 Article: Worm squirming through SQL servers


AskSQLTeam
Ask SQLTeam Question

0 Posts

Posted - 2002-05-21 : 16:21:22
A new worm that targets Microsoft SQL servers has begun squirming through the Internet, experts said Tuesday. Called DoubleTap by vulnerability analysis firm SecurityFocus, the worm has already managed to infect 1,600 servers, said Elias Levy, chief technology officer for the San Mateo, Calif., company. Even though SecurityFocus is currently tracking almost 100 infections per hour, the worm's only way to infect a system is if the Microsoft SQL server's system administrator password is left blank, the default. If for some reason you have a blank sa password on a public SQL Server, please change it. Thanks for the link, Justin.

Article Link.
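The check-and-change the post asks for, as an added example that is not from the article or from anyone in this thread: it audits every SQL login for a blank password rather than only sa, and the replacement password is a placeholder you substitute. It assumes the SQL Server 2000 syslogins view and PWDCOMPARE behave as commented.

```sql
-- Added example, not part of the original post: list SQL logins that have a
-- blank password, then set one on sa. PWDCOMPARE(clear_text, stored_hash)
-- returns 1 when the clear text matches the stored hash.

-- SQL Server 2000 (the version the worm hits). In the syslogins view a blank
-- password is stored as NULL, so both forms are tested; isntname = 0 excludes
-- Windows logins, which never carry a SQL password.
SELECT name
FROM master..syslogins
WHERE isntname = 0
  AND (password IS NULL OR PWDCOMPARE('', password) = 1);

-- SQL Server 2005 and later: the same check against sys.sql_logins, which
-- only contains SQL-authenticated logins.
SELECT name
FROM sys.sql_logins
WHERE PWDCOMPARE('', password_hash) = 1;

-- Remediate on SQL Server 2000: sp_password old_password, new_password, login.
-- The old password is NULL because it is blank; the new one is a placeholder.
EXEC sp_password NULL, 'REPLACE-WITH-A-LONG-RANDOM-PASSWORD', 'sa';

-- Remediate on SQL Server 2005 and later.
ALTER LOGIN sa WITH PASSWORD = 'REPLACE-WITH-A-LONG-RANDOM-PASSWORD';
```

Run the audit from a sysadmin login; any name the first query returns is a login the worm could use, not just sa.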

byrmol
Shed Building SQL Farmer

1591 Posts

Posted - 2002-05-21 : 17:55:45
For F#$%K sake!

What is wrong with these people?

A SQL Server exposed to the web with a sa password of blank...

You get everything you deserve........

DavidM

"SQL-3 is an abomination.."

MichaelP
Jedi Yak

2489 Posts

Posted - 2002-05-21 : 18:06:04
I totally agree!
It's not like every FAQ out there doesn't say don't leave SA blank, unless it's some test server that's not connected to the net. Who has their production SQL server on the "outside world" anyway? I know ours isn't.

I also love people that have an IIS Server on the web without all the latest patches. I still see other servers "attacking" ours with nimda from time to time.

Michael


chadmat
The Chadinator

1974 Posts

Posted - 2002-05-22 : 02:20:17
I like how it says "the default"!

What is the alternative?

First of all, you have to check a box that says "I know you are saying I shouldn't do this, but I'm an idiot, and I don't care if someone hacks me"

Are we supposed to set some generic password by default? Wouldn't that be just as bad? (Everyone would know what it is.)

Should it be unique, then nobody would be able to login to their server, because they forgot their GUID password!

I remember there was an article about 2 years ago that came out and said this was a HUGE security bug, because the default was blank.

Bug?

-Chad




Merkin
Funky Drop Bear Fearing SQL Dude!

4970 Posts

Posted - 2002-05-22 : 02:49:45
Interesting take on it Chad, I hadn't really thought about it that way. I guess you are right in one respect, Oracle installs with some crappy password (tiger1 ?) that you have to go and change afterwards.

I guess the main reason it is a concern is the thousands of crappy administrators that select the "yes I am an idiot" option and install with a blank password. No one can deny that, you have all seen it....from people that should know better...including MCDBAs and even Microsoft Employees.

It is, however, a real problem. I think it should force you to specify a password. Crap like this is what gives MS products a bad name, which in the case of SQL Server I feel is highly unfair. It is a great product that gets a bad reputation because of the stupidity of a large number of its users.


Damian

byrmol
Shed Building SQL Farmer

1591 Posts

Posted - 2002-05-22 : 03:23:01
quote:

It is a great product that gets a bad reputation because of the stupidity of a large number of its users.



In some respects MS brought that on themselves.
The interface is too damn good!


DavidM

"SQL-3 is an abomination.."

Lavos
Posting Yak Master

200 Posts

Posted - 2002-05-22 : 05:13:23
Another problem is that people underestimate the security risk.

I know a guy (who knows the guy. I was hearing about it while it was going on. I'm not privy to what company it was for obvious reasons.) who did an audit on a company's network. Within 2 days he found the development sql server with the blank SA password. After a week of exploiting it to look for other holes, he told them about the blank password.

They laughed him off because it was a "development" machine that wasn't important. I didn't hear what their reaction was when he handed them a list of all the patches they were missing on all their machines as well as every password (except for 2, and those weren't that important.) in the domain.

Would he have found his way in eventually? Probably, but it all started with a blank SA password. (Though arguably the "real" problem was running SQL Server in the system account, which gives anyone with SQL Server admin privileges the same access level as the local administrator, or domain administrator if it's a domain controller.)


Personally, I think it should force a password to be entered for the SA account. Period. If the person installing the server forgets the password, then there are likely bigger problems to worry about beyond figuring out how to reinstall the server to gain access again. (That being said, I've changed my personal account's password late at night 5 minutes before going to sleep....., but I've never forgotten a root password or changed one flippantly, but then again I'm just a secretary.)

----------------------
"O Theos mou! Echo ten labrida en te mou kephale!"

KHeon
Posting Yak Master

135 Posts

Posted - 2002-05-22 : 07:40:30
About a month ago I participated in a performance audit (of sorts) for a potential client that runs an online store in SQL Server. Sad to say this, but their SQL Server is one of the unprotected ones (possibly one of the 1600 already compromised). My boss started testing their security by using SQL Injection to see what he could learn about the db. I just jumped in, pinged the site (which happens to be running SQL Server and IIS) and then logged into their server through EM.

The sad thing is they didn't like the quote we sent them to *fix* what was wrong, and the sa password fix was a simple one. Nobody there had the expertise to know how to change it, so I'd imagine it's still *unlocked*.

I agree, Microsoft should require an sa password regardless.

Is there a way to rename the sa account? Kind of like you can with the NT Administrator account? I always create a local user account for SQL Server to log into, per the MS Curriculum.

Kyle Heon
PixelMEDIA, Inc.
Senior Application Programmer, MCP
kheon@pixelmedia.com

AjarnMark
SQL Slashing Gunting Master

3246 Posts

Posted - 2002-05-22 : 14:35:52
quote:
I think it should force you to specify a password.


That sounds like a reasonable upgrade to appear in Yukon. I have to admit that I was thrilled to see it pop up the message that says you really ought to put a password on SA. That was definitely a step in the right direction on 2000.

I can honestly tell you that NOBODY knows the password to SA on our SQL Servers. How can I be so sure? Well, I'm the one that set it to some jumble of letters and numbers, and never memorized it. I then set up my personal sysadmin account and have never used SA since.


Vincent
Starting Member

1 Post

Posted - 2002-05-28 : 14:43:11
I agree that Admins make mistakes, but before you beat on them too harshly, sometimes it's the vendor's fault (and not just MS)...

<from the SANS Institute - Internet Threat Update, 5/28/2002>

"- - You may be vulnerable and not realize it. Access 2000, Visio
Enterprise Network Tools, Microsoft Project Central, Visual Studio 6
(and possibly other development tools) all appear to have an embedded
version of SQL server (with no password set for the "SA" account)
as a default install. These tools are still being sold today, and we
have no reason to believe new buyers are immune to the vulnerability.
Even worse, other vendors have embedded the run-time version of SQL
Server 7 in their products. Dell, for example, installed it inside
its IT Assistant Version 6.0 product and does not install the software
required to change the password. Compaq Insight Manager Version 7 and
IBM Director Version 3.1 both use the runtime version of SQL Server.
If someone tells you, "Microsoft fixed the problem," please point
out to them that they may have been misinformed for a large segment
of the user community."

Check out http://www.incidents.org/diary/diary.php?id=156 for more info.


Doug G
Constraint Violating Yak Guru

331 Posts

Posted - 2002-05-28 : 21:35:58
Access, anyway, does not install MSDE during a standard installation, so there is no "default" problem. You have to go out of your way to find the MSDE install files on your Access or Office Pro CD. You have the opportunity to set the sa password during the MSDE installation.


======
Doug G
======

Wanderer
Master Smack Fu Yak Hacker

1168 Posts

Posted - 2002-05-29 : 05:47:12
Let's face it ... the fact is that MS has always defaulted "open" to allow the simplest installation possible, and while chasing after the "grail" of "EASE OF USE", has up until recently been almost oblivious to the security implications.

I say until recently, because I hope that the widely publicised "secure computing" (or whatever the actual phrase is) drive by MS and Bill will seriously address these issues.

The idea that it defaults to blank was simply an extension of the policy of defaulting to make it easy to install. I must admit that this is one of the things that I dislike about some of the SQL (MS) approach to certain things. The danger is that anyone who can move a mouse can now do an installation.

In my opinion there are huge numbers of SQL servers etc. installed by people which have these dangerous defaults, and in fact I find in the organization I am working at that we recently pointed out 40 UNKNOWN SQL server installations - no licences, blank passwords, etc. Tracking down who did these, why and getting licences etc. is not a fun task!!!


Doug G
Constraint Violating Yak Guru

331 Posts

Posted - 2002-06-01 : 01:15:26
quote:
The idea that it defaults to blank was simply an extension of the policy of defaulting to make it easy to install. I must admit that this is one of the things that I dislike about some of the SQL (MS) approach to certain things. The danger is that anyone who can move a mouse can now do an installation.


How else are you going to get the server installed? The installer needs to have admin access to set up the server. Every DB I've ever worked on has had a default admin password for installation, and when server admins don't change the default admin password, be it blank or whatever, the server is open season for hackers. This has been going on since before there was a Microsoft.


======
Doug G
======

Argyle
Yak Posting Veteran

53 Posts

Posted - 2002-06-03 : 16:45:41
Why not create a worm that, instead of damaging the SQL servers, sets a new strong random password and then saves it to a text file on the C: drive? Or why not check if any operators are configured on the SQL server and email them a message that it's a bad idea to use a blank password :P


Merkin
Funky Drop Bear Fearing SQL Dude!

4970 Posts

Posted - 2002-06-03 : 19:17:46
Because unfortunately, that would land you in prison as quickly as the guy who wrote the original worm if they got him.

"It is a friendly worm" is not a defence.

Damian

Wanderer
Master Smack Fu Yak Hacker

1168 Posts

Posted - 2002-06-04 : 06:15:36
quote:
Every DB I've ever worked on has had a default admin password for installation, and when server admins don't change the default admin password, be it blank or whatever, the server is open season for hackers.


I don't say that MS is the only culprit. It is an unfortunate truth that the more visible you are, the better target you make, and that fact, combined with some of the less-than-impressive moves made by MS in the past have made them target #1 for people trying to show them up.

I do believe that there should quite simply be no way you allow a default password - let's face it - DBMS software is not a game that you are installing, or something to play around with. If you are installing a DBMS, you are almost certainly doing it for something that you consider a serious activity (be it supporting a business, or storing your own private data etc.).

MS can take the lead here by saying - YOU WILL use a password, it will be a moderately secure one in the sense that it will be 8 or more characters (probably more, as brute force available increases - but for argument's sake, let's say 8). YOU WILL not use only alphanumerics, but need to include some additional characters "(!_" etc. etc. to ensure that this isn't a simple password open to dictionary attacks. I don't believe that anyone who is installing this product will jump up-and-down about this kind of measure, and it would be proof that they are taking the concept of "secure computing" further than simply trying to improve the quality of their code (by removing buffer overflows etc.), and showing that they are looking at security as a concept that should be integral to any professional information system, and something that is applied to every part of that process.

If someone is just playing around with SQL server at home, developing code etc., and has absolutely no interest in security, they will write down the password anyway. And as has been mentioned before, we should really be trying to use sa as little as possible (it makes sense to me, anyway) - create users that have the authority that they need, and use those as much as possible.

Hmmmm - hopefully I haven't jumped up-and-down too much on the soap box here, but I do think that this is an important point that deserves proper discussion. I look forward to responses/comments et al.

ciao


chadmat
The Chadinator

1974 Posts

Posted - 2002-06-06 : 02:51:18
Wanderer,

I agree with you to some extent. Security should be taken more seriously, but that is a two-way street. It should be taken seriously first and foremost by the administrator of the machine. It is just a cop-out to say, "Well, it came with a blank PW, so it's not my fault."

It is up to the administrator to set and maintain proper security.

Your car comes with a lock, but if you don't use it, and it gets stolen, you have nobody to blame but yourself. You can't cry that the manufacturer should automatically lock it for you.

-Chad


izaltsman
A custom title

1139 Posts

Posted - 2002-06-06 : 11:37:31
quote:

Your car comes with a lock, but if you don't use it, and it gets stolen, you have nobody to blame but yourself. You can't cry that the manufacturer should automatically lock it for you.



I am with Chad on this. I would hate it if Microsoft tried to dictate how strong my passwords should be. Only the person administering the server can make this decision based on his business requirements.

It would be nice though if a configurable Password Policy tool of some sort existed for SQL Authentication (something that would enforce minimum password length, force change of passwords with age etc).
