Subject: Re: MS-SQL 'sa' user exploit code
From: Jon Keeter (jonkeeterYAHOO.COM)
Date: Sun Aug 20 2000 - 10:54:52 CDT


Not defending Microsoft, but a lot of Oracle
databases I see also still have the default
SYSTEM and SYS passwords, namely 'manager', and
'change_on_install'.

Also, Oracle password files are rarely used,
usually because they aren't set up on the initial
install, and if OS Authentication is used,
compromise of the user 'oracle' account or 'dba'
group leads to the ability to use the svrmgrl
command to connect to the database with the
"connect internal" command and no password.

In addition, a lot of batch programs, especially
commercial job scheduling systems that run PL/SQL
packages or just connect to Oracle, use sqlplus
and the username/password connect string on the
command line, easily viewable by anybody with an
account on the machine while the process is
running.

--- Neil Pike <NeilPikeCOMPUSERVE.COM> wrote:
> This is "fixed" in SQL 2000, where the default
> is NT integrated security
> and you have to manually override this and
> confirm you want a "standard"
> login, and confirm again if you want it to have
> a blank password...
>
> But anyone who leaves the default in SQL 7 or
> below deserves all they get!
>
> > It has come to light that it is now common knowledge that MS-SQL has a blank
> > 'sa' password by default. This seems to affect a _lot_ of servers on the
> > internet.
>
> Neil Pike MVP/MCSE
> Protech Computing Ltd
>
>

=====
-
Jon Keeter
Sr. UNIX Consultant
Lighthouse Computer Services, Inc
888-542-8030 x123
PGP ID: 0x0D3723CD
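The third paragraph of the post above (username/password passed to sqlplus on the command line, readable by anyone who can list processes) describes an exposure that is easy to audit from the process table. The following Python is an added example, not part of the original post or of any Oracle tooling: it scans constructed `ps -eo pid,user,args` output for Oracle client invocations that carry a `user/password@connect_identifier` in argv, reports them with the password masked, and builds the equivalent invocation that starts `sqlplus /nolog` and feeds the CONNECT command on stdin instead. The process lines, OS users, database users and connect identifiers are all constructed sample values.

```python
import os
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample of `ps -eo pid,user,args` output; none of these are real captures.
SAMPLE_PS = """\
  PID USER     COMMAND
 1201 oracle   ora_pmon_ORCL
 2310 batch    sqlplus -S scott/tiger@ORCL @nightly_report.sql
 2311 batch    sqlplus -S /nolog
 2412 batch    exp userid=appuser/s3cret@ORCL file=app.dmp
 2501 oracle   sqlplus / as sysdba
 2602 jon      grep sqlplus
"""

# Oracle client tools that accept a connect string as an argument.
ORACLE_TOOLS = {"sqlplus", "exp", "imp", "expdp", "impdp", "rman"}

# user/password[@connect_identifier]. The lookbehind rejects "/nolog" and
# "/ as sysdba" (no username before the slash), which carry no password.
CRED_RE = re.compile(r"(?<![\w/])([A-Za-z][\w$#]*)/([^\s@]+)(@\S+)?")


@dataclass
class Finding:
    pid: int
    os_user: str
    tool: str
    db_user: str
    connect_id: str
    redacted_args: str   # original argv with the password masked, safe to log


def find_cmdline_credentials(ps_output: str) -> List[Finding]:
    """Return one Finding per process whose argv exposes an Oracle password."""
    findings = []
    for line in ps_output.splitlines()[1:]:       # skip the header row
        parts = line.split(None, 2)
        if len(parts) < 3:
            continue
        pid, os_user, args = parts
        tool = os.path.basename(args.split()[0])
        if tool not in ORACLE_TOOLS:
            continue
        m = CRED_RE.search(args)
        if not m:
            continue
        # Mask only the password capture group so the rest stays useful for triage.
        redacted = args[:m.start(2)] + "****" + args[m.end(2):]
        findings.append(Finding(
            pid=int(pid), os_user=os_user, tool=tool,
            db_user=m.group(1),
            connect_id=(m.group(3) or "@")[1:],   # strip the leading "@"
            redacted_args=redacted,
        ))
    return findings


def stdin_connect_plan(db_user: str, password: str, connect_id: str,
                       script: str = "") -> Tuple[List[str], str]:
    """Build an argv/stdin pair that keeps the password out of the process table.

    sqlplus is started with /nolog (no credentials in argv) and the CONNECT
    command is fed on stdin, which other users cannot read via ps.
    """
    argv = ["sqlplus", "-S", "/nolog"]
    stdin = (f"CONNECT {db_user}/\"{password}\"@{connect_id}\n"
             + (script + "\n" if script else "")
             + "EXIT\n")
    return argv, stdin


if __name__ == "__main__":
    for f in find_cmdline_credentials(SAMPLE_PS):
        print(f"pid {f.pid} ({f.os_user}): {f.tool} connects as {f.db_user}@{f.connect_id}")
        print(f"    {f.redacted_args}")
    argv, stdin = stdin_connect_plan("scott", "tiger", "ORCL", "@nightly_report.sql")
    print("safer:", " ".join(argv), "<<EOF\n" + stdin + "EOF")
```

Run against real `ps -eo pid,user,args` output the function flags the two batch jobs and ignores `/nolog`, the OS-authenticated `/ as sysdba` session and the unrelated grep. Moving the password to stdin only removes the process-table exposure; the script that supplies it still has to read the password from a file with restrictive permissions, and the longer-term fix is to avoid storing a password at all, via OS authentication for local jobs or an Oracle external password store (wallet) for remote ones.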
