From: Kirk [khelfand@sqlauditor.com]
Sent: Monday, June 08, 1998 3:11 PM
To: ntsecurity@iss.net
Subject: [NTSEC] Re: MS-SQL server security

TO UNSUBSCRIBE: email "unsubscribe ntsecurity" to majordomo@iss.net
Contact ntsecurity-owner@iss.net for help with any problems!
---------------------------------------------------------------------------

Bret,

Windows NT attempts to try to require operating system authentication; however, due to exploits that are brought out by programs such as Red Button, SQL Server named pipes connections (standard logins only; I don't believe this applies to integrated logins) can be established using NULL connections, that is, requiring no operating system authentication.

To demonstrate establishing a SQL Server named pipes connection without operating system authentication, install an NT workstation in its own workgroup and create a local user. Use the Red Button program to get the info of the SQL Server you want to connect to. As the brick wall in the graphic of the remote server disappears, click the connect button of w/isql (having already entered the login id and password). A connection should be established.

This allows hackers to attack a SQL Server in standard or mixed security mode from untrusted machines. Because SQL Server has no lockout facility and does not allow the sa account to be disabled or changed, dictionary attacks can be launched against the sa account. Once the sa account is compromised, the procedure xp_cmdshell can be used to run operating system commands or xp_regread can be used to read the encrypted NT passwords out of the registry.
------------------------------------
Kirk Helfand | Voice (212) 535-5087 | Fax (212) 744-7824
DbSecure - pioneers in database security
www.sqlauditor.com
-----------------------------------

-----Original Message-----
Date: Mon, 01 Jun 1998 22:30:16
From: Technical Incursion Countermeasures
Subject: [NTSEC] MS-SQL server security

A reference - http://www.sqlauditor.com/page6.html - appears to imply that MS-SQL server does not apply any authentication to connections via named pipes... Is this so? I can't believe it.

Cheers,
Bret

Technical Incursion Countermeasures
consulting@bwa.net
http://www.ticm.com/
ph: (+61)(08) 9454 2487 (UTC+8 hrs)
fax: (+61)(08) 9454 6042
The Insider - an e'zine on Computer security
http://www.ticm.com/info/insider/index.html
------------------------------