OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
Subject: Tumbleweed Worldsecure (MMS) BLANK 'sa' account password vulnerability
From: NT HATER (__nt__ANONYMOUS.TO)
Date: Thu Aug 10 2000 - 11:36:36 CDT


('binary' encoding is not supported, stored as-is) I've recently discovered the following vulnerability:
Product: Tumbleweed Messaging Management System (MMS) (Formerly Worldtalk
Worldsecure) http://www.tumbleweed.com/solutions/products/mms_products
Version: 4.3 - 4.5 (all builds)
Description: Product uses Microsoft's MSDE (Database engine) which is a stripped
down version of the Microsoft SQL server 7.0. During the setup stage, I was
never asked for the 'sa' account password, which led me to think that
application is either generating a random password every time it installs or the
password is the same for all installations. Well, after thurther research I
discovered that the password is left BLANK !!! This is a huge remotely
exploitable vulnerability. After I remotely connected to the database (with
'sa' account and NO PASSWORD) I was able to delete the databases (denial of
service, product becomes unusable) and modify the data (customer certificates,
configuration of the product, logs, etc.).

Tumbeweed refuses to acknowledge this vulnerability, which caused major outrage
among my customers. Therefore, I have no choice but to go public about this
vulnerability.

Please feel free to contact me with ANY questions regarding this issue, although
I would like to remain anonymous.

Thank you very much.

------------------------------------------------------------
Hey you! Claim your FREE anonymous email account:
Click Here -> http://www.anonymous.to