYS, or SYSTEM accounts in ANY applications for ANYTHING, you've got even bigger issues.
If you even integrate the signons with anything other than Kerberos DCE or a properly secured Linux system, you're asking for it. SQL 7.0 does this by default, and YOU CANNOT TURN IT OFF IN 7.0 or 2000. You however could in 6.5.
If you give ANY non-SA DB account on a public site access to the system tables or master database, you shouldn't even be a DBA.
If I wanted to, I could mount the same attack in Oracle using the UTL_FILE package in PL/SQL to read any file on an accessible system, especially on an Oracle NT installation where the Oracle account installs as a default of the LSA (Local System Authority), meaning I could literally use SQL*PLUS, the DBMS_JOB package, and some creative PL/SQL stored procedure to own an NT (or unsecured Linux/UNIX) box running Oracle with just access to port 1521 and SQL/PLUS on my box (downloadable from OTN) and some knowledge of PL/SQL.
Sybase and Microsoft just make it much easier to do because of their default installs, and because MS makes it easy to run arbitrary OS commands. Sybase at least doesn't enable xp_cmdshell by default, from what I remember.
Heck, Sybase does the same thing, and on Sybase on UNIX one can even send UDP packets from the DBMS itself in a stored procedure. Think of what one could do with a default Sybase install, port 5000 open, and 64-processor support.
For what it's worth, Microsoft SQL Server 7.0 ships with a large number of security holes that are much worse than a blank SA password, including the fact that unlike Oracle, you can't use encryption for client/server connections over TCP/IP without some serious hacking that disables your ability to patch or upgrade the server. Oracle can use SSL for client/server connections. It also uses NT default accounts, and the SQL Server Agent installs as LSA by default. Getting SQL Server 7.0 to run as anything non-privileged is a pipe dream.
The bottom line is however that MS, Sybase, Oracle, and many other RDBMS vendors ship their databases with default passwords. If you're going to rip Microsoft for it (which Slashdot WOULD do first, it's a Linux site!), you should also rip Oracle and Sybase for it also. Security starts with a good DBA/Sysadmin team and making sure that this does not happen.
Long live the blowfish! I agree, secure by default is the reason I chose to adopt OpenBSD for my webserver. For those who have never installed a *BSD (I've only dealt with OpenBSD so forgive me if this is not accurate for all the *BSD systems out there), the default is to NOT install ANY unnecessary services that could be exploited. The assumption being that if you need to have the service available on the system, you will install it. Also IIRC, it does not ship with telnet available, you must use SSH or install telnet on your own. I also rootkitted the whole damned thing as soon as I installed it (took me a fuck of a long time but I feel it's worth it). So now none of the default commands etc. do what an unsuspecting intruder thinks they might. Anyone interested should look into SecurityFocus for advisories and tips on how to secure your system (whatever OS you choose to run). For those who like Linux, you could also check out bastille-linux.org for a secured Linux solution (sorry haven't actually used it yet myself so I can't give firsthand accounting).
--posting anon to protect my site's security!
----
Goodbye, and may the road rise with you
Wired and Bugtraq both mentioned a Czech site that can attempt several hacks against ASP pages, showing the source code. Many people have their user/pass in the code. This, coupled with the fact that SQL Server 7 (and 6.5, not sure about 2000) has no ability to filter requests based on IP address, means that anyone with Enterprise Manager can hook right up to your SQL database. OK, companies with firewalls in place are immune, but not everyone uses firewalls - especially shared hosting environments. They HAVE to leave the thing open for their clients to connect from the outside. The ONLY thing keeping those people secure is the user/password combo. If that's viewed, they are compromised. There is one exploit example at http://www.aspsourcecode.com, with a link to the Czech site there as well.
creation science book
Putting in default passwords is common practice... I've seen it in a lot of software.
For example, why not try to exploit sites running Oracle databases with the "system" user (default pw: "manager")?
Of course, the MSSQL administrator may have considerably higher power on an NT system than the Oracle admin, but it's not MS's fault. (Well, they could put a message at the end of the installation, just as Oracle does.)
But actually I think this is not the point of the article (this being the way the press covers these things). And, about that, sorry, but while Linux doesn't get the backing of some billion-dollar company that is willing to do big PR, this will continue to happen. Not that I care, though...
--
Marcelo Vanzin
Here's my take on this....
A lot of system administrators in the Windows World got their start from doing desktop support on Windows 3.x/9x. Then they were promoted to the rank of NT sysadmin when their company finally got a few NT boxes (probably to run SQL for their website).
I find that an extraordinarily large number of NT admins really don't know what they are doing for this reason. Sure MS should require the sa account's password to be changed...but they didn't. Anyone with half of a clue should know to change the sa password, as they would change the local admin password on their NT boxes.
Incompetence plagues many of these so-called NT system administrators....incompetence you wouldn't see in most beginning *nix admins.
Most Windows vulnerabilities could never be exploited if people took even the most basic precautionary steps in securing their systems (i.e. changing a simple password).
Just some food for thought....
Note to Microsoft....it doesn't help having such low standards to obtain an MCSE. Any 12 year old can read a few books and pass the exams.
You're not serious, are you? Changing the default sa password is so obvious, it shouldn't need anything in big letters. If you're going to deploy a product to production without having the most basic understanding of security issues... well.. good luck!
I know Oracle does. Though they have this nice habit of going out of their way to tell you to change it. What about Sybase, Informix, and DB2, which are among the heavyweights of the industry?
Cheers,
WFE
===========
It listens on port 1433 if I remember correctly. I'm not a h4X0r or anything like that, but I've developed some web sites for people using ASP (god, what I wouldn't have given for types, that's not asking too much is it?, anyway..) In the process I read some stuff on a few ASP web sites and found info on an IIS exploit that (when not properly patched) allowed you to view ASP code as plain text. That's no big deal, no one includes anything critical like passwords in their ASP code do they? I was pretty amazed when I saw a fairly high-profile e-commerce web-site had their SQL Server passwords there in plain text. Not only that but they hadn't been changed from the default "sa". This was the first web-site I tried so I am sure it is not an isolated case. My point (I do have one) is that people who should know better, who spend millions on advertising, still can't set up their database correctly (or treat security as a product, not a process 'cause that would be too expensive). All the best software isn't worth a pinch of shit if you don't set it up correctly. I don't think anyone in the Linux community would claim that Linux is totally secure out of the box. The problem is how insecure SQL Server and a lot of other MS products are. Our sys-admin has a list of a couple of hundred things you have to do to make a fresh NT box something approximating "secure". I think the vulnerability in SQL is a real problem, and as you point out it has been a real problem for some time. There are hundreds, possibly thousands of web sites out there with a major security hole in them and you call it hysterical handwringing.
Well, two ways that leap to mind are: passwords that default to some invalid string like "x" in the shadow password file, and passwords that the installation program forces you to change. Oh, and of course you could always just disable remote access until it is explicitly set up and have one of the things needed to set up remote access be creating the remote access account. That isn't exactly what you asked for, even though "no default accounts" implies "no default passwords", but it is the way that the Debian PostgreSQL maintainers and, I am led to believe by other posts, the MySQL people enhance security for their systems.
I actually prefer the first, myself. Yes, the account is set up and ready to go. No, you can't actually use it until you set the password to a valid string. Of course, there is a bit of a support burden as people who don't read the manual try to puzzle out why it doesn't work, but at least you don't have the situation described in the vulnerability where people who didn't read the manual get it to work in a severely compromised way.
Speaking as an Oracle DBA, there has only been one site that I have gone to work for where I needed to ask what the password for the database was in order to start doing my job--my first job (when I didn't know anything about Oracle). That is one of the first things I check when I start working on databases at a site...passwords and security (that and a few other things that most _decent_ DBAs wouldn't let slide). Unfortunately, there are lots of low-end DBAs out there, but not as many quality DBAs (in some of these people's defense, I have seen situations where one of the IT staff gets handed the DBA baton and told, "Sink or swim, you're the new DBA--have fun!"). Sometimes you also have to remember that system/network/database admins are "invisible folk". If they do their job right, most management (not all mind you--there are some good managers out there) will always wonder what they are paying them for...at least until something goes wrong. When a manager has had a good operations staff working under them and that manager moves on elsewhere to spin up a new IT department, the staffing for administrators can sometimes be neglected--"Those SAs and DBAs didn't really do anything at my last shop, let's just grab someone off the street and train them!". Now if there are these admins out there just trying to "get by", some things like "common security measures" are going to lose priority over things like getting the database up and running, troubleshooting problems that you've not seen before, getting users/developers connected to the database, learning SQL, learning how to create database objects, etc. What may be common to a lot of us, may be the furthest things from their minds at the time...
Monsters of legend meet reality TV... Spook'd
This seems different to me than a SQL Server password which you can by default connect to over the network (unless blocked by a firewall or ACL) without a password and execute code (or at least drop system tables...)
RE:
>3) You know what -- Cisco equipment has a blank password by default! Oh no! Every single Cisco router and switch has a built in vulnerability! Quick, call the press.
>4) Anyone who is qualified to configure a SQL server knows this is just part of the install. Just like Cisco equipment.
- philos
I can't recall a single book I've read on SQL Server that did not instruct the reader to change the sa password immediately after installing.
Couldn't someone crack your system before you finish changing the password?
The shareholder is always right.
I have to agree with Microsoft. It's not a backdoor, vulnerability or hack. It's a password blank by default. You installed SQL Server, then you configured it. To do this, you logged in as sa with no password. You probably access SQL Server from your code using the sa account. Call me silly, but when does personal responsibility factor into this?
Redhat came with Piranha. You didn't ask for it (sort of kind of... it wasn't always clear you were getting it unless you were looking for it). To set it up, you did not need to use the default account. This is almost sneaky to the typical administrator that doesn't screen and evaluate EVERY SINGLE package that redhat installs by default (what is the count now? hundreds?).
I want to clarify my position--I don't fault redhat and I don't praise microsoft. They were two different scenarios and the media made 2 different reactions. I think that reacting at all to the Microsoft case is a waste because administrators who didn't fix this deserve what they get. The type of admin who doesn't do that leaves millions of other even less subtle holes elsewhere. That admin needs to learn to be more careful, and the hard way seems to be the only reality check.
On redhat's side, I'm sort of glad the media erupted. Yeah, it was a bit of a crucifixion that redhat didn't deserve, but I bet a lot of people who wouldn't have learned about the problem did from the frenzy.
who did just that! I got a mail from him with an attachment, (which I saved and viewed in notepad) and later that day I stopped by his office and took a look on his monitor, .. lo and behold .. there were quite a few messages with the subject .. "This illiterate (l)user doesn't know how to read"
Let's see:
Sybase ASE has a well-known, default password for the sa user. So does Oracle, for System and Manager. Sybase doesn't even prompt for a change on install, and neither does Oracle 8.0.x. Oracle 8i prompts for a change, but if you're in a hurry you'll blow right by it.
I think the real lesson here is for admins to RTFM. Anyone installing things on exposed or production machines had better damn well understand what they are doing.
The thing about this "exploit" is not the fact that it is a default password issue. It is about the fact that, by default:
(a) SQL runs as BUILTIN\System
(b) The ability to execute commands on the OS is a default feature
(c) Logging is disabled
(d) there is a blank default password
Any one of the above is bad, but all together?
Whilst I would agree, the sysadmins are mainly to blame for anyone exploiting these 'features', Microsoft has to accept responsibility for lazy implementation of key security features. Logging should be ON by default. The stored procedure to execute OS commands should be disabled. The sysadmin should be asked to create a user with lowly permissions and the "log on as service" right granted BEFORE installing the software. The installation process should then ask for this user before finishing.
These simple measures would have avoided all the fuss.
Peace,
Herbless
Amen brother!
But hey, welcome to the world of NT admins. I am not criticizing Microsoft, but rather the bozos who think they know how to do stuff just by clicking nifty icons.
My roommate is the best NT admin I know. His expertise in network engineering and security is amazing. He is an exception. Most of the folks I know that are in his position (NT Admin) suck! They think they have a clue but when you talk to them about BUGtraq, NTBUGtraq and the like they start looking at you funny.
And they take the liberty to tell you that Unix sucks 'cause it's not user friendly enough ... like if an admin needed user friendly stuff.
Looking for a great online backup: Green Backup
It's done in mysql_create_db (which creates the mysql database (used for authentication))
/*
*Not a Sermon, Just a Thought
*/
ORACLE DEFAULT PASSWORD = change_on_install
I think media thinks we already know what to expect for M$. This is how MediaOne gets pissed off by M$: click here to find out
In a followup to his previous stupid article, Fred Moody dared to call the entire Linux community a set of morons just because they complain about him writing FUD messages supported by his miscalculations from Bugtraq data. (Bugtraq themselves have reacted that these were miscalculations and that it was an unreliable method of determining the security of an OS anyway.)
Part of this has been on Slashdot, and we've all been angry together. Oh BTW, in his followup, the Moody even talks bad about Slashdot.
I think that the current Piranha vs. SQL Server article should make something clear to this man. Here's to hope that it becomes clear to his employer first, and that they fire him with a big kick in the rear as a finishing touch. It's people like him that spoil the media.
It's... It's...
"We can confirm that Debian does *not* ship the version with the trojan horse. Our version predates it." [CA-2002-28]
Most of the sites that were in this sorry state were systems put together by MCSE consultants.
Now, I don't have hard evidence to back this up, but I think you'd be pretty unlikely to get that kind of sorry ass configuration from IBM, Oracle or Sun certified consultants using Unix systems. (Linux is another story, but they're not even nearly in the same league as Microsoft when it comes to professional services and turnkey solutions.)
The meatspace metaphor is more like hiring a certified contractor from the world's biggest burglar alarm company to install a home security system, and he leaves the default disable code in the system or installs the master override switch on the outside of your house. The alarm company may not be directly at fault, but there is a strong case for negligence/fraud regarding the "certification" program that is really just a marketing tool.
This story raises a very good point. It does seem like the media is treating the same exact behavior in two, totally different ways.
I don't really know anything about Piranha, though. My question is, how hidden is this default login in Piranha? In SQL Server 7.0, it's pretty bleeding obvious that a user with a login of "sa" has been created... even a quick glance at the users defined for a given database makes it totally obvious that there's a user called "sa" there. Here's a screenshot. I added the black rectangles in Photoshop; normally you'd see the name of my clients' servers there... :P
Pretty obvious, eh? I'm not saying this is good behavior on the part of the software, but at least it's bleeding obvious- even someone who's never used SQL Server before should notice this "sa" user the first time he/she configures users for a newly-created database.
So how hidden is this alleged "backdoor" user in Piranha? Is it obvious? Or is it well-hidden, meaning that an otherwise-competent user might easily overlook it?
Not defending Microsoft here, just trying to see if there's any justification for the difference in treatment...
OtakuBooty.com: Smart, funny, sexy nerds.
Doh! Oh well - there's no info on Slashdot about what the site in question is anyways... still should be more careful ensuring that the Post Anon checkbox is actually checked!
----
It's common for SQL Server to run as Administrator or even Domain Administrator, but in most cases it's entirely unnecessary.
With a little tweaking, you should be able to run SQL as a normal local or domain user with "logon as service" rights, the only exception being if you are doing something funky with the command shell
When I hear the word 'innovation', I reach for my pistol.
You can't blame the poor admin. Show me where, in the MCSE training manuals, it tells you that having a null password is a bad thing.
There's no such thing as Scotchtoberfest!
> VMS default system account SYSTEM/manager, default service account FIELD/service
When I last used VMS c. 10 years ago, you had to enter new passwords for privileged accounts as part of the installation process. I know this personally, because I did quite a few VMS installations myself.
The "standards" you report were just the stupidity of bogo-gurus that wanted an easy-to-remember password. Yes, I heard of lots of security audits where the first test was to try to log on to "system" with "manager", and lots of people failed it. But in every case it was because some dumbass typed "manager" in and then re-typed it for verification.
Lots of VMS-based software products created an account when you installed them, but without fail you had to pick your own password when you installed the product, if it was a Digital product. (Most 3rd-party s/w required it as well because it was an easy call in the VMS installation library.)
Possibly the VMS engineers have gotten stupid in the last 10 years, but I doubt it.
--
Sheesh, evil *and* a jerk. -- Jade
I know a lot of people that use dba/sql as username/password for sybase's Adaptive Server.
Hey, suckers I found this weak thing in InterBase! The default admin account is SYSADMIN and the default password is 'masterkey'. Well, D'uh. RTFM. RTFM. RTFM. And stop blaming MS while this is all the Admins at fault here!
Well I agree with that too. If the companies won't acknowledge that there is a problem then it does need to be brought into the public, but if a company is on top of security issues and works to fix problems the instant they are created, the media should not cover the problem until it's fixed.
randomly generated as a variable length string of alphanumeric characters. That will force the installer to think a bit when they see a message saying their admin password has been set to 'sg083n2rs8dbixndu'. Then, perhaps they'd either set a new one or write this one on a post-it on the monitor. That solves the vulnerable idiot problem. Then, if they forget the password, they can call the pay per minute install helpline to get help = new revenue stream for the company.
---
You've totally done an end run around the point here.
Microsoft makes security gaffe, they get to say "Pay no attention to the man behind the curtain...look over there at that shiny new SQL 2000! Buy it today for $umpty bajillion dollars!". Media buys it lock stock and barrel. (mostly)
Red Hat makes minor, non-destructive security gaffe, and the media calls into question an entire programming philosophy. (mostly)
The mechanics of the gaffe are not really interesting to the REAL issue here...namely, the self-administered blowjob Microsoft enjoys on the major news organs (one of which has become MS's bitch).
You're right. Anybody who doesn't change the SA password shouldn't be allowed near any devices with buttons on them. However, Microsoft should have been pilloried for this, and they weren't. They successfully pointed the finger at the hapless (clueless, feckless, reckless, and really really dumb) admins whose training they (MS) designed (poorly) and subsidized and advertised.
(Enjoying the parentheticals?)
Why yes, I AM a rocket scientist!
If it's a non-problem, why was it a problem for Piranha (golly that's hard to spell...)? I agree that the issue is minor, but RH got the shaft in the media, and MS gets beer and skittles.
Sounds like Slashdot is calling the major news media on biased reporting. That's, like, sorta what I come here for and stuff...
...I would have lost access to a LOT of MS*Sql Servers in the past. You know, from those pesky people who come up 2 years after you last touched the database server, and tell you they forgot their password... If it wasn't for me leaving the database SA account with the blank password, I would have NEVER been able to get in...
-- You can't idiot-proof anything, because they're always coming out with better idiots.
Now we know the motive behind the iloveyou thingy. The purpose of the email was to destroy all the reporters' machines who were saying all these nasty things about Linux!
---
Agreed. The blank password itself is not a security hole. But there is a combination of features: by default sa has a blank password. By default the virtual user account under which xp_cmdshell is executed has too many rights. By default the SQL admin GUI program remembers the admin password.
All this makes MS SQL the most common place for attacks.
If you do not change default passwords, you are an idiot.
If you do not place your database server inside your firewall, you are an idiot
If you let your ASP application connect to the database as sa, you are an idiot.
If the database users you use to connect to the database have privileges to do anything more than they need, you are an idiot.
If you do not check every user data (text fields, url's etc) before passing them on to the database, you are an idiot.
If you are an idiot: thank you for purchasing this software. Too bad you are too stupid to use it.
All opinions are my own - until criticized
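The four defaults Herbless lists above (service account, xp_cmdshell, logging off, blank sa) and the "idiot" checklist in the post just above both describe the same fix-list; this is an added check-and-hardening script, not code from any poster, written in SQL Server 7.0/2000-era T-SQL (sp_password, sp_dropextendedproc, xp_instance_regwrite). The password literals, the 'webapp' login and the MyAppDb/dbo.Orders names are placeholders; the service account itself cannot be changed from T-SQL and is only noted.

```sql
-- Run as a sysadmin in Query Analyzer or osql. Added example, SQL Server 2000 era.
USE master
GO

-- (d) Detect a blank sa password. In 7.0/2000 master..syslogins carries a NULL
--     password hash for a login that has no password set at all.
IF EXISTS (SELECT 1 FROM master..syslogins WHERE name = 'sa' AND password IS NULL)
    PRINT 'WARNING: sa has a blank password'
GO

-- Replace the blank with a long random one (placeholder value below).
-- sp_password arguments: old password (NULL when blank), new password, login.
EXEC sp_password NULL, 'REPLACE_WITH_STRONG_PASSWORD', 'sa'
GO

-- (b) Keep ordinary logins away from OS command execution. Revoking from
--     public leaves xp_cmdshell to sysadmin members only; dropping the
--     extended procedure removes the feature outright.
REVOKE EXECUTE ON xp_cmdshell FROM public
GO
-- EXEC sp_dropextendedproc 'xp_cmdshell'   -- uncomment to remove it entirely

-- (c) Turn login auditing on. AuditLevel: 0 none, 1 successful logins,
--     2 failed logins, 3 both. Read at service start, so restart MSSQLSERVER
--     afterwards; failed 'sa' attempts then appear in the errorlog.
EXEC master..xp_instance_regwrite
    N'HKEY_LOCAL_MACHINE',
    N'SOFTWARE\Microsoft\MSSQLServer\MSSQLServer',
    N'AuditLevel', REG_DWORD, 3
GO

-- Confirm the audit setting was written.
DECLARE @level int
EXEC master..xp_instance_regread
    N'HKEY_LOCAL_MACHINE',
    N'SOFTWARE\Microsoft\MSSQLServer\MSSQLServer',
    N'AuditLevel', @level OUTPUT
SELECT audit_level = @level          -- expect 3
GO

-- (a) The service account (BUILTIN\System / LSA by default) is set in
--     Enterprise Manager or the Services applet: a plain local user with only
--     the "Log on as a service" right, created before the install, as the
--     post recommends. Nothing in T-SQL changes it.

-- The application should never connect as sa: give it its own login with
-- only the table rights it needs (placeholder database and table names).
EXEC sp_addlogin 'webapp', 'REPLACE_WITH_STRONG_PASSWORD', 'MyAppDb'
GO
USE MyAppDb
EXEC sp_grantdbaccess 'webapp'
GRANT SELECT, INSERT ON dbo.Orders TO webapp
GO
```

The syslogins check and the AuditLevel read-back are the two lines worth re-running after any change, since both report the state the server will actually use rather than what the installer dialogue showed.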
Yes, but if you know how to set that up you probably know enough to change the password, too.
Can Red Hat really be blamed for people allowing the installer to install unknown packages? In my opinion the people who do this can't be very security conscious, let alone be running a mission critical system.
I did buy a good book BEFORE installing the thing. But evidently I'm in the minority.
-MT.
It is a security hole, as it *was* for piranha.
As the poster says, during the installation of SQL Server you are _clearly_ given the chance to change the password (an item that is easily changed using the Enterprise Manager at any time).
Funny, why is it that you can't get very far into an installation without providing an installation key but you can go from zero to hax0red in no time flat if you click next when asked for a password? Because there is a SECURITY BUG in the installation's logic, that is why.
I'm sure the security people who get paid to come and clean up after you don't think it's a flaw - clearly MS doesn't - but it's a flaw nevertheless. A really big one.
Let's take this little bit of humor into meatspace.. You open the biggest door to your house to get in, and leave it open. You settle in for a day, and then go out to party... but you leave the door open still. You are robbed blind and silly, and there's not even a broken window, because *you* left the door open.
Nope, more like you have a lock installed on your door made by a manufacturer who ships all locks keyed to the same key, and expects you to re-key the lock when you install it. You do lock the door behind you (but haven't rekeyed the lock) and somebody else using his copy of the key breaks into your house.
This puts 3, the company that made the lock, at least partly in the wrong, although it's probably still your fault for choosing that lock company in the first place.
-- Alastair
When you setup the software, it creates the sa account and asks you to set a password. It is blank by default. If you don't set one, you are an idiot.
But it doesn't matter if the default is blank or 30 characters long, if it's a default you should change it. This is true with any piece of software, MS or otherwise. And of course OSS is going to get bashed, since you have so many zealots SCREAMING about how secure OSS is, and how crappy MS is.
EHA
Viva Anales!
http://www.microsoft.com/technet/security/database.asp
When you read those articles, for example the SQL Server 7 security how-to here, with good tips on securing databases inside SQL Server, ODBC links to databases etc etc, you'll learn that SEVERAL TIMES you're advised to give the 'sa' account a secure password (that is: a password difficult to guess) and NEVER USE the 'sa' account again, only in case of trouble. You're advised to set up accounts in NT and to use these inside SQL Server, and how to use NT security over SQL Server security (thus, using NT accounts instead of SQL Server accounts, like the 'sa' account, over trusted pipes.)
I simply don't understand why MS has to be blamed for typical misbehaviour of end-users. If an end user doesn't want to read the articles online or doesn't want to understand the issues concerning security and the internet when installing and setting up corporate systems (we're not talking a desktop system here), why is it suddenly the vendor's problem? "Yes, dear RedHat helpdesk guy, I did rm -rf /* when I was logged in as root, why is it MY fault that everything is gone?".
--
Never underestimate the relief of true separation of Religion and State.
Everyone knows that Microsoft only makes perfectly secure products. Only that Linux stuff has security holes, and people need reminding of it constantly (even if it's not a completely accurate reminder).
But thanks, the story brought back a few nostalgic memories of wide-mouthed clients going all goggle-eyed as we showed them how we'd just connected direct into their new system's database over a dial-up ISP connection ;-)
as the subject says... :P
so what have ESR and the p.r. crew been doing?
-dk
Dream with the feathers of angels stuffed beneath your head.
Oh come on. Why is there nothing forcing you to change the password? In what situation would you need a blank SA password? You may be right that someone who doesn't know this shouldn't be installing SQL server, but it's just not the case in the big room outside. How many people give the summer boy the job of installing SQL server? The point is, if MS had forced you to change the password this wouldn't have happened. Plain and simple.
Would you leave a *NIX box on the net with a blank root password? I don't think so.
A good SQL implementation should let you quote everything, even numbers. Then you can simply backslash your quotes.
Don't they test this crap before putting it into production?
Wouldn't YOU change ALL the DEFAULT passwords in a newly configured system?
If you're getting paid to be a Sys Admin, then it is YOUR responsibility to check this kind of stuff before going into production.
Microsoft ISN'T going to do it for YOU.
In all honesty, I don't understand why this story even qualifies as news...
I'm not a big M$ guy but if you'd actually continue to look at the BugTraq postings this week, today even, they are talking about how this happens everywhere including Oracle... I've set up many systems and application servers in my lifetime and anyone who doesn't change any default security settings like this is asking for what they get...
Can anybody confirm this, and confirm that this is not true of Piranha? I.e.: is SQL useless unless the user logs in at least once, and is Piranha usable without using the password.
Among all the noise here, this is the first coherent response that indicates that in fact the two pieces of software might be different.
The cool part is if you exploit the Translate : f bug (see this link), you can view the page code and grab the login name, password and dbase name. In plain text.
When RedHat has a vulnerability, it's news because such things are pretty rare. When Microsoft has a vulnerability, it's not news because it happens so damn often. To widely publicize it is like putting "Sun To Rise" as the morning headline...
Ita erat quando hic adveni.
I have already seen a ton of posts about how only "stupid" admins don't change default passwords. And last time, when it was Piranha, I saw the same thing.
But the truth is default passwords ARE a problem. Red Hat didn't have a default password on purpose. The guy who was supposed to check it came forward on Slashdot and admitted that he had made a mistake. Default passwords are a "bug."
I see posts talking about how different pieces of software have shipped with default passwords for N+1 years. But really that doesn't prove anything except that we have grown accustomed to bugs. It's like, I was in a house where the roof had leaked for 10 years. The owners just put a bucket to catch the water when it rains. After a while you don't notice the bugs. But it's still a problem.
What's worse is how stupid a bug this is. I bet it took a Red Hat programmer less than half an hour to set up an RPM that asked the user for a password on install.
The "blame the user" attitude pisses me off. Computers are made for users, not the users designed for computers. There is no reason why reading email should destroy your system. There is no reason why trying to read a .doc should erase half your hard drive. Clicking an icon is another thing that shouldn't make your computer unbootable. At some point you have to take a stand and say, "Maybe not everything should run with root permissions. Maybe we shouldn't execute arbitrary commands. Maybe it wasn't the user's fault at all. Maybe we should fix our bugs."
Right on the money with this post. ALL database installations by default have a "set" password for the admin account. If you didn't know what it was to start with, how are you going to log in and configure your database? ANYBODY installing a database server package should know this as a matter of common knowledge mixed with industry experience. The "urgency" over this matter is over-inflated at best. Any experienced database admin would have a flaky clue about the admin rights and password situation... If they don't change it, it's either due to a) ignorance, b) stupidity, or c) laziness. Either way, do you want that person in charge of your database/web server? Also, if you're worried about securing your data, WHY on earth would you host your data server on the same box as your web server? This just seems like a cardinal sin waiting to be exploited. Regardless, this "problem" isn't the result of poorly designed software, but rather, end-users who are dabbling without the necessary experience/training. Any business that is contemplating using a database over the internet had better realize that they need to hire a professional to do the job properly (whether in house or not is to their discretion). Your data is worth as much as it means towards the survival of your business; do you want to leave that in the hands of a bumbling idiot who's never done this sort of thing before? I don't think so. I'm done ranting.
mySQL comes with a default password of nothing for its root user. No one seems to be concerned about it. I'm not.
The reason high-profile companies have gotten hacked is not because of a default password, it's because stupid admins don't change it.
Indeed, when you install Windows 2000, unless you proactively provide an Administrator password, that too is blank. The same is true for much software, including some Linux distributions.
You're kidding, right? If the guy's looking for evidence that most Slashdotters are morons, all he has to do is read this story and the responses to it. Out of all the articles you could have posted to to complain about people calling Slashdot an idiot culture, why oh why would you choose this one? Yet again, Slashdot embarrasses itself bigtime.
Cheers,
During the Piranha furor anyone who wrote any kind of negative story was told "not a backdoor, this is not really news, read the manual, etc". Maybe the explanation is not "they hate Linux and are out to get us" or "they are obviously in the pocket of MS" but instead "now they understand that a default password, while bad, is not really newsworthy". The REAL test of that hypothesis will be the NEXT Linux default password issue. If it gets reported, then we know MS problems are being ignored while Linux problems are not.
--
Linux MAPI Server!
http://www.openone.com/software/MailOne/
(Exchange Migration HOWTO coming soon)
--
Actually, as SA I could log into your data server and run syscmd which would allow me to run DOS-level commands (which means I could ftp files to your server and run them, etc., format your drive, delete your files).. yes, this could be potentially dangerous.
Replace idiot with 'did a 2 week MCSE course and was hired by someone who buys into the whole 'MCSE is all you need to admin NT' bull'. I agree, the SQL server exploit is not, strictly speaking, MS's fault, but then again, the piranha issue wasn't either - contrast the media hysteria.
That's what this article is about.
I daresay it's mentioned in Microsoft Press titles that cover SQL Server, and in the online Knowledgebase. But for them to blame the administrator when someone then breaks into the database server is still a cheek on their part.
Something as simple as this should be on a sheet of paper IN BIG LETTERS with every copy of SQL Server they ship!
-MT.
As several have pointed out, this article, at its base, looks at the supposed unfair coverage Red Hat got in the news media.
Let's look at the first three letters of the word news - NEW. The default password "vulnerability" of MSSQL has been around for YEARS, ever since MS bought it from Sybase. Piranha is new. Therefore it qualifies for news.
Kind of like having a debate on why the press gives so much coverage to has-run presidential candidate John McCain's skin cancer while there is little coverage that President Kennedy has been shot. Must be that since McCain doesn't take soft money and can't pay off the media.
I don't know of many products that DON'T ship with a default password, aside from operating systems. If you don't have enough sense to change ANY default admin account / password, then you deserve to get E-raped by h4X0rz. Every competent admin I know ALWAYS changes this sort of thing; it's just in a large list of post-install tweaks for any package. Closing X-server ports, removing the 'Everyone--Full Access' rights from NT shares/directories.... Stuff like that.
PLAY FIREARMS MOD FOR HALFLIFE! SCREW CS. http://www.firearmsmod.com paid for by the STonER clan
"I am a warrior, and information is my weapon..."
Even the samurai
have teddy bears,
and even the teddy bears
get drunk
Write a COM object and have it impersonate another NT account. Have it talk to the database.... BTw, I agree that the stupid passwords shouldn't be sent clear, but DON'T USE IT!
---
DO NOT DISTURB THE SE
Someone's been sleeping at the wheel then. I heard about this about a year ago when we found a site my company was to start hosting or hooking into had left the "sa" account/password wide open.
This is the most ridiculous story I've seen posted for a while.. A system that ships with a blank password by default? OH NO! What a disaster!
"But clueless newbies might not know to change it!"
2 Points:
1. Anyone with half a clue knows to set a password on any system of this sort, but more importantly..
2. What would you rather have? A system that sets a default password of "microsoft" or something else? What difference does it make? As long as there's a default of something then it will be common knowledge. Ok so you could make the password be required before being allowed to continue, but anyone who knows enough about SQL server to set it up knows to change the password.
This is the biggest pile of FUD I've seen for a while, I would expect better from Slashdot.
MySQL limits their root account to localhost by default too, though, so remote damage is out of the question. :-)
And, mysql doesn't execute arbitrary commands
One SQL, (openSQL, maybe) does have a default password of "change", "changeme", or "changepass" (something similar). It was used in the setup of slash (the code that gives us slashdot), at our local lug. If someone does not change that, it is their own fault, but it is an account that has to be logged on to, not the sa where you don't (if I understood right) have to log on.
--
You're right. This is not a problem with SQL Server. But this is definitely a problem with ODBC and how ODBC interacts with any database. And you know who created ODBC in the first place.
See the "..for smart people" banners Wired runs here? Look elsewhere guys.
This is nothing new--
Sybase and its derivative, Microsoft SQL, have always shipped with a default sys-admin password of blank, or nothing.
---
Interested in the Colorado Lottery?
Interested in the Colorado Lottery or Powerball games?
check out http://colotto.com
OK I know shipping with a default password is lame, but changing default passwords/user accounts is a common security measure. At least I think it is, and many others agree. Anyone feel any different?
-If at first you don't succeed, call it version 1.0.
Not only is MySQL root access limited to localhost by default, but after running the install script, a warning-message is issued instructing you to CHANGE the password IMMEDIATELY (yes, in caps). You're even given an example of the command used to change the password... If you still manage to overlook that - damage is limited to local users anyways (which should never be all that many on a database server...)
^]:wq!^M
OK, I would just like to point out that this "issue" is not new with SQL Server 7.0. Version 6.5 was just released with the exact same "issue". So don't go playing this like it is something that was just discovered. Second, someone using SQL Server for a production database who doesn't have the sense to RTFM deserves to have their DB busted into. Sorry to get my panties in such a ruffle over this, but it is just another stupid "Look what M$ is doing wrong" campaign. People using SQL Server should know what they are doing; if they don't then they should get out of the kitchen because obviously they shouldn't be there in the first place. BTW - Have a great day :)
contain the words "Scott" or "Tiger". If so, Oracle can sue.
If you aren't part of the solution, there is good money to be made prolonging the problem
No, Piranha is only installed under specific circumstances too. You need to install the clustering technology (and I think you have to buy the more expensive distribution to do so)
Talk about not being treated fairly by the press, I thought it was interesting that this article would mention Back Orifice. Maybe the malicious hacker would care to install MS SMS agent. It does the exact same thang as BO, but doesn't get picked up by the MS-friendly virus scanners (wait, isn't that *all* of them). How can MS release an app that can hide on your system and give someone free god-like access and not get the same crap from the media as CDC?
Is it *REALLY* Microsoft's fault, and should they *REALLY* call this a vulnerability, when the admin KNOWINGLY leaves a system account with a blank password exposed to the Internet in all its glory?
Repeat after me. Installations should be secure by default, insecure due to administrator action. The converse is NOT true.
So now, for penance, I suggest you go to OpenBSD and catch a clue on creating systems with security appropriate for being placed open on the net.
So what's really all that new about this? That the press is apparently taking sides? That happens all the time. That another Microsoft-specific security hole is not getting much attention while a similar open-source one is? That's what happens when the press takes sides. Same old, same old...
What I would like to see is an article in some major publication that points out that anyone dumb enough to *not* change a *default* password that allows a user "god-like powers" is going to be experiencing some problems whether they are using open-source or proprietary systems. If you don't change default behavior of your machines, that isn't really the fault of the company that shipped it to you. That's just bad policy.
-- I'll be more enthusiastic about thinking outside the box when there's evidence of thinking going on inside it.
This is no secret, it's well documented, and known, one of the first things you do is change the sa password.
If people fail even the basics of security, such as changing all admin passwords for any program that they are using, then this is a non-issue; however if you're a clueless setup.exe wanna-be admin, then not only are you going to be 0wn3d, you, your momma, grandma, and homo-sexual poodle deserve to be hacked.
Of course there is the possibility (That I'm sure loads of people here will have already pointed out) that Microsoft funded the reports and paid for the suppression of the bad ones.
Then again, maybe it's just US election time... They don't have to actually report things when they can go on about Gore being less technically competent than Bush or vice-versa...
Actually I think Bill was on the grassy knoll...
Gav
"There's no such thing as data that can't be manipulated"
Here's some more in addition to the cisco one:
Oracle default system account SYSTEM/manager
VMS default system account SYSTEM/manager, default service account FIELD/service
The list of systems that install with no system password or with a known system password is very very long.
The article seemed to hint that MS is more trusted than Red Hat as a purveyor of software. In my opinion, few companies can be less trusted than Microsoft. They release new features like e-mail scripting, with no regard for security whatsoever. When this is exploited, it takes them several weeks to release a patch (all the while shooting out press releases that the patch is "coming soon"). Even the patch doesn't ensure a problem-free setup -- it breaks functionality with Palm Outlook conduits, for example.
Remember when we could laugh at e-mail forwards like "Do not open a message with 'Good times' in the subject"? Well, thanks to Microsoft innovations, these are now very real advisories. The IT department at the large office where I work put up hundreds of flyers to ensure that people didn't open these attachments. Many people still did, out of curiosity or just plain stupidity. The solution? Reconfigure the mail server to reject these things outright.
Microsoft has cost many people hours in overtime reconfiguring systems that were designed poorly from the get-go, and then has the gall to blame administrators. Good Lord, man, someone needs a whooping with the clue stick.
For more information, click here.
This is something that has really been bugging the hell out of me lately. I am a contract network admin. In a given week I will go to over 30 companies and assist their permanent admins when they are in over their heads. If there is one standard that I have noticed it is that 90% of all problems are directly related to the admins lacking training and the companies are not willing to invest in A) Training or B) Better Admins.
This loophole definitely falls in the 90% range of problems that I see. If a company has shoveled in an Admin who is _so_ unskilled as to leave a blank SA password, something you _must_ notice, then they deserve all they get. You pinch a few pennies here and you get bit in the end.
I was at a company a few weeks ago complaining that none of their workstations could log into their domain. After examining their "Domain Controller" I found that it had been installed as a member server and not a primary domain controller. The reason? The Admin didn't know how to properly install Windows NT. The Fix? Format, reinstall, re-enter all created user accounts. Whose Fault? Not Microsoft's for not making a more clear determination between BDC, PDC, and member server... the Admin.
The same goes for any system. I don't care if it is Sun, Microsoft, or Apple.
It's time people took a little responsibility for their actions.
So who's to blame? The manufacturer for handing out generic keys? The couple for not reading the manual? I think it's pretty clear that the manufacturer should be to blame for not telling the couple the keys were generic when he handed them out.
Guess what: the people you're working with (and possibly you yourself, if you also knew there was no security in your systems) are morons.
--
Cheers
Jon
sp_OACreate
sp_OAMethod
sp_OADestroy
sp_OASetProperty
sp_OAGetErrorInfo
sp_OAStop
sp_OAGetProperty
Moral of the story: pay the extra dollars/pounds/[insert unit of currency here] and hire someone who can find his or her arse with both hands rather than some slack-jawed student who reckons Linux is a real OS and mySQL is a real database.
--
Cheers
Jon
On the other hand, open source folks usually like to crow about the security of their systems. Consequently, a security hole (even one like this, where the vulnerability is due to incompetent administration) is news.
Why is this breaking news?? Any "decent" MS SQL DBA should know about the blank "sa" password. If the server is important enough to have stuff stored on it, then the person installing or managing it should be competent enough to know to change the sa password.
"And the wild regrets, and the bloody sweats, None knew so well as I: For he who lives more lives than one More deaths t
Hear hear. In mysql the user root has a default blank password. Is that a backdoor too?
----------------------------------------------
the pun is mightier than the sword
http://slashdot.org/articles/00/01/16/138234.shtml
Fred Moody was nice enough to quote me and completely take them out of context/etc. My response to him: http://www.securityportal.com/topnews/moody20000821.html.
The place where I work has had this hole in place since it started using IIS a few years ago. Since then, we've grown to have two HUGE websites, both running off of a 300+ gig database, as well as a huge array of support programs. Guess what? ALL of them log in using sa with no password. Guess what? ALL of them have to be changed. Guess what? No one wants to do it because if something broke in the process, we'd be dead in the water. Never mind that we WILL be dead in the water when someone finally hacks us.
I'm in Dilbert Hell!
-Hentai [in vita non pacem est]
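The post above describes applications that all connect as sa with no password. As an added example (not code from the thread or from any vendor), here is a small audit of ODBC/OLE DB-style connection strings that flags sa logins and blank passwords; the key names it recognises are the common ones, and the connection strings are constructed samples, not taken from any real deployment.

```python
"""Audit connection strings for 'sa' logins and blank passwords.

Added example; the connection strings and file names below are constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Key aliases commonly accepted by ODBC / OLE DB drivers (assumption: the
# usual ones; real drivers accept more spellings).
USER_KEYS = {"uid", "user id", "user", "username"}
PASS_KEYS = {"pwd", "password"}
TRUSTED_KEYS = {"trusted_connection", "integrated security"}

# One Key=Value pair; the value may be {braced} or quoted so it can hold ';'.
_PAIR_RE = re.compile(
    r'\s*([^=;]+?)\s*=\s*(\{[^}]*\}|"[^"]*"|\'[^\']*\'|[^;]*)\s*(?:;|$)'
)


@dataclass
class Finding:
    source: str
    problems: List[str]


def parse_connection_string(conn: str) -> Dict[str, str]:
    """Split 'Key=Value;Key=Value' into a dict with lower-cased keys."""
    out: Dict[str, str] = {}
    for m in _PAIR_RE.finditer(conn):
        key = m.group(1).strip().lower()
        val = m.group(2).strip()
        # Strip the {..}, ".." or '..' wrapper that protects embedded ';'
        if len(val) >= 2 and val[0] in "{\"'" and val[-1] in "}\"'":
            val = val[1:-1]
        out[key] = val
    return out


def _first(kv: Dict[str, str], keys) -> Optional[str]:
    for k in keys:
        if k in kv:
            return kv[k]
    return None


def audit(conn: str, source: str = "<inline>") -> Finding:
    """Return the problems found in one connection string."""
    kv = parse_connection_string(conn)
    problems: List[str] = []
    user = _first(kv, USER_KEYS)
    pwd = _first(kv, PASS_KEYS)
    # Windows (NT) authentication: no SQL login or password to check,
    # which is what the TechNet advice quoted earlier in the thread recommends.
    if any(kv.get(k, "").lower() in ("yes", "true", "sspi") for k in TRUSTED_KEYS):
        return Finding(source, problems)
    if user is None:
        problems.append("no login specified (driver will pick a default)")
    elif user.lower() == "sa":
        problems.append("application logs in as sa")
    if user is not None and not pwd:
        problems.append("blank password")
    return Finding(source, problems)


# Constructed sample: the kind of strings found in ASP pages and DSN files.
SAMPLE_SOURCES = {
    "orders.asp": "Driver={SQL Server};Server=db1;Database=orders;UID=sa;PWD=;",
    "reports.asp": "Provider=SQLOLEDB;Data Source=db1;User ID=reports_ro;Password=s3cret;",
    "intranet.asp": "Provider=SQLOLEDB;Data Source=db2;Integrated Security=SSPI;",
    "legacy.asp": "DSN=legacydb;UID=sa;PWD={Sup3r;Secret}",
}


def audit_all(sources: Dict[str, str] = SAMPLE_SOURCES) -> Dict[str, List[str]]:
    """Map each source name to its list of problems (empty list = clean)."""
    return {name: audit(conn, name).problems for name, conn in sources.items()}


if __name__ == "__main__":
    for name, problems in audit_all().items():
        print(f"{name}: {', '.join(problems) if problems else 'ok'}")
```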
Oracle User account - SYS
password: change_on_install
I think that Oracle covered their ass on that one.
My understanding was that Piranha was NOT enabled by default (it may have been installed, but default configs did not run it.)
Free Software: Like love, it grows best when given away.
Oracle has two equally critical accounts, SYSTEM and SYS, with well-known default passwords of "manager" and "change_on_install". Fail to change those, and your Oracle db is just as open as a blank-password sa account on m$ sqlserver.
...
MySQL (I'm rusty here: correct me if I'm wrong) also defaults the root user to no password, like the m$ sa user.
Not defending m$: Just pointing out that this is fairly common practice, and that there is indeed some responsibility to "know what you're doing" when opening a database up to the world
I've read so many comments now saying "So what if they left it blank? That's the administrator's fault for not changing it." I agree with that, but the point is, Red Hat got blasted recently for doing the same thing while Microsoft hardly gets mentioned for it.
I do think that MS should put a password change in the setup, but only because they've churned out so many MCSEs that don't know the reasons for what they do - just that they have to click X button when they need to do Y task and they have to apply service pack Z to get certain software to work.
Addlepated - punk & metal
SQL Server isn't installed by default when you install NT. If you do install SQL Server, and read the "Installing SQL Server" section of the manual, it does tell you to change the password.
Of course, if the Red Hat manual did tell you to change the Piranha password in the "installing Red Hat" section, and if the SQL Server manual doesn't tell you to change the password in its "installing SQL Server" section, then I've revealed my ignorance and should be moderated down to negative oblivion.
The lesson? Follow OpenBSD's secure by default motto/practices. How freaking hard is that?
Just yesterday the IT guys at my job were giving me hell about installing MySQL on a server. They want -everything- to be on MSSQL. I just sent them an email about MSSQL security..along with proof that it could be broken into.
Revenge is so sweet.
D
The first, last, and only tech news site on the net
The Power of the media lies not in how it tells its stories, but in which stories it chooses not to tell.
wishus
Vote for freedom!
---
They both bite. Get it? :)
5. The insurance company, for publicizing a case just like this that happened in the neighborhood, but implying that only Open Source houses were vulnerable.
Quis metamoderunt ipses metamoderatores?
No, again, this is a PROGRAMMER PROBLEM. You must handle your tainted data carefully, always. This kind of problem can occur in many instances.
Are you saying the system() call is also flawed?
-thomas
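Two posts in this thread touch on the same point: "quote everything, even numbers, then backslash your quotes" and "handle your tainted data carefully". As an added example (not code from the thread), here is a query built by concatenating an unquoted numeric id next to the same query with the input validated and bound as a parameter; it uses Python's built-in sqlite3 with a constructed in-memory table, the same pattern applying to any ODBC driver.

```python
"""Tainted numeric input in SQL: concatenation versus parameter binding.

Added example; the table and rows are constructed for the demonstration.
"""
import re
import sqlite3
from typing import List, Tuple

# Only plain decimal digits are accepted as an order id (no sign, spaces,
# or underscores, which int() would otherwise tolerate).
_ID_RE = re.compile(r"\d{1,18}")


def make_db() -> sqlite3.Connection:
    """Create a small in-memory orders table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE orders (id INTEGER PRIMARY KEY, customer TEXT, total REAL)"
    )
    conn.executemany(
        "INSERT INTO orders VALUES (?, ?, ?)",
        [(1, "alice", 10.0), (2, "bob", 20.0), (3, "carol", 30.0)],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, order_id: str) -> List[Tuple]:
    """The 'numbers need no quoting' mistake: the tainted string is pasted
    straight into the statement, so anything after the digits becomes SQL."""
    sql = "SELECT id, customer FROM orders WHERE id = " + order_id
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, order_id: str) -> List[Tuple]:
    """Validate the type first, then let the driver bind the value.  No
    quoting or backslash-escaping is involved, so there is nothing to get
    wrong for numbers, strings, or anything else."""
    if not _ID_RE.fullmatch(order_id):
        raise ValueError("order id must be a positive integer")
    return conn.execute(
        "SELECT id, customer FROM orders WHERE id = ?", (int(order_id),)
    ).fetchall()


def demo() -> Tuple[int, int]:
    """Row counts returned for the tainted input '2 OR 1=1' by each version."""
    conn = make_db()
    tainted = "2 OR 1=1"  # constructed attacker-style value
    leaked = len(lookup_vulnerable(conn, tainted))
    try:
        lookup_safe(conn, tainted)
        safe = -1  # should not get here
    except ValueError:
        safe = 0
    return leaked, safe


if __name__ == "__main__":
    print(demo())  # vulnerable version returns every row; safe version rejects
```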
"And like that
Slashdot once again defends Linux when someone claims there is a bug by shouting loudly that it's not a bug, but something that should be addressed by proper system administration...
Then turns around and blasts Microsoft for an identical issue (which of course is now a major bug!). And to top it off, the media gets blamed for bias... talk about your pot and your fscking kettle.
It's true... every remotely competent sysadmin has already changed the sa password and it's been common knowledge for years. It's a stupid vulnerability that M$ should fix by prompting for an sa password as part of install. It's almost exactly like the RedHat non-bug, and as a result, is a non-bug now too. It IS a design flaw and it SHOULD be corrected.
- StaticLimit
Come on now.... Don't you think that if you are stupid enough not to change your sa password then you deserve what you get? If all these major e-business sites are dumb enough not to change or delete their sa accounts then it's like Darwin's survival of the fittest. I've known about this for ages... BFD!
I have Leonard Cohen stuck in my head:
"Everybody knows that the dice are loaded...
Everybody rolls with their fingers crossed.
Everybody knows that the war is over...
Everybody knows that the good guys lost.
Everybody knows that...
Funny thing about that song - no matter where you are or what you're doing, the lyrics seem uncannily relevant to what is happening.
(Maybe I need to burn me a Happy Album (with lashings of Optimism)).
So what if the admin password is blank by default? If the DBA doesn't know that this should be changed before putting it into a production environment, he shouldn't be the DBA.
Earlier versions of SQL Server had this behavior as well, and so does Sybase. Informix has a default password of "informix".
Linux has a default blank password for the root password as well, yet nobody calls this a "security exploit" if a sysadmin never changes the password.
-Karl
GraniteMonkey, posting anonymous so you don't get noticed.
Hey, at least I attach a handle to my posts. Until you've got a name, I'm ignoring you after this point.
This is a manual virus. Copy it to your sig and help me spread!
Now you've gone and told everyone how to execute commands on the remote box :-) Yes, this has been an OLD problem for a while - I find it during security reviews on a regular basis. Even if they don't run with the Admin account (I've yet to see one set up like that actually) the account that it DOES run under is powerful enough to do a Net Use and copy over the backup SAM file. RDISK -S- is your friend in this case since so many people never make Rescue disks - you have to do it for them! :-P
I was wondering how long the XP_CMDSHELL thing would remain in the dark once folks figured out that the password was shipped BLANK. Seriously - everyone who never thought to try a blank admin password raise your hands. Good, now smack yourself - that's the first password you always try. Password, SA, and Admin are also good ones for the truly clueless. I can't believe sites in an environment as hostile as the 'net are so stupid as to not set an admin password.
Oh yeah - check out Oracle and Sybase while you're at it. Not much better there folks! Scott\Tiger anyone? That's the least of your worries. Some of those damned accounts are so poorly documented it's no small wonder that they aren't fixed. At least you can't get into a command shell as easily with those two - we've yet to find a command in either of those as powerful as XP_CMDSHELL....
Build it, Drive it, Improve it! Hybridz.org
Alright, that wasn't so anonymous :)
This is a manual virus. Copy it to your sig and help me spread!
The fact that there might be someone out there clueless enough to omit this essential step is a far greater security concern than the fact that MS didn't include the changing of the sa password in the install wizard. Bottom line is, if you expect to be secure, you have to have people who know what they are doing. Someone has to read between the lines of all the GUI's and wizards and actually know what is going on.
No, Thursday's out. How about never - is never good for you?
OK now... I'm convinced that the "default password" is a design flaw... but the media HAS reported on this, I remember reading about it months ago on MSNBC. Check out the article where they say: "Not only were the sites storing the credit cards in plain text in a database connected to the Web -- the databases were using the default user name and in some cases, no password. [CLIP] It included about 20 Web sites which either had no password protection at all on their database servers -- in each case, they were running Microsoft's SQL Server software "
So maybe it's not a technical article... but the media has reported on this vulnerability of SQL Server... and the criticism is from Microsoft-sponsored MSNBC, no less.
-rt-
** Evil Canadians are taking over the world. Learn about the conspiracy
This is not their issue. This is about companies rushing to the web without people qualified to perform the work. If you are going to use a relational database as part of your application, you need a DBA. Period. A DBA is not someone who was in the same room once when Access was installed. SQL Server has always had this. Any DBA worth the title knows to set the sa password as soon as the server is installed. This is not unique to MS SQL Server. Sybase (from whence MS SQL Server came) has the same exact issue. Oracle also has default passwords set for the SYS and SYSTEM accounts. It is common practice. These accounts must be active and used during the installation process. It is nothing new and certainly not news. If you have your NT admin or an application developer install and configure a production database server you deserve what you get. If someone calling him/her self a DBA does this they deserve to be tarred and feathered - certainly stripped of the title. MS's only complicity here is that they do foster the mistaken belief that anyone can install and administer SS7 - that there is less need for a qualified and experienced DBA.
There's also another nasty "non-vulnerability" being reported on BugTraq related to IIS and the built-in web server in Windows 2000.
An undocumented HTTP request header of "Translate: f" will cause the web server to return the source code of an ASP page! And often, this source code contains juicy tidbits like SQL server passwords, not to mention the business logic behind the web site.
Upgrading to W2K SP1 is enough to fix this bug, but with Microsoft's history of NT4 service packs, it's understandable that nobody is in a hurry to upgrade.
373
I've set my ipchains rules to log connection attempts to port 1433, which is the port of the M$ SQL server. That's just 7 days' worth of syslog.
-- If you can't convince them, confuse them (Truman)
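The post above logs connection attempts to port 1433 with ipchains and counts them by hand. As an added example (not code from the thread), here is a parser that pulls those attempts out of syslog and tallies them per source with first/last seen; the log lines are constructed in the ipchains 2.2-era "Packet log:" format, which is assumed here and should be checked against your own kernel's output.

```python
"""Tally ipchains-logged connection attempts to the SQL Server port.

Added example; the syslog lines are constructed in the ipchains
'Packet log:' format (assumption) and are not from any real host.
"""
import re
from collections import Counter
from typing import Dict, List, NamedTuple, Optional, Tuple

SQL_SERVER_PORT = 1433
TCP = 6


class Attempt(NamedTuple):
    timestamp: str
    chain: str
    action: str
    iface: str
    proto: int
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    syn: bool


# "Mon DD HH:MM:SS host kernel: Packet log: <chain> <action> <iface>
#  PROTO=<n> <src>:<sport> <dst>:<dport> ... [SYN] (#rule)"
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:]+)\s+\S+\s+kernel:\s+Packet log:\s+"
    r"(?P<chain>\S+)\s+(?P<action>\S+)\s+(?P<iface>\S+)\s+PROTO=(?P<proto>\d+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+(?P<dst>[\d.]+):(?P<dport>\d+)(?P<rest>.*)$"
)


def parse_line(line: str) -> Optional[Attempt]:
    """Return an Attempt for an ipchains log line, or None for other syslog."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return Attempt(
        m["ts"], m["chain"], m["action"], m["iface"], int(m["proto"]),
        m["src"], int(m["sport"]), m["dst"], int(m["dport"]), " SYN" in m["rest"],
    )


def sql_server_attempts(log_text: str, port: int = SQL_SERVER_PORT) -> List[Attempt]:
    """Keep only TCP packets aimed at the given destination port."""
    parsed = (parse_line(l) for l in log_text.splitlines())
    return [a for a in parsed if a and a.proto == TCP and a.dst_port == port]


def attempts_by_source(attempts: List[Attempt]) -> Dict[str, int]:
    return dict(Counter(a.src_ip for a in attempts))


# Constructed sample: three probes from one host, one from another,
# an unrelated web hit, and a non-ipchains line that must be ignored.
SAMPLE_SYSLOG = """\
Aug 21 03:14:07 gw kernel: Packet log: input DENY eth0 PROTO=6 10.1.2.3:4321 192.168.0.5:1433 L=48 S=0x00 I=28231 F=0x4000 T=116 SYN (#3)
Aug 21 03:14:10 gw kernel: Packet log: input DENY eth0 PROTO=6 10.1.2.3:4322 192.168.0.5:1433 L=48 S=0x00 I=28232 F=0x4000 T=116 SYN (#3)
Aug 21 03:15:41 gw kernel: Packet log: input DENY eth0 PROTO=6 172.16.9.8:2049 192.168.0.5:1433 L=48 S=0x00 I=9912 F=0x4000 T=64 SYN (#3)
Aug 21 03:16:02 gw kernel: Packet log: input ACCEPT eth0 PROTO=6 203.0.113.7:33120 192.168.0.5:80 L=60 S=0x00 I=5 F=0x4000 T=51 SYN (#1)
Aug 21 03:17:55 gw sshd[412]: Accepted publickey for ops from 192.168.0.20
Aug 21 03:18:30 gw kernel: Packet log: input DENY eth0 PROTO=6 10.1.2.3:4323 192.168.0.5:1433 L=48 S=0x00 I=28233 F=0x4000 T=116 SYN (#3)
"""


def report(log_text: str = SAMPLE_SYSLOG,
           port: int = SQL_SERVER_PORT) -> List[Tuple[str, int, str, str]]:
    """(source, count, first_seen, last_seen), busiest source first."""
    count: Counter = Counter()
    first: Dict[str, str] = {}
    last: Dict[str, str] = {}
    for a in sql_server_attempts(log_text, port):
        count[a.src_ip] += 1
        first.setdefault(a.src_ip, a.timestamp)
        last[a.src_ip] = a.timestamp
    rows = [(ip, count[ip], first[ip], last[ip]) for ip in count]
    return sorted(rows, key=lambda r: (-r[1], r[0]))


if __name__ == "__main__":
    for ip, n, first_seen, last_seen in report():
        print(f"{ip:16} {n:4} attempts  {first_seen} .. {last_seen}")
```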
This isn't new, which is probably why nobody is up in arms as you'd like them to be. Its also only a vulnerability depending upon your point of view. Personally, I don't view default passwords as a problem assuming the people working with the systems have an ounce of common sense. Of course, after the dot-com rush, there's a lot of people in the business who clearly don't have common sense.
If you want to bash Microsoft, you also have to bash Interbase (Inprise's OSS db), which has a default db superuser password as well. Printed right in the documentation, just like Microsoft's.
My point here isn't to defend Microsoft, but just to note that default passwords for superusers of operating systems and other software (including databases) have a long history within the industry. And whether or not such default passwords are a security problem is the stuff of long debates and flamewars.
We purchased clustering software from a third party vendor that used SQL server extensively. (Name omitted for obvious reasons) The way their system was set up the "sa" passwd could not be changed. Other programs were hard coded to use this default passwd.
I asked the vendor two very important questions:
1) Why am I allowing all of these other machines to connect as the sysadmin anyway??
2) When will this be fixed?
The answer to both? "Um..."
I know many of you will say that this is a case that won't happen often, but I beg to differ:
One of our Sun based systems has a "default" root password. Changing your root passwd has the unfortunate side effect of none of the users being able to log in. The company that sold us the software has no idea why this is, and we were the first site to report this vulnerability. (?backdoor?) This is a vendor that has been in business for 20 years, and our systems are 5-6 years old. Of course this does mean that I could wreck the publishing industry some day...
Of course, an attach to an NT workstation on port 139 and a "net users" can yield up a domain's worth of unames, and trying each with a blank password is almost guaranteed to get you into most corporate domains. Extract the SAM DB and get a copy of L0phtcrack...
Some days this stuff is just too easy...
Outlaw blank passwords!!!!!
Always change any default passwords while the vendor is still in the building!!! If you ever receive a machine that is vulnerable in the way mentioned above, refuse delivery. Tell the vendor that you will not sign off on the install until these are fixed, and also that they will not get paid....
You are already ahead of 80% of admins out there.
~Hammy
"Good, Bad, I'm the guy with the root access." ~AOD
First there was ISS. In all their communications to us, you got the impression that they believed they found the "holy grail" of security holes. Even though they assured us in private phone calls that they understood this was not a backdoor, they announced it that way anyway. I would think that more than anyone, an organization that wants to serve as a public source of security information would use accurate terminology in their reporting. The general public certainly isn't able to.
As it has been pointed out here, this was not a backdoor, and the situation only allowed read-only access to unconfigured data. You had to change the password in order to configure the product. It was documented that you needed to change the password, and piranha's GUI would not allow you to enter valid data into the configuration until you did change it.
Then there was the press. The first public media to report the story was Microsoft-owned MSNBC. What does that say? Then later stories came out saying that this was the terrible risk of using open source, or indicated that Red Hat's R&D is poor. I have worked in R&D at several Fortune 500 companies, and Red Hat is not worse than any of them (and in several cases they are much better). I can tell you that (and this is going to sound corny) Red Hat takes security reports VERY seriously! They are always given priority and it's standard operating procedure to check them and (if needed) release patches as fast as possible. We had a piranha patch done within 24hrs and out-the-door within 48. This is the ADVANTAGE of open source, and is much better than being forced to wait for a single source of proprietary software to even admit there is a problem, let alone quickly provide a solution. Thanks for recognizing we did this.
Many people looked at piranha before it was released; this was something that simply did not occur to anyone. After all; piranha doesn't set this password, it's the default behavior of the os/applications when you create an account via the mechanism that was called.
Is the media biased? I think so. Almost no one called us to get the correct information, and the few that did are the only ones that presented a more balanced story. I think some do not want to alienate their main source of income -- MS product advertisers. Others may just be lazy.
Even a month ago, when the High Availability Server product was announced, some reports couldn't help but add something like "piranha, the software that had a security backdoor problem back in Feb" -- as if this was still important. You can find some in the tail end of the HA web site doc area at http://people.redhat.com/kbarrett/HA/documentation.html
I'm happy to see I'm not the only one that sees these things. It must mean that Linux is being effective, or else they wouldn't waste so much time or effort on it.
---
Keith Barrett (kgb)
Red Hat HA Team
As the folks at 2600 will tell you, companies like MS won't fix dangerous security holes like this unless there's a scare. IT folks see the security vulnerablity story and say "whatever, it'll be in the next service pack." If they see the password is public knowledge, though, they call M$ and throw a nutty. My guess is Redmond's working on it and won't admit there's a problem until they can say "...and here's the solution." Makes them look good, you know?
-jpowers
maybe the media doodz remembered the fiasco of their overreaction to the Pirahna story and realized the winbloz exploit was basically the same thing
I have plenty of common sense, I just choose to ignore it. -- Calvin
13 million varieties of cheese-dicks! Down with the french, deport them to algeria, then they'll get what they deserve!!!
The current Slashdot moderation system is made by gay communists!
The BUILTIN/System account is a password within SQL Server, not a password within the NT logon environment. Don't get me wrong, you could wipe out an entire e-commerce site's database in a few minutes, but that is not the same thing as being Administrator. You cannot, for example, delete files on a local hard drive. Although now that I think about it, since SQL Server uses COM, you could write a vicious ActiveX control to delete the files. Not sure how you would upload the ActiveX control to the database, but I'm sure a motivated individual would have few problems :)
Opinions change daily as new information arrives. Stay tuned.
Unfortunately, MS went and made the installation more user-friendly when they put together Small Business Server, of which SQL Server is a part. So they dropped, amongst other things, the need to set sa password. Luckily, I'd read up in advance of getting the system. Doh!
-MT.
First of all, Red Hat's Piranha is a separate package.
Secondly, this is not really a software deficiency. It is a user (admin) knowledge risk. The effect of a sloppy user on M$ is far worse, but as a webadmin you should know at least the basics of security.
Most importantly this is a media spin issue mainly controlled by the Evil Empire (tm). Everything remotely bad about Linux is inflated beyond proportion. Anything bad about M$ is silenced if possible or at least spun to look trivial.
We need to get good Spin Doctors working for OSS...
It was with this one particular release of M$SQL that the sa password was left blank during install, with no prompt or warning. Prior versions had a less user friendly install which would prompt for an sa password, ensuring most sites were protected. So idiots installing this latest release would leave the password blank. It has been on the market for a few months now, and the script kiddies have had a scanning kit for at least 2 months.
Those of us who watch security probing trends noticed a huge increase in scanning on ports 1433 and 1434. When there was an M$SQL server sitting on 1433, the script checked for a blank password. It took a month of detective work by the white hats to come up with a reason for the sudden increase in this particular exploit. Now the egg is on micr~1.oft's face, but their PR department has squashed most news coverage, which is the reason for this /. rant^H^H^H^Harticle.
the AC
Hemos is like...sci-fi fans;he thinks technology is cool, but he hasn't bothered to understand the science it's based on
You make my point! Thanks
Skiers and Riders -- http://www.snowjournal.com
And the only thing worse than a foolish sysadmin is a foolish sysadmin with a foolish boss.
All opinions are my own - until criticized
If a SysAdmin is too stupid to change the DEFAULT PASSWORD on *any* system, they get what they deserve.
Actually, Concrete Blond was the one doing Everybody Knows on the Pump Up The Volume CD. The Pixies were on there as well, tho...
--
You seem to be missing the point.
If you omit the section 'Piranha: A Case Study' above, you could be right.
This is not about whether having a default password is leaving open a backdoor, but about the media treatment of Linux and NT.
Linux (well, a linux service) has a theoretical problem, only allowing read-only access, and no reports of it ever actually being exploited: Linux is "basically a bunch of peoples' hobby."
Windows (you know the drill) has a real problem, allowing root equivalent access, it *IS* actually being exploited: Eerie silence.
Why?
Is this a media conspiracy against Linux?
Probably not. Probably just lazy journalism.
The minute that MS heard about piranha, they will have gone into spin frenzy, putting words into journalists' mouths, and basically writing the reports for them. We can't stop this happening - we just have to do it ourselves.
Linux just needs better PR.
Why have you forsaken us, ESR?
cheers,
G
So why haven't you read about it?
How about because most pieces of software for the past 30 years have shipped with default passwords?
DrLunch.com The site that tells you what's for lunch!
6.0 and 6.5 had that default setup. All SQL admins worth their salt know this as fact. You install SQL server and you get user sa set up as the administrator with a blank password. HELL: there is a program we installed that assumed that fact and would log into the SQL server 6.5 as sa with no password hard coded in! (They bitched when we didn't have that password empty, and charged us several $$$$ to modify the code.)
Do not look at laser with remaining good eye.
This is just a copy/paste of this American page, or any other one, since this text is widely available on the web. Probably because this guy has a problem with the French, and anything goes to degrade their image. Of course, several francophobic morons are reacting exactly as expected.
So why haven't I read about it? Because I get all my news from slashdot, and this is the first they posted it :-)
:-)
Seriously, this exploit has been known for many weeks now. Probes for MS-SQL ports have equalled all other probes on our honeypots. When we did put up an MS-SQL server and recorded the responses, it seems there are already several kits out there looking for a blank sa password. Silly us, we set the sa password to sa, and nobody guessed
You are right about the press giving micr~1.oft a free ride. But wait until this exploit gets some better kits. 'Rooting' an SQL db does not give you as much control over a machine as rooting the whole OS does, and the general lack of SQL knowledge out there will limit what script kiddies can do. But given the widespread use of M$SQL server for web engines, there should be some spectacular hacks in the coming months.
Other large commercial DBs require you to set the sa password as part of the installation process.
the AC
Hemos is like...sci-fi fans;he thinks technology is cool, but he hasn't bothered to understand the science it's based on
As much as I hate Microsoft, I would have to say that this problem is more of the admins' fault than anything. Personally I'd rather spend a few minutes ReadingTFM than days trying to recover a lost system.
Micro$oft considers it a feature that you can piggyback queries passed through an ODBC connection. What does this mean? This means that websites using ODBC connections to run queries (translation: dynamic pages) are extremely vulnerable to "tinkering" with. Basically, if someone is passing variables into a page (say index.asp?variable=5) then you can piggyback your own query after that (say index.asp?variable=5%20DELETE%20FROM%20sysobjects ). Or something. Of course you have to have permissions, and you have to understand SQL a bit -- but hey. 'tis a bit scary. See the link to phrack, the relevant info is down towards the bottom. Again, this is old -- as in from SQL Server 6.5 days.
...because we all know about it already.
This is hardly news and any sysadmin that leaves a system up and open with documented default passwords deserves to be shot, not the vendor that shipped the software.
What's the BFD?
What do you want MS to fix?
Good judgement comes from experience, and experience comes from bad judgement.
- W. Wriston, former Citibank CEO
Thanks to you Slashdot, now all those websites that could be at risk will be flooded with attempts to compromise their servers. Had you just let this alone nobody would even know about the exploit. But just because it's Windows you have to jump all over it and the result will be a ton of websites wiped clean.
I can't vouch for the Red Hat website issue, but you should think before you speak. Now you are just as bad as those other sites blowing the issue out of proportion.
You can code software to better deal with common misconfigurations though. In this case the proper thing to do is not perform the normal functions until a password is set. Simple, and it makes it very difficult to have this kind of misconfiguration.
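What the comment above asks for, as an added example that is not Piranha's, Red Hat's or Microsoft's code: a small admin console that refuses every operation except "change the password" while the shipped default is still in place, and rejects a replacement that is blank or one of the defaults named in this thread ("Q", a blank sa password, "sa", Oracle's manager and change_on_install). The class and method names are invented for the illustration.

```python
"""First-run gate: refuse normal operation until the shipped default password is replaced.

Added example, not code from Piranha, Red Hat or Microsoft. While the admin
credential is still the default the product shipped with, every request except
"change the password" is refused; the replacement may not be blank or any of the
well-known defaults mentioned in this thread.
"""
import hashlib
import hmac
import os

# Defaults named in this thread: Piranha's "Q", SQL Server's blank sa password,
# "sa" used as the password, and Oracle's manager / change_on_install.
KNOWN_DEFAULTS = frozenset({"", "Q", "sa", "manager", "change_on_install"})
MIN_LENGTH = 8
PBKDF2_ROUNDS = 100_000


class DefaultPasswordError(PermissionError):
    """Raised when anything but a password change is attempted on a default install."""


class AdminConsole:
    """Minimal stand-in for a web admin GUI or a database's administrative login."""

    def __init__(self, shipped_password="Q"):
        self._salt = os.urandom(16)
        self._hash = self._derive(shipped_password)
        # Track the state explicitly: an installer could ship any default, so the
        # gate cannot rely on the password merely looking weak.
        self.password_is_default = True
        self.config = {}

    def _derive(self, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, PBKDF2_ROUNDS)

    def _authenticate(self, password):
        return hmac.compare_digest(self._hash, self._derive(password))

    def change_password(self, current, new):
        """The only operation allowed while the default is still in place."""
        if not self._authenticate(current):
            raise PermissionError("current password incorrect")
        if new in KNOWN_DEFAULTS:
            raise ValueError("new password is a known default")
        if len(new) < MIN_LENGTH:
            raise ValueError(f"new password shorter than {MIN_LENGTH} characters")
        self._hash = self._derive(new)
        self.password_is_default = False

    def set_config(self, password, key, value):
        """A 'normal function': blocked outright until the default is gone."""
        if self.password_is_default:
            raise DefaultPasswordError("change the default admin password before configuring")
        if not self._authenticate(password):
            raise PermissionError("password incorrect")
        self.config[key] = value


def outcome(func, *args):
    """Run an operation and report 'ok' or the name of the exception it raised."""
    try:
        func(*args)
    except Exception as exc:
        return type(exc).__name__
    return "ok"


def scenario():
    """Walk a fresh install through the gate; returns the outcome of each step."""
    console = AdminConsole()
    return [
        outcome(console.set_config, "Q", "vip", "198.51.100.5"),      # DefaultPasswordError
        outcome(console.change_password, "Q", ""),                     # ValueError
        outcome(console.change_password, "wrong", "n0t-th3-default!"),  # PermissionError
        outcome(console.change_password, "Q", "n0t-th3-default!"),     # ok
        outcome(console.set_config, "n0t-th3-default!", "vip", "198.51.100.5"),  # ok
    ]


if __name__ == "__main__":
    for step in scenario():
        print(step)
```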
So ISS (not to be confused with MS-IIS) does a brilliant bit of textwank, and gets away looking like the proverbial cat with the famed yellow bird..
I don't know the details of the situation, I admit.
Now someone finally realizes that the sa account in MS-SQL 7.0 ships with no password.. so did 6.5 BackOffice Edition.
To complete the setup of the server, and create the storage space to STORE your data (read: You can't.. can NOT.. skip this step and expect it to work right, er, at all.) you have to login as 'sa' with no password.
So from the very start, the admin KNOWS that there is no password, because he's already logged in to finish configuration.
Is it *REALLY* Microsoft's fault, and should they *REALLY* call this a vulnerability, when the admin KNOWINGLY leaves a system account with a blank password exposed to the Internet in all its glory?
Let's take this little bit of humor into meatspace.. You open the biggest door to your house to get in, and leave it open. You settle in for a day, and then go out to party... but you leave the door open still. You are robbed blind and silly, and there's not even a broken window, because *you* left the door open.
Who is at fault? (Other than the robber)
1. The person who built your house
2. The bank, for owning your house
3. The company that made the lock
4. Your sorry ass for leaving the door open
I vote 4. Who's with me?
I think that this is just a classic omission on the part of the Microsoft (and Red Hat) software engineers. This is the reason why much of the software released as 1.0 is actually beta quality.
If I had my way, I'd add on a "gamma" software stage; the requirements of this stage being:
Full functionality,
Passed the 99 runtime test (ran the latest build at least 99 times without a single hitch)
Not quite tested on all systems (hence, the gamma)
"Ancillary does not mean you get to rule the world." --U.S. Circuit Judge Harry Edwards, speaking to the FCC's lawyer
A huge security hole and MS doesn't plan on doing anything... except charge you money for an upgrade that might fix it. We'll never see that one coming... .
~Bout Time for another tea party.®~
"There's limited quality assurance in the closed-source environment," says Harton, "because closed-source software is basically just a bunch of peoples' job."
It sucks, but I can see where this could happen. Same thing happened with the space shuttle launches. In the beginning they were a big deal. Now, they are anecdotes on the 11pm news. I think the same thing is happening with security. We're seeing the YAMV (Yet Another Microsoft Vulnerability). It happens so often that it just isn't interesting anymore. Unfortunately, this is the type of story that really demands attention and it simply isn't getting it.
--
Quantum Linux Laboratories - Accelerating Business with Linux
* Education
* Integration
* Support
*Condense fact from the vapor of nuance*
I think the difference here is that SQL Server is not installed in a default OS installation. Generally speaking, if you're installing SQL Server, you are intentionally doing so and "should" know what you're doing.
Didn't Red Hat install piranha by default? I know it certainly installs Apache by default.
If you need web hosting, you could do worse than here
As we all know, the media contradicts itself on a daily basis. They even go as far as to *gasp* LIE! What really surprises me is the lack of coverage about this latest Micro$oft security hole! You're absolutely right that Red Hat and the open source community as a whole came under frivolous attack over the piranha issue. The Microsoft SQL 7.0 default password problem is probably more dangerous and more widespread than piranha. For that we can thank the widespread use of Micro$oft's top of the line, high quality, efficient, bug free NT operating system. (sarcasm detected)
Let's look at how the media is contradicting themselves on this issue.
Remember the extreme media coverage during the Microsoft trials? Remember how it was in the top stories for weeks? Understand how it is the FEDERAL GOVERNMENT that is fighting Micro$oft? Why is the media giving them a free pass now, when we all know that the media is the little darling child of the FEDERAL GOVERNMENT? Does this make any sense?!?! NO!!
An analogy: today you're supposed to stop at red lights and go on green. Tomorrow is a different day... perhaps we will stop on green and go on red. See what I mean?
Conclusion: The media has simply stuck itself in another contradiction that the mass blithering idiotic public won't see or understand. I like the theory that somehow Micro$oft is being carried under the wings of the media to hide this major security flaw. But of course, that doesn't make sense because the media is on the Government's side attacking Micro$oft... one would think that they would be all over this like a pack of rabid dogs! Where's the sanity?
Perhaps we can assume that Micro$oft has the ability to buy media coverage, or buy the lack of it. Perhaps they paid the media to focus on piranha. Perhaps they paid the media to ignore SQL 7.0. Perhaps I'm not a micro$oft fan... actually, it's definite and I haven't been for a long time.
--cr@ckwhore
Skiers and Riders -- http://www.snowjournal.com
Any admin whose servers got owned this way is fired. Just go home, you're done.
Take it one step further: Any sysadmin whose servers got owned this way raise your hand. Quite a few. Whoever paid some third party to set up their server for you, raise your hand. Less but still a lot. Who's going to buy from that company again? No hands? You did go to college!
Now do the rest of us a favor and post the names of those third parties here on this thread. I need a new server for our office up the street, and my last vendor, Entex, are no longer in the running for our contracts.
-jpowers
Well it is true, no password.
But its only from the local system. And on any production server you should NEVER have shells given out. Simple as that, plus most admins that run mysql (unlike MS SQL) read the manual well.
Ever need an online dictionary?
Should we really be surprised by MS's lack of security?
you deserve to be fired.
As the poster says, during the installation of SQL Server you are _clearly_ given the chance to change the password (an item that is easily changed using the Enterprise Manager at any time).
This is not a security flaw. It constitutes an installation issue at best... (ie should the software force proper password safety on you to begin with)...
flame on if you want... for those who know SQL Server, this is nothing new. All you have to do is look at all the damn samples in MSDN where userid=sa and password is blank to see this is nothing new. This has been the case for as long as I remember...
sheesh... what the hell are you doing going live with a default root password anyways...
It was not 50 varieties of soft cheese, but more than 800. Now it's probably above 1000.
A significant percentage of people buy MS products because they trust them. They believe that MS has already done everything they can to provide the customer with the most perfect product (alot of) money can buy.
Therefore, if a MS product does something by default, a typical MS users feels its best left unchanged. After all, MS must know much more about computers than they do. That's why they're so successful, right?
MS even explains how the default blank password is a feature in that it facilitates 'Integrated Mode' i.e. letting NT manage access security. They say in their response to Bugtraq that it's only users who choose to run in 'Mixed Mode' (which they don't recommend) that are at risk from the blank password. See http://www.microsoft.com/technet/SQL/Technote/secure.asp for more.
Of course they also say that there is a forced change of the password in SQL Server 2000.
Also note that Oracle has something like four default usernames with default passwords, and that these are published in most books on Oracle. I think the real concern is that there is a known vulnerability in SQL Server that lets you gain control of the OS itself from within SQL Server, and I don't think MS's response to Bugtraq has addressed this, other than to say you should have a firewall (like this will protect you from users within your own organization).
Work for Change & GET PAID!
Have you read this?
in a story posted minutes after this story about IBM, and its plans to open source something as useful as Websphere.
Some of ISS's pages aren't opening right now (/. effect?) so I can't see if Mr. Rouland has shot himself in the other foot yet
Derwen
http://fsfeurope.org/
I'm all for hysterical handwringing about how the press just *loves* Microsoft, and how unfairly open source is being treated in the same media, but this is ridiculous.
Here's why this article is either very slanted (to the point of distortion, not just the usual bias we all know and love on /.), or very ignorant, or both:
1) SQL 7 does not listen on port 80.
2) The blank SA password has been the standard since MS acquired the software from Sybase for version 4.21, something like 8 years ago.
3) You know what -- Cisco equipment has a blank password by default! Oh no! Every single Cisco router and switch has a built-in vulnerability! Quick, call the press.
4) Anyone who is qualified to configure a SQL server knows this is just part of the install. Just like Cisco equipment.
The Piranha thing was somewhat worse because it wasn't intentional, it listens on port 80, and if I recall correctly it was installed implicitly, so people might not know it was on their system. I'd welcome corrections there if I'm wrong.
Even given that the two situations are analogous (which I still maintain that they are *not*), what about all the hysterical handwringing about how unfair the press coverage of Piranha was? Maybe the press learned. Sheesh. Is there some "if the press screwed something up one time, they are obligated to make the same mistake on other stories to maintain a level field for zealots to do battle on" standard that I wasn't briefed on?
-b
If I wanted a sig I would have filled in that stupid box.
When you buy a wooden door (Red Hat in this case) you expect it to keep people out. The really paranoid will set up deadbolts and chains to ensure this.
Of course, when you buy a screen door (M$ products), you only expect the mosquitoes and flies to be kept out.
As someone else posted, the only reason this was big news is because it is not seldom that you find a stupid Linux admin that will leave a default password, but we know there are plenty of NT 'admins' that can barely follow directions.
As for ISS... I guess they're trying really hard to join the ranks of jp and his team of monkeys...
Oracle has also shipped with default passwords for a while now (as long as I've been involved with it anyway.)
A lot of the systems that I've come across still have system/manager and sys/change_on_install as their configurations...
It's a matter of whether it's a slow news day and of whether somebody issues a press release. ISS issued a press release about the Piranha thing, and probably had PR people calling up reporters. This is much more effective in getting press attention than posting something to NTBUGTRAQ, because most reporters aren't reading NTBUGTRAQ, and don't understand what they're reading if they are.
The story had "legs" because it could be used to "attack the myth of open source invulnerability" (it means zero to a reporter whether anybody actually believes a "myth"). This undoubtedly helped to get some of the mags to pick it up. Once a few pick it up, a feeding frenzy always ensues.
The bad actor here, if there is one, is ISS, which is a company that seems to be mostly in business to call attention to itself by picking random vulnerabilities, often widely known to others, and screaming about them. As far as I can tell, ISS is largely a firm of media whores. Not that that doesn't describe much of the rest of the security industry just as well.
The problem on the press side is lazy, ignorant, sloppy reporters eager to grab some bogus issue and make a big deal out of it, not malevolent ones eager to kiss Microsoft's ass.
You are right there, though the media did not take that into account when they plastered Red Hat. Now you have Red Hat as being amongst the few companies out there providing an installer that addresses the problem. Although MS was targeted in this article, I reckon this should be something that *all* DB producers should watch out for. Maybe there should be a checklist of common security issues that DB administrators should address before making the database available to the network.
Jumpstart the tartan drive.
Hey, I said at the time of the Red Hat thing that I thought it was overblown.
I also agree that software installs SHOULD ask for an admin password. In the case of SQL server, doing so is not that big of a deal. The install should say
1: What do you want for the sa password.
2: Pick an NT account/group for admin rights. AND make them pick at least one.
That way, SOMEONE is an admin and can change the sa password
---
DO NOT DISTURB THE SE
They did? Do you know what album it was on?
They did a great cover of I Can't Forget on I'm Your Fan (tribute album).
Also, Don Henley did a pretty decent cover of Everybody Knows on Tower of Song (another tribute album).
Still, my favourite is Tori Amos covering Famous Blue Raincoat.
Anyway, do you know where I might find that Pixies cover of EK?
--
As a consultant, I am at 2-5 sites per year. I have seen firsthand multiple production systems, and production systems connected to the internet still utilizing the default null sa password. This is widespread.
Typically, the current admins are aghast at it, and it's been "that way since I got here". Changes are then not made as it affects too many processes. (code: too much work to do it right)
There's lots of excuses for it, none hold water, yet it remains. cracker paradise.
Well, it automatically turns any other local exploits into effectively remote exploits. So an exploit in some dumb little suid game on your system, which would normally only let local users get root, suddenly mushrooms into an exploit that gives anyone root.
An attacker need only get in as user nobody, install a real backdoor, and wait. Eventually a local exploit will be found, and they can finish cracking the system.
--
see shy jo
Really this strong coverage of redhat and weak coverage of Microsoft is just further illustration of how shoddy Microsoft's products are.
---
This sig has been temporarily disconnected or is no longer in service
It may not necessarily be that a) the media are incompetent or b) in the thrall of Microsoft. When a journalist gets a story like this, s/he is going to call Microsoft for comment. Msft spends gazillions on PR personnel, so you can bet the journalist is going to be inundated with their side of the story, which a horde of in-house personnel will have carefully crafted. Linux/Red Hat doesn't have such a PR machine poised to suppress such fires.
On January 16th MSNBC reported a similar issue related to the MSSQL server's "sa" account, and default/blank/poor passwords being used on several e-commerce sites..
http://www.msnbc.com/news/357305.asp
Slashdot also linked it:
http://slashdot.org/articles/00/01/16/138234.shtml
uberman, thinking there's a need for widespread auditing of so-called ecommerce consultant's work