Users login

Create an account »


Users login

Home » Hacking News » Insecure Microsoft Data Engine Could Lead to Code Execution

Insecure Microsoft Data Engine Could Lead to Code Execution

by Nikola Strahija on May 23rd, 2002 Software: Microsoft Visio 2000 Enterprise Visio Enterprise Networking Tools 1.0 Visual Studio 6.0 Office 2000/XP (running on a Windows 9x system) Impact: Run code of attacker's choice Max Risk: Critical


Visio Enterprise 2000 and VENT 1.0 use MSDE as a database server tostore information. Visual Studio, Office and other 3rd party softwarecan also use MSDE as a database server.

The MSDE installation option included with Visio 2000 Enterprise andVENT 1.0 defaults to Mixed Authentication. Additionally, the defaultusername in these cases is 'sa' and the default password is blank.Installing MSDE for Visual Studio 6.0 also uses the same defaults. Theversion of MSDE available on Office 2000/XP media defaults to WindowsIntegrated Security when installed on a Windows NT/2000/XP computer.However, when this version of MSDE is installed on a Windows 9x/mecomputer, it also defaults to 'sa' and a blank password. A malicioususer could execute the code of his choice on a system running MSDE with'sa' and a blank password. Such code would execute using the securitycontext of the MSSQLSERVER service, which is LOCALSYSTEM in the case ofa default MSDE install.


I stumbled upon this vulnerability running SQLPoke on a LAN. Tools likethis and SQLPing can pinpoint effected systems. Once identified, amalicious user could then use SQL Query Analyzer or osql to execute anyOS command using the xp_cmdshell stored procedure.

Mitigating Factors:

This vulnerability can only be remotely exploited on Internet-facingcomputers that allow access to TCP port 1433 or by other machines on thesame Local Area Network.

Vendor Response:

I contacted the Microsoft Security Response Center about this issue on3-6-02. They published KB article Q321081 on4-9-02 to address the issue with Visio. They subsequently publishedQ322336 aboutMSDE in general on 5-8-02. Q322336 actually addresses how to fix theproblem more completely than Q321081, it talks about modifying theregistry to switch MSDE to Windows Integrated Security as opposed tojust changing the 'sa' password. Microsoft decided that this issue issimply a MSDE configuration problem and does not require a patch.Consequently, since there is no patch they also elected not to issue aSecurity Bulletin despite the level of risk involved to effectedsystems. The emergence of the DoubleTap/SQLSnake worm compelled me togo ahead and post this in order to make people aware of these new KBarticles.

Adrian Romo
Senior Consultant
Quilogy - The Art & Science of Business

Newsletter signup

Signup to our monthly newsletter and stay in touch with IT news!

Free E-books

We've got ebooks! But they're not online. :( Please give us a few days to bring downloads back.


Have something to say or just wanna drop us a line? Please keep this in mind: to spam, we reply with spam.

Contact us »