Default Behavior: Piranha vs. Microsoft SQL Server
Because unlike Red Hat, Microsoft is getting a pass by the media.
Piranha is web clustering/failover software that was released in April by Red Hat without much QA. It somehow went out the door with a default password ("Q") and without docs explaining in big bold caps that it must be changed. If you installed the Piranha RPM without reading the docs carefully, you had a security hole on your site.
The hole allowed an attacker to come in over port 80 and execute arbitrary commands as the user Piranha's web interface ran as, which would have been the web server's own user. Typically that's the nonprivileged "nobody" account. That is never good, but let's just note for the record that the attacker gets only what "nobody" can read and write, which on a sanely configured web server is next to nothing: in practice a read-only foothold, unless the webserver is very poorly configured.
The media flipped, in a word, out.
Piranha: A Case Study

On April 25, Computerworld announced that the "backdoor password ... could allow an attacker to compromise a Web server and deface and destroy a Web site." Informationweek and Internetweek both warned about "a back-door security flaw that carries ISS's highest danger rating." MSNBC/ZDNET ran the story as "Red Hat Linux open to backdoor password" and explained "there's a backdoor account in Red Hat's Linux that would let a computer intruder access and alter files." The Standard's early report on April 25 wasn't too bad but attacked -- as all reports did to some degree -- the strawman myth that open source is inherently secure. At least it didn't use the word "backdoor." Newsbytes was pretty much the same.
"Backdoor" implies that the flaw was deliberately inserted, by a thoughtless or even malicious programmer. Why did most stories incorrectly use that word? Mostly because that was how it was described in the press release. A security firm called Internet Security Systems found the flaw on April 24 and sent out a security advisory that used the term four times by the end of the first paragraph.
ISS also made some interesting statements when speaking to the press about the vulnerability. Oft-quoted was a line about open-source being both a blessing and a curse (the media loves "on the one hand, on the other hand"). I also liked this comment from their research director:
"There's limited quality assurance in the open-source environment," says Rouland, "because open-source software is basically a bunch of peoples' hobby."
Of the early stories about Piranha, the best one I found was Henry Kingman's ZDNet piece on April 24 (both early and accurate: amazing). CNET's on April 25 wasn't bad either, though they let ISS lay down the anti-open-source and pro-Microsoft propaganda a little thick.
In the days to come, the story didn't change much except to note that Red Hat -- correctly, as it turned out -- denied the seriousness of the vulnerability and tried to explain that it wasn't really a backdoor. Inter@ctive Week's Charles Babcock did such a piece on May 1.
Computer Reseller News still called it a backdoor on April 27. And NetworkWorldFusion's report and Informationweek's followup both came out on May 1, both got the important facts right, but both still called it a backdoor.
ClieNT Server News ran an article in their May issue explaining "Red Hat Red-Faced." I'm not about to pay to read the whole thing. The free synopsis that's available smirks at how "embarrassed" the company must be, and ends: "It seems that Red Hat left a back door in," dot, dot, dot.
The Standard had a second, fair piece that eschewed the term and even, after quoting the line about open-source being a "hobby," gently suggested otherwise.
But the gold stars go to just two good reports. SecurityFocus' Elias Levy, on May 1, turned the spotlight on ISS by pointing out how they "...can make headlines by using the right jargon, even when it's wrong." And Linux World News' Liz Coolbaugh, who had weighed in a few days earlier, questioning the media's coverage in her story "Red Hat Security Hole Not a 'Backdoor'."
If you find any more stories about Piranha, post them below. The Red Hat-bashing pretty much came to a halt a week later, when a little Microsoft-specific email virus named "ILOVEYOU" did a few billion dollars' worth of damage.
(Breaking news: all charges dropped; to quote 10,000 Maniacs, "who ya wanna blame?")
Microsoft SQL Server 7.0

You've heard about the SQL Server vulnerability, right? The one found on Tuesday, six days ago?
Well, no, you probably haven't, unless you read NTBugtraq. Even the maintainer of SecurityPortal's Microsoft Security Digest missed it this week (don't worry: I dropped him a note, he added it).
As the cracker Herbless describes it:
"It has come to light that it is now common knowledge that MS-SQL has a blank 'sa' password by default. This seems to affect a _lot_ of servers on the internet."
A default password vulnerability? Sounds familiar, doesn't it?
Here's Herbless's description and exploit code, posted to BugTraq last Tuesday. And here's Microsoft's acknowledgement, posted on Thursday.
Herbless wasn't kidding when he said it affected a lot of servers. If you're running SQL Server 7.0, with a firewall that doesn't block its port, and you haven't changed the sysadmin password, you're vulnerable.
As he described it to me, unlike Piranha's vulnerability which gave read-only access as an unprivileged user, this one typically gives access as "BUILTIN\System." I don't speak NT, so he had to describe to me what this is: "god-like powers ... greater that those of even the 'Administrator' user."
In other words, you have been 0wn3d.
You may be thinking that this is a vulnerability. Go back and read Microsoft's acknowledgement again. They say quite clearly, "The code does not exploit a vulnerability."
Does it confuse you that what was previously a "backdoor" is now not even a "vulnerability"? That threw me for a loop too -- as did some of Microsoft's other disclaimers, which only make sense once you realize you're reading non-sequiturs about the newer SQL Server 2000 when the report concerned SQL Server 7.0.
All will become clear, though, once you read this story from vnunet.com -- the only media story I've seen, by the way. The fault lies with the website administrators:
"Hacked websites 'didn't read the manual'
"Microsoft has blamed administrator error, rather than a bug in its software, for leaving hundreds of websites running SQL server open to attack this week."
Did they say hundreds? Yes, hundreds, at the very least. And did they say "hacked websites"? Yes -- this is not a theoretical vulnerability with no known attacks, like Piranha was.
All this month, Herbless has been cracking into websites like the National Transportation Safety Board and leaving edgy political messages (while backing up the original files and telling the admins how to close the holes). He confirmed to me that all his attacks, including the Fish and Wildlife Service, the UK's Adult Learning Inspectorate, and the Commonwealth Telecommunications Organisation, were done by exploiting Microsoft SQL Server.
Just to make the story that much better, according to Herbless, the default configuration of SQL Server 7.0 also has logging turned off -- in which case a successful attack would leave few if any tracks.
Sites are lucky if their webpages are hijacked; that way they know to fix the problem, format and reinstall. But some of those "hundreds" of websites running the vulnerable installation have surely been cracked by black hats who quietly installed Back Orifice or a similar remote-control program. Setting an sa password now won't help them: an attacker who already has a foothold on the box keeps it, and they'll still be 0wn3d.
The proper fix would be to force the password to be changed before the software can be used, as Piranha now does. Wayne Sowery of MIS Corporate Defence Solutions confirmed for me that "versions up to SQL Server 2000 do not ask for the SA password during installation ... we also tried various install options such as 'typical' and 'custom,' neither prompted for a new SA password." Incidentally, he too questions whether this is properly described as a "vulnerability," but I'm not sure what else it could be called.
The lesson here is that the media doesn't treat security reports very fairly. Some organizations have their own selfish reasons to push one agenda or another. (Like Slashdot? You bet. But you know where we stand.)
The motive doesn't have to be that devious, though sometimes, of course, it is. If a reporter gets to write a story that questions a core belief of Linux zealots -- whether or not it's actually a core belief, and whether or not they're actually zealots -- that will be much more attractive than simply reporting security news. The nitty-gritty of security news, after all, is rather dry.
So next time you see a biased polemic about system security, or even a small media feeding frenzy about the latest exploit, take a moment to ask why it's being reported outside of the admins' mailing lists. Open source software is still a new idea to many in the traditional news media, and that means that it's a hook for them to hang any kind of story on -- good or bad.
Oh well, at least we still have the chimpanzees we trained to do Visual Basic programming...
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
I guess I shouldn't be surprised that the majority of posters here don't get that this article was about MEDIA BIAS. This article is not about the relative merits of MS software versus GNU/Linux software (the writer does bring that in, but only as a minor dig).
Let me sum up for you who apparently can write but not read (well, maybe someone else can read this to you)...
Redhat software package ships with default password; media goes crazy over this so-called "back door" into the operating system.
Microsoft ships their SQL server with no password for the "sa" user and no prompt to change it, allowing complete system compromise under common circumstances; media is strangely quiet about this.
In other words, very similar problems, but MS doesn't get attacked by the media.
THAT is what the friggin' article is about!
The point of the article is that for RedHat, this was called "a major backdoor" and for MS, a "feature".
But here is a news flash for people. Oracle has *two* default u/p combos: sys/manager and system/change_on_install (cute, eh?). Both have administrator privs. Oracle 8i introduces the relatively poorly documented outln/outln login, though with far fewer privileges. Other Oracle add-on packages (Intermedia, iFS, whatnot) often add other default username/password combos with varying degrees of power.
Of course, people with a clue firewall the damn things, and only allow incoming connections to their web server, or even use a private network segment for them. This is why, IMO, the RedHat problem is bigger... Even though it is usually read-only, as a web server issue, it will *always* be vulnerable to the outside. DB servers rarely are, unless the admin is enough of a cluefuck to not change the default PW. er...
Why the hell did this get modded up so high?
... so please stop spreading the FUD.
... you have to understand SQL a bit
Basically, if someone is passing variables into a page (say index.asp?variable=5) then you can piggyback your own query after that (say index.asp?variable=5%20DELETE%20FROM%20sysobjects ). Or something.
This is a programmer problem, not a problem with SQL Server. In *many* cases, I use multiple SQL commands in one call through ODBC, for speed. I'm not positive, but I think this is kosher with the ANSI-SQL spec.
The problem occurs when you don't check the data you are sending to your SQL server through ODBC. For instance, if you let people pass in $value, thinking it's going to be a constraint for a WHERE clause, they could just as easily change that value and add something more sinister.
You think: "Hmmm, $value will be a number! I'll write, 'SELECT * FROM MyTable WHERE thenumber = $value'."
Meanwhile, Mr. Blackhat sends 'value=5; USE master; DELETE FROM sysobjects'.
Again, this is not specific to Microsoft or SQL Server
Of course
Indeed...
-thomas
"And like that
the default password is:
.seineew era sreenigne taH deR
------------
a funny comment: 1 karma
an insightful comment: 1 karma
a good old-fashioned flame: priceless
this sig limit is too small to put anything good h
I don't know what all you guys are complaining about. I always set my sa password to 'sa' right after I install my database. How hard is it to follow good security practices?
This is a manual virus. Copy it to your sig and help me spread!
This is how I got domain admin rights on the houston domain at microsoft. (that's where all the MSN servers reside) I love the blank password. Why'd they have to go and tell the DBA's about it ;(
This isn't new, it's been around for ages. It was there in the first MS SQL Server version 4.21a.
It's ancient and it's beautiful.
Like all NT services, SQL can be run under a domain admin account. It frequently is. SQL also has a command called 'xp_cmdshell' that allows you to shell commands to the OS.
Executing an xp_cmdshell 'net group "domain admins" username /ADD /DOMAIN' will make you a domain admin.
I love this.
--Shoeboy
'Rooting' an SQL db does not give you as much control over a machine as rooting the whole OS does
RTFM
xp_cmdshell
xp_regaddmultistring
xp_regdeletekey
xp_regdeletevalue
xp_regenumvalues
xp_regread
xp_regremovemultistring
xp_regwrite
--Shoeboy
Most of the sites that were in this sorry state were systems put together by MCSE consultants.
Now, I don't have hard evidence to back this up, but I think you'd be pretty unlikely to get that kind of sorry ass configuration from IBM, Oracle or Sun certified consultants using Unix systems. (Linux is another story, but they're not even nearly in the same league as Microsoft when it comes to professional services and turnkey solutions.)
The meatspace metaphor is more like hiring a certified contractor from the world's biggest burglar alarm company to install a home security system, and he leaves the default disable code in the system or installs the master override switch on the outside of your house. The alarm company may not be directly at fault, but there is a strong case for negligence/fraud regarding the "certification" program that is really just a marketing tool.
You can't blame the poor admin. Show me where, in the MCSE training manuals, it tells you that having a null password is a bad thing.
There's no such thing as Scotchtoberfest!
Let's take this little bit of humor into meatspace.. You open the biggest door to your house to get in, and leave it open. You settle in for a day, and then go out to party... but you leave the door open still. You are robbed blind and silly, and there's not even a broken window, because *you* left the door open.
Nope, more like you have a lock installed on your door made by a manufacturer who ships all locks keyed to the same key, and expects you to re-key the lock when you install it. You do lock the door behind you (but haven't rekeyed the lock) and somebody else using his copy of the key breaks into your house.
This puts 3, the company that made the lock, at least partly in the wrong, although it's probably still your fault for choosing that lock company in the first place.
-- Alastair
When you setup the software, it creates the sa account and asks you to set a password. It is blank by default. If you don't set one, you are an idiot.
But it doesn't matter if the default is blank or 30 characters long, if it's a default you should change it. This is true with any piece of software, MS or otherwise. And of course OSS is going to get bashed, since you have so many zealots SCREAMING about how secure OSS is, and how crappy MS is.
EHA
Viva Anales!
When RedHat has a vulnerability, it's news because such things are pretty rare. When Microsoft has a vulnerability, it's not news because it happens so damn often. To widely publicize it is like putting "Sun To Rise" as the morning headline...
Ita erat quando hic adveni.
During the Piranha furor anyone who wrote any kind of negative story was told "not a backdoor, this is not really news, read the manual, etc". Maybe the explanation is not "they hate Linux and are out to get us" or "they are obviously in the pocket of MS" but instead "now they understand that a default password, while bad, is not really newsworthy". The REAL test of that hypothesis will be the NEXT Linux default password issue. If it gets reported, then we know MS problems are being ignored while Linux problems are not.
--
Linux MAPI Server!
http://www.openone.com/software/MailOne/
(Exchange Migration HOWTO coming soon)
Oracle has two equally critical accounts, SYSTEM and SYS, with well-known default passwords of "manager" and "change_on_install". Fail to change those, and your Oracle db is just as open as a blank-password sa account on m$ sqlserver.
...
MySQL (I'm rusty here: correct me if I'm wrong) also defaults the root user to no password, like the m$ sa user.
Not defending m$: Just pointing out that this is fairly common practice, and that there is indeed some responsibility to "know what you're doing" when opening a database up to the world
"does anyone other than me find it a little wrong that the default password was actually published instead of a description of the vulnerability without the password?" As a subscriber of the SecurityFocus lists I have noticed that the media often doesn't even get a drift of a problem such as this until it has been thoroughly discussed, solved and broadcast to the thousands of other list subscribers. Like it or not few of these subscribers are our ever beloved crackers. Simply put, the media is just publishing already common (in the security world anyway) knowledge.
The fact that there might be someone out there clueless enough to omit this essential step is a far greater security concern than the fact that MS didn't include the changing of the sa password in the install wizard. Bottom line is, if you expect to be secure, you have to have people who know what they are doing. Someone has to read between the lines of all the GUI's and wizards and actually know what is going on.
No, Thursday's out. How about never - is never good for you?
There's also another nasty "non-vulnerability" being reported on BugTraq related to IIS and the built-in web server in Windows 2000.
An undocumented HTTP request header of "Translate: f" will cause the web server to return the source code of an ASP page! And often, this source code contains juicy tidbits like SQL server passwords, not to mention the business logic behind the web site.
Upgrading to W2K SP1 is enough to fix this bug, but with Microsoft's history of NT4 service packs, it's understandable that nobody is in a hurry to upgrade.
#naabhaprzrag, #sverubfr-000, #agi-fcbafberq, negvpyr[pynff*=' negvpyr-ary-'] { qvfcynl: abar !vzcbegnag; }
As the folks at 2600 will tell you, companies like MS won't fix dangerous security holes like this unless there's a scare. IT folks see the security vulnerability story and say "whatever, it'll be in the next service pack." If they see the password is public knowledge, though, they call M$ and throw a nutty. My guess is Redmond's working on it and won't admit there's a problem until they can say "...and here's the solution." Makes them look good, you know?
-jpowers
Unfortunately, MS went and made the installation more user-friendly when they put together Small Business Server, of which SQL Server is a part. So they dropped, amongst other things, the need to set sa password. Luckily, I'd read up in advance of getting the system. Doh!
-MT.
You seem to be missing the point.
If you omit the section 'Piranha: A Case Study' above, you could be right.
This is not about whether an having a default password is leaving open a backdoor, but about the media treatment of Linux and NT.
Linux (well, a linux service) has a theoretical problem, only allowing read-only access, and no reports of it ever actually being exploited: Linux is "basically a bunch of peoples' hobby."
Windows (you know the drill) has a real problem, allowing root equivalent access, it *IS* actually being exploited: Eerie silence.
Why?
Is this a media conspiracy against Linux?
Probably not. Probably just lazy journalism.
The minute that MS heard about piranha, they will have gone into spin frenzy, putting words into journalists' mouths, and basically writing the reports for them. We can't stop this happening - we just have to do it ourselves.
Linux just needs better PR.
Why have you forsaken us, ESR?
cheers,
G
So why haven't I read about it? Because I get all my news from slashdot, and this is the first they posted it :-)
:-)
Seriously, this exploit has been known for many weeks now. Probes for MS-SQL ports have equalled all other probes on our honeypots. When we did put up an MS-SQL server and recorded the responses, it seems there are already several kits out there looking for a blank sa password. Silly us, we set the sa password to sa, and nobody guessed
You are right about the press giving micr~1.oft a free ride. But wait until a this exploit gets some better kits. 'Rooting' an SQL db does not give you as much control over a machine as rooting the whole OS does, and the general lack of SQL knowledge out there will limit what script kiddies can do. But given the widespread use of M$SQL server for web engines, there should be some spectacular hacks in the coming months.
Other large commercial DBs require you to set the sa password as part of the installation process.
the AC
Hemos is like...sci-fi fans;he thinks technology is cool, but he hasn't bothered to understand the science it's based on
Micro$oft considers it a feature that you can piggyback queries passed through an ODBC connection. What does this mean? This means that websites using ODBC connections to run queries (translation: dynamic pages) are extremely vulnerable to "tinkering" with. Basically, if someone is passing variables into a page (say index.asp?variable=5) then you can piggyback your own query after that (say index.asp?variable=5%20DELETE%20FROM%20sysobjects ). Or something. Of course you have to have permissions, and you have to understand SQL a bit -- but hey. 'tis a bit scary. See the link to phrack, the relevant info is down towards the bottom. Again, this is old -- as in from SQL Server 6.5 days.
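An added example (not code from the page or from any poster) of the piggybacking described in the comment above and in the earlier reply that builds 'SELECT * FROM MyTable WHERE thenumber = $value' by string concatenation. It uses Python's bundled sqlite3 in place of SQL Server over ODBC, so the table, rows and function names are constructed for illustration; executescript() stands in for SQL Server's acceptance of a ';'-separated batch, since sqlite3's plain execute() refuses more than one statement per call. The safe variant does what the reply recommends: check the type of the value and hand it to the driver as a parameter rather than as statement text.

```python
import sqlite3


def make_db():
    """Constructed sample data (not from the page): one public and one private row."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE MyTable (thenumber INTEGER, secret TEXT);"
        "INSERT INTO MyTable VALUES (5, 'public row'), (42, 'private row');"
    )
    return conn


def select_vulnerable(conn, value):
    """The reply's 'SELECT * FROM MyTable WHERE thenumber = $value', built by concatenation.

    'value' comes straight from the request (index.asp?variable=...), so a value
    of '5 OR 1=1' widens the WHERE clause to every row in the table.
    """
    sql = "SELECT thenumber, secret FROM MyTable WHERE thenumber = " + value
    return conn.execute(sql).fetchall()


def update_vulnerable(conn, value):
    """Batch-style call: executescript() runs every statement in the string, the way
    SQL Server runs a batch, so '5; DELETE FROM MyTable' executes the DELETE as well."""
    conn.executescript(
        "UPDATE MyTable SET secret = secret WHERE thenumber = " + value
    )


def select_safe(conn, value):
    """Hardened version: validate the type, then bind the value as a parameter.

    int() rejects anything that is not a number, and the '?' placeholder means the
    driver never sees the value as SQL text, so there is nothing to piggyback on.
    """
    n = int(value)  # raises ValueError for '5 OR 1=1' or '5; DELETE FROM MyTable'
    return conn.execute(
        "SELECT thenumber, secret FROM MyTable WHERE thenumber = ?", (n,)
    ).fetchall()


def row_count(conn):
    return conn.execute("SELECT COUNT(*) FROM MyTable").fetchone()[0]


if __name__ == "__main__":
    db = make_db()
    print(select_vulnerable(db, "5"))          # [(5, 'public row')]
    print(select_vulnerable(db, "5 OR 1=1"))   # both rows: the private one leaks
    print(select_safe(db, "5"))                # [(5, 'public row')]
    try:
        select_safe(db, "5 OR 1=1")
    except ValueError as exc:
        print("rejected:", exc)
    update_vulnerable(db, "5; DELETE FROM MyTable")
    print(row_count(db))                       # 0: the piggybacked DELETE ran
```

The int() check is only a convenience for numeric columns; for string columns it is the parameter binding alone that closes the hole, and the same principle applies on the ASP/ODBC stack the comment is about: the value has to travel to the server separately from the statement text, never pasted into it.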
So ISS (not to be confused with MS-IIS) does a brilliant bit of textwank, and gets away looking like the proverbial cat with the famed yellow bird..
I don't know the details of the situation, I admit.
Now someone finally realizes that the sa account in MS-SQL 7.0 ships with no password.. so did 6.5 BackOffice Edition.
To complete the setup of the server, and create the storage space to STORE your data (read: You can't.. can NOT.. skip this step and expect it to work right, er, at all.) you have to log in as 'sa' with no password.
So from the very start, the admin KNOWS that there is no password, because he's already logged in to finish configuration.
Is it *REALLY* Microsoft's fault, and should they *REALLY* call this a vulnerability, when the admin KNOWINGLY leaves a system account with a blank password exposed to the Internet in all its glory?
Let's take this little bit of humor into meatspace.. You open the biggest door to your house to get in, and leave it open. You settle in for a day, and then go out to party... but you leave the door open still. You are robbed blind and silly, and there's not even a broken window, because *you* left the door open.
Who is at fault? (Other than the robber)
1. The person who built your house
2. The bank, for owning your house
3. The company that made the lock
4. Your sorry ass for leaving the door open
I vote 4. Who's with me?
I think that this is just a classic omission on the part of the Microsoft (and Red Hat) software engineers. This is the reason why much of the software released as 1.0 is actually beta quality.
If I had my way, I'd add on a "gamma" software stage; the requirements of this stage being:
Full functionality,
Passed the 99 runtime test (ran the latest build at least 99 times without a single hitch)
Not quite tested on all systems (hence, the gamma)
"Ancillary does not mean you get to rule the world." --U.S. Circuit Judge Harry Edwards, speaking to the FCC's lawyer
"There's limited quality assurance in the closed-source environment," says Harton, "because closed-source software is basically just a bunch of peoples' job."
in a story posted minutes after this story about IBM, and its plans to open source something as useful as Websphere.
Some of ISS's pages aren't opening right now (/. effect?) so I can't see if Mr. Rouland has shot himself in the other foot yet
Derwen
http://fsfeurope.org/
I'm all for hysterical handwringing about how the press just *loves* Microsoft's, and how unfairly open source is being treated in the same media, but this is ridiculous.
Here's why this article is either very slanted (to the point of distortion, not just the usual bias we all know and love on /.), or very ignorant, or both:
1) SQL 7 does not listen on port 80.
2) The blank SA password has been the standard since MS acquired the software from Sybase for version 4.21, something like 8 years ago.
3) You know what -- cisco equipment has a blank password by default! Oh no! Every single Cisco router and switch has a built in vulnerability! Quick, call the press.
4) Anyone who is qualified to configure a SQL server knows this is just part of the install. Just like Cisco equipment.
The Piranha thing was somewhat worse because it wasn't intentional, it listens on port 80, and if I recall correctly it was installed implicitly, so people might not know it was on their system. I'd welcome corrections there if I'm wrong.
Even given that the two situations are analogous (which I still maintain that they are *not*), what about all the hysterical handwringing about how unfair the press coverage of Piranha was? Maybe the press learned. Sheesh. Is there some "if the press screwed something up one time, they are obligated to make the same mistake in other stories to maintain a level field for zealots to do battle on" standard that I wasn't briefed on?
-b
If I wanted a sig I would have filled in that stupid box.
As a consultant, I am at 2-5 sites per year. I have seen firsthand multiple production systems, and production systems connected to the internet still utilizing the default null sa password. This is widespread.
Typically, the current admins are aghast at it, and it's "that way since I got here". Changes are then not made as it affects too many processes. (code: too much work to do it right)
There's lots of excuses for it, none hold water, yet it remains. cracker paradise.
Well, it automatically turns any other local exploits into effectively remote exploits. So an exploit in some dumb little suid game on your system, which would normally only let local users get root, suddenly mushrooms into an exploit that gives anyone root.
An attacker need only get in as user nobody, install a real backdoor, and wait. Eventually a local exploit will be found, and they can finish cracking the system.
--
see shy jo