Thread: Security note: MS SQL is current worm vector
According to incidents.org, a new worm that infects MS SQL servers is currently spreading fast, and it's being used to launch distributed denial-of-service attacks against various sites: see http://www.incidents.org/diary/diary.php?id=82

The security flaw that the worm exploits is not, um, deep. It seems that Microsoft ships MS SQL with a default system-admin account having the fixed name "sa" and no password. If that hasn't been changed, anyone can do anything they want using the server machine.

While Microsoft's carelessness about security is (justly) infamous, I'm not as inclined to say "Redmond is a bunch of bozos" as "there but for the grace of God go we". This is a heads-up that security issues *do* matter, even for databases.

regards, tom lane
Yeah, by default Postgresql ships practically without any access controls.

Fortunately most self compiled Postgresql installations don't have remote access enabled (I have long assumed that on most Unix or Unixlike systems local users = root users, so postgresql's lack of local user security by default isn't that big an issue).

I have no experience with prepackaged Postgresql installations.

Anyway most DB installations should be behind firewalls. That said many microsoft users may not even know they have a DB installation, let alone that they need to set a password ;).

Cheerio,
Link.

At 12:20 AM 11/25/01 -0500, Tom Lane wrote:
>According to incidents.org, a new worm that infects MS SQL servers
>is currently spreading fast, and it's being used to launch distributed
>denial-of-service attacks against various sites: see
>http://www.incidents.org/diary/diary.php?id=82
>
>The security flaw that the worm exploits is not, um, deep. It seems
>that Microsoft ships MS SQL with a default system-admin account having
>the fixed name "sa" and no password. If that hasn't been changed,
>anyone can do anything they want using the server machine.
>
>While Microsoft's carelessness about security is (justly) infamous,
>I'm not as inclined to say "Redmond is a bunch of bozos" as "there
>but for the grace of God go we". This is a heads-up that security
>issues *do* matter, even for databases.
>
> regards, tom lane
This may impact Sybase ASE installations as well. AFAIR Sybase uses system account sa and no password.

dali

-----Original Message-----
From: pgsql-hackers-owner@postgresql.org [mailto:pgsql-hackers-owner@postgresql.org] On Behalf Of Tom Lane
Sent: Sunday, 25 November 2001 18:20
To: pgsql-hackers@postgresql.org
Subject: [HACKERS] Security note: MS SQL is current worm vector

According to incidents.org, a new worm that infects MS SQL servers is currently spreading fast, and it's being used to launch distributed denial-of-service attacks against various sites: see http://www.incidents.org/diary/diary.php?id=82

The security flaw that the worm exploits is not, um, deep. It seems that Microsoft ships MS SQL with a default system-admin account having the fixed name "sa" and no password. If that hasn't been changed, anyone can do anything they want using the server machine.

While Microsoft's carelessness about security is (justly) infamous, I'm not as inclined to say "Redmond is a bunch of bozos" as "there but for the grace of God go we". This is a heads-up that security issues *do* matter, even for databases.

regards, tom lane
Lincoln Yeoh <lyeoh@pop.jaring.my> writes:
> Yeah, by default Postgresql ships practically without any access controls.

It ain't *that* bad. The default configuration is "no remote access, period", even if you give -i in the postmaster switches. True, there are no local access controls by default, but unless someone ignores the instructions and runs the postmaster as "bin" or another quasi-privileged user, there's no way I can see to use the database to break into root. (Barring site security holes, which could be exploited by any local user anyway.)

MS SQL's problem is that any remote attacker who can reach the machine by TCP is instantly root, or whatever the equivalent concept is on NT. If you don't have the server port firewalled you're a sitting duck.

I do wonder whether we shouldn't list "think about your access controls" as an explicit step in the installation instructions or server startup instructions. The default configuration is definitely uncool on multiuser machines, but a novice might not find that out till too late.

regards, tom lane
On Sunday 25 November 2001 18:13, Tom Lane wrote:
> Lincoln Yeoh <lyeoh@pop.jaring.my> writes:
> > Yeah, by default Postgresql ships practically without any access
> > controls.
> (...)
> I do wonder whether we shouldn't list "think about your access controls"
> as an explicit step in the installation instructions or server startup
> instructions. The default configuration is definitely uncool on
> multiuser machines, but a novice might not find that out till too late.

It might be worth explicitly mentioning the following:

1) use initdb with the -W option, so that a superuser password is set during db initialisation and before the server is started;

2) before starting the server change the appropriate settings in pg_hba.conf from 'trusted' to 'password' (or whatever other authentication system is to be used).

Particularly the point about initdb with -W isn't mentioned in the "7.1 Administrator's Guide" (section 3.2, 'Creating a database cluster'), which is probably the first port of call for many first time admin/users.

Following these steps should exclude any possibility of even local users gaining uncontrolled access to the backend. (Motto: "Never Trust Anyone" ;-)

Yours

Ian Barwick
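The two steps listed in the message above, as an added example that is not part of this thread or of PostgreSQL's own code: a POSIX shell script that writes a constructed pg_hba.conf in the weak "trust everything" form beside the hardened "password" form, and a small audit function that counts the `trust` entries left in a file so an admin can check a cluster before starting the postmaster. The sample lines imitate the 7.1-era five-column pg_hba.conf layout (the keyword actually used in that file is `trust`); the file contents, the helper names and the data directory path are assumptions of this example, and the initdb step is shown as a comment because it needs a live installation to run.

```shell
#!/bin/sh
# Added example, not from the thread: audit pg_hba.conf for "trust" entries.
# Step 1 from the message above, for reference (needs a real installation):
#   initdb -W -D /path/to/pgdata      # -W prompts for the superuser password
#                                     # before the server is ever started.

# Constructed sample: a pg_hba.conf that trusts every connection, including
# one from any remote address. This is the weak form, written here only so
# the audit below has something to flag.
make_weak_hba() {
  cat > "$1" <<'EOF'
# TYPE  DATABASE    IP_ADDRESS    MASK                AUTH_TYPE
local   all                                           trust
host    all         127.0.0.1     255.255.255.255     trust
host    all         0.0.0.0       0.0.0.0             trust
EOF
}

# Constructed sample: the hardened form. Unix-socket and loopback clients
# must present a password; no line grants access to other hosts at all.
make_hardened_hba() {
  cat > "$1" <<'EOF'
# TYPE  DATABASE    IP_ADDRESS    MASK                AUTH_TYPE
local   all                                           password
host    all         127.0.0.1     255.255.255.255     password
EOF
}

# Print the number of non-comment, non-blank lines whose last field is
# "trust" (the auth type is always the final column in this layout).
count_trust_entries() {
  grep -v '^[[:space:]]*#' "$1" \
    | grep -v '^[[:space:]]*$' \
    | awk '$NF == "trust"' \
    | wc -l | tr -d ' '
}

# Exit status 0 when the file contains no trust entries, 1 otherwise,
# so it can gate a startup script: hba_is_hardened "$f" || exit 1
hba_is_hardened() {
  [ "$(count_trust_entries "$1")" -eq 0 ]
}

# Stand-alone demonstration on a temporary file.
if [ "${HBA_DEMO:-1}" = "1" ]; then
  f=$(mktemp)
  make_weak_hba "$f"
  echo "weak file: $(count_trust_entries "$f") trust entries"
  make_hardened_hba "$f"
  echo "hardened file: $(count_trust_entries "$f") trust entries"
  rm -f "$f"
fi
```

Run it as `sh audit_hba.sh`; to use only the functions in another script, set `HBA_DEMO=0` before sourcing it. The audit deliberately looks at the last column rather than searching for the word anywhere on the line, so a commented-out or database-named "trust" does not produce a false positive.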
On Sunday 25 November 2001 03:35 am, Lincoln Yeoh wrote:
> Fortunately most self compiled Postgresql installations don't have remote
> access enabled (I have long assumed that on most Unix or Unixlike systems
> local users = root users, so postgresql's lack of local user security by
> default isn't that big an issue).

> I have no experience with prepackaged Postgresql installations.

The RPMset ships with TCP/IP socket listening off by default. I've had more questions on 'why isn't it turned on by default like it was in 7.0' than any other single subject. To all who asked -- _this_ is why.

However, since postmaster doesn't start or run as root, a compromise of postmaster isn't going to result in catastrophic remote root. At worst your database is compromised -- which is bad, but not as bad as your machine being a stepping-stone for a DDoS.

This is, IMHO, one of the worst things about NT 'services' -- they have entirely too many rights in the filesystem.

--
Lamar Owen
WGCR Internet Radio
1 Peter 4:11
> On Sunday 25 November 2001 18:13, Tom Lane wrote:
> > Lincoln Yeoh <lyeoh@pop.jaring.my> writes:
> > > Yeah, by default Postgresql ships practically without any access
> > > controls.
> >
> > (...)
> > I do wonder whether we shouldn't list "think about your access controls"
> > as an explicit step in the installation instructions or server startup
> > instructions. The default configuration is definitely uncool on
> > multiuser machines, but a novice might not find that out till too late.
>
> It might be worth explicitly mentioning the following:
>
> 1) use initdb with the -W option, so that a superuser password
> is set during db initialisation and before the server is started;

I have added documentation for the -W flag. You can see it at:

http://216.55.132.35/main/writings/pgsql/sgml/creating-cluster.html

> 2) before starting the server change the appropriate settings
> in pg_hba.conf from 'trusted' to 'password' (or whatever other
> authentication system is to be used).

Also mentioned.

--
  Bruce Momjian                        |  http://candle.pha.pa.us
  pgman@candle.pha.pa.us               |  (610) 853-3000
  +  If your life is a hard drive,     |  830 Blythe Avenue
  +  Christ can be your backup.        |  Drexel Hill, Pennsylvania 19026