Thread: Security note: MS SQL is current worm vector

Security note: MS SQL is current worm vector

From
Tom Lane
Date:
According to incidents.org, a new worm that infects MS SQL servers
is currently spreading fast, and it's being used to launch distributed
denial-of-service attacks against various sites: see
http://www.incidents.org/diary/diary.php?id=82

The security flaw that the worm exploits is not, um, deep.  It seems
that Microsoft ships MS SQL with a default system-admin account having
the fixed name "sa" and no password.  If that hasn't been changed,
anyone can do anything they want using the server machine.

While Microsoft's carelessness about security is (justly) infamous,
I'm not as inclined to say "Redmond is a bunch of bozos" as "there
but for the grace of God go we".  This is a heads-up that security
issues *do* matter, even for databases.
        regards, tom lane


Re: Security note: MS SQL is current worm vector

From
Lincoln Yeoh
Date:
Yeah, by default PostgreSQL ships practically without any access controls.

Fortunately most self compiled PostgreSQL installations don't have remote
access enabled (I have long assumed that on most Unix or Unixlike systems
local users = root users, so PostgreSQL's lack of local user security by
default isn't that big an issue).

I have no experience with prepackaged PostgreSQL installations.

Anyway most DB installations should be behind firewalls. That said many
microsoft users may not even know they have a DB installation, let alone
that they need to set a password ;).

Cheerio,
Link.

At 12:20 AM 11/25/01 -0500, Tom Lane wrote:
>According to incidents.org, a new worm that infects MS SQL servers
>is currently spreading fast, and it's being used to launch distributed
>denial-of-service attacks against various sites: see
>http://www.incidents.org/diary/diary.php?id=82
>
>The security flaw that the worm exploits is not, um, deep.  It seems
>that Microsoft ships MS SQL with a default system-admin account having
>the fixed name "sa" and no password.  If that hasn't been changed,
>anyone can do anything they want using the server machine.
>
>While Microsoft's carelessness about security is (justly) infamous,
>I'm not as inclined to say "Redmond is a bunch of bozos" as "there
>but for the grace of God go we".  This is a heads-up that security
>issues *do* matter, even for databases.
>
>            regards, tom lane



Re: Security note: MS SQL is current worm vector

From
"Dalibor Andzakovic"
Date:
This may impact Sybase ASE installations as well. AFAIR Sybase uses system
account sa and no password.

dali

-----Original Message-----
From: pgsql-hackers-owner@postgresql.org
[mailto:pgsql-hackers-owner@postgresql.org] On Behalf Of Tom Lane
Sent: Sunday, 25 November 2001 18:20
To: pgsql-hackers@postgresql.org
Subject: [HACKERS] Security note: MS SQL is current worm vector


According to incidents.org, a new worm that infects MS SQL servers is
currently spreading fast, and it's being used to launch distributed
denial-of-service attacks against various sites: see
http://www.incidents.org/diary/diary.php?id=82

The security flaw that the worm exploits is not, um, deep.  It seems
that Microsoft ships MS SQL with a default system-admin account having
the fixed name "sa" and no password.  If that hasn't been changed,
anyone can do anything they want using the server machine.

While Microsoft's carelessness about security is (justly) infamous, I'm
not as inclined to say "Redmond is a bunch of bozos" as "there but for
the grace of God go we".  This is a heads-up that security issues *do*
matter, even for databases.
        regards, tom lane




Re: Security note: MS SQL is current worm vector

From
Tom Lane
Date:
Lincoln Yeoh <lyeoh@pop.jaring.my> writes:
> Yeah, by default PostgreSQL ships practically without any access controls.

It ain't *that* bad.  The default configuration is "no remote access,
period", even if you give -i in the postmaster switches.  True, there
are no local access controls by default, but unless someone ignores
the instructions and runs the postmaster as "bin" or another
quasi-privileged user, there's no way I can see to use the database to
break into root.  (Barring site security holes, which could be exploited
by any local user anyway.)

MS SQL's problem is that any remote attacker who can reach the machine
by TCP is instantly root, or whatever the equivalent concept is on NT.
If you don't have the server port firewalled you're a sitting duck.

I do wonder whether we shouldn't list "think about your access controls"
as an explicit step in the installation instructions or server startup
instructions.  The default configuration is definitely uncool on
multiuser machines, but a novice might not find that out till too late.

        regards, tom lane


Re: Security note: MS SQL is current worm vector

From
Ian Barwick
Date:
On Sunday 25 November 2001 18:13, Tom Lane wrote:
> Lincoln Yeoh <lyeoh@pop.jaring.my> writes:
> > Yeah, by default PostgreSQL ships practically without any access
> > controls.
>
(...)
> I do wonder whether we shouldn't list "think about your access controls"
> as an explicit step in the installation instructions or server startup
> instructions.  The default configuration is definitely uncool on
> multiuser machines, but a novice might not find that out till too late.

It might be worth explicitly mentioning the following:

1) use initdb with the -W option, so that a superuser password
   is set during db initialisation and before the server is started;

2) before starting the server change the appropriate settings
   in pg_hba.conf from 'trusted' to 'password' (or whatever other
   authentication system is to be used).

Particularly the point about initdb with -W isn't mentioned
in the "7.1 Administrator's Guide" (section 3.2, 'Creating
a database cluster'), which is probably the first port of call 
for many first time admin/users.

Following these steps should exclude any possibility
of even local users gaining uncontrolled access to the
backend. (Motto: "Never Trust Anyone" ;-)

Yours

Ian Barwick
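As an added example (not from this thread or from the PostgreSQL project), the following Python audit walks a constructed pg_hba.conf and flags every rule still using the passwordless `trust` method (the keyword Ian refers to as 'trusted'), rating network-reachable rules higher than unix-socket or loopback ones. It assumes the modern five-column pg_hba.conf layout (TYPE DATABASE USER ADDRESS METHOD) rather than the 7.1-era one, and does not parse the separate-netmask form.

```python
import ipaddress

# Constructed sample pg_hba.conf (not from any real installation); modern
# five-column layout: TYPE DATABASE USER ADDRESS METHOD.
SAMPLE_HBA = """\
# TYPE  DATABASE  USER  ADDRESS         METHOD
local   all       all                   trust
host    all       all   127.0.0.1/32    trust
host    all       all   0.0.0.0/0       md5
host    all       all   192.168.1.0/24  trust
hostssl all       all   0.0.0.0/0       trust
"""


def parse_hba(text):
    """One dict per rule line; comments and blanks skipped, netmask form not parsed."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        kind = fields[0]
        if kind == "local" and len(fields) >= 4:
            rules.append(dict(line=lineno, type=kind, address=None, method=fields[3]))
        elif kind in ("host", "hostssl", "hostnossl") and len(fields) >= 5:
            rules.append(dict(line=lineno, type=kind, address=fields[3], method=fields[4]))
    return rules


def _is_loopback(address):
    """True only for a loopback CIDR; 'all', 'samenet' or a hostname count as exposed."""
    try:
        return ipaddress.ip_network(address, strict=False).is_loopback
    except ValueError:
        return False


def find_trust_rules(text):
    """(line, severity, type, address) for each rule whose method is 'trust',
    i.e. any matching client may connect as any listed role with no password."""
    findings = []
    for r in parse_hba(text):
        if r["method"] != "trust":
            continue
        if r["type"] == "local" or _is_loopback(r["address"]):
            severity = "medium"  # only local OS users can reach it
        else:
            severity = "high"    # reachable over the network
        findings.append((r["line"], severity, r["type"], r["address"] or "(unix socket)"))
    return findings
```

Run `find_trust_rules(SAMPLE_HBA)` to see the two network-reachable trust rules reported as high and the local and loopback ones as medium.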


Re: Security note: MS SQL is current worm vector

From
Lamar Owen
Date:
On Sunday 25 November 2001 03:35 am, Lincoln Yeoh wrote:
> Fortunately most self compiled PostgreSQL installations don't have remote
> access enabled (I have long assumed that on most Unix or Unixlike systems
> local users = root users, so PostgreSQL's lack of local user security by
> default isn't that big an issue).

> I have no experience with prepackaged PostgreSQL installations.

The RPMset ships with TCP/IP socket listening off by default.  I've had more 
questions on 'why isn't it turned on by default like it was in 7.0' than any 
other single subject. To all who asked -- _this_ is why.

However, since postmaster doesn't start or run as root, a compromise of 
postmaster isn't going to result in catastrophic remote root.  At worst your 
database is compromised -- which is bad, but not as bad as your machine being 
a stepping-stone for a DDoS.

This is, IMHO, one of the worst things about NT 'services'  -- they have 
entirely too many rights in the filesystem.
-- 
Lamar Owen
WGCR Internet Radio
1 Peter 4:11



Re: Security note: MS SQL is current worm vector

From
Bruce Momjian
Date:
> On Sunday 25 November 2001 18:13, Tom Lane wrote:
> > Lincoln Yeoh <lyeoh@pop.jaring.my> writes:
> > > Yeah, by default PostgreSQL ships practically without any access
> > > controls.
> >
> (...)
> > I do wonder whether we shouldn't list "think about your access controls"
> > as an explicit step in the installation instructions or server startup
> > instructions.  The default configuration is definitely uncool on
> > multiuser machines, but a novice might not find that out till too late.
> 
> It might be worth explicitly mentioning the following:
> 
> 1) use initdb with the -W option, so that a superuser password
>    is set during db initialisation and before the server is started;

I have added documentation for the -W flag.  You can see it at:
http://216.55.132.35/main/writings/pgsql/sgml/creating-cluster.html


> 2) before starting the server change the appropriate settings
>    in pg_hba.conf from 'trusted' to 'password' (or whatever other
>    authentication system is to be used).

Also mentioned.

-- 
  Bruce Momjian                        |  http://candle.pha.pa.us
  pgman@candle.pha.pa.us               |  (610) 853-3000
  +  If your life is a hard drive,     |  830 Blythe Avenue
  +  Christ can be your backup.        |  Drexel Hill, Pennsylvania 19026