Security note: MS SQL is current worm vector

Started by Tom Lane about 24 years ago, 8 messages
#1Tom Lane
tgl@sss.pgh.pa.us

According to incidents.org, a new worm that infects MS SQL servers
is currently spreading fast, and it's being used to launch distributed
denial-of-service attacks against various sites: see
http://www.incidents.org/diary/diary.php?id=82

The security flaw that the worm exploits is not, um, deep. It seems
that Microsoft ships MS SQL with a default system-admin account having
the fixed name "sa" and no password. If that hasn't been changed,
anyone can do anything they want using the server machine.

While Microsoft's carelessness about security is (justly) infamous,
I'm not as inclined to say "Redmond is a bunch of bozos" as "there
but for the grace of God go we". This is a heads-up that security
issues *do* matter, even for databases.

regards, tom lane

#2Dalibor Andzakovic
dali@dali.net.nz
In reply to: Tom Lane (#1)
Re: Security note: MS SQL is current worm vector

This may impact Sybase ASE installations as well. AFAIR Sybase uses system
account sa and no password.

dali

-----Original Message-----
From: pgsql-hackers-owner@postgresql.org
[mailto:pgsql-hackers-owner@postgresql.org] On Behalf Of Tom Lane
Sent: Sunday, 25 November 2001 18:20
To: pgsql-hackers@postgresql.org
Subject: [HACKERS] Security note: MS SQL is current worm vector

According to incidents.org, a new worm that infects MS SQL servers is
currently spreading fast, and it's being used to launch distributed
denial-of-service attacks against various sites: see
http://www.incidents.org/diary/diary.php?id=82

The security flaw that the worm exploits is not, um, deep. It seems
that Microsoft ships MS SQL with a default system-admin account having
the fixed name "sa" and no password. If that hasn't been changed,
anyone can do anything they want using the server machine.

While Microsoft's carelessness about security is (justly) infamous, I'm
not as inclined to say "Redmond is a bunch of bozos" as "there but for
the grace of God go we". This is a heads-up that security issues *do*
matter, even for databases.

regards, tom lane

---------------------------(end of broadcast)---------------------------
TIP 2: you can get off all lists at once with the unregister command
(send "unregister YourEmailAddressHere" to majordomo@postgresql.org)

#3Lincoln Yeoh
lyeoh@pop.jaring.my
In reply to: Tom Lane (#1)
Re: Security note: MS SQL is current worm vector

Yeah, by default Postgresql ships practically without any access controls.

Fortunately most self compiled Postgresql installations don't have remote
access enabled (I have long assumed that on most Unix or Unix-like systems
local users = root users, so postgresql's lack of local user security by
default isn't that big an issue).

I have no experience with prepackaged Postgresql installations.

Anyway most DB installations should be behind firewalls. That said many
microsoft users may not even know they have a DB installation, let alone
that they need to set a password ;).

Cheerio,
Link.

At 12:20 AM 11/25/01 -0500, Tom Lane wrote:


According to incidents.org, a new worm that infects MS SQL servers
is currently spreading fast, and it's being used to launch distributed
denial-of-service attacks against various sites: see
http://www.incidents.org/diary/diary.php?id=82

The security flaw that the worm exploits is not, um, deep. It seems
that Microsoft ships MS SQL with a default system-admin account having
the fixed name "sa" and no password. If that hasn't been changed,
anyone can do anything they want using the server machine.

While Microsoft's carelessness about security is (justly) infamous,
I'm not as inclined to say "Redmond is a bunch of bozos" as "there
but for the grace of God go we". This is a heads-up that security
issues *do* matter, even for databases.

regards, tom lane


#4Tom Lane
tgl@sss.pgh.pa.us
In reply to: Lincoln Yeoh (#3)
Re: Security note: MS SQL is current worm vector

Lincoln Yeoh <lyeoh@pop.jaring.my> writes:

Yeah, by default Postgresql ships practically without any access controls.

It ain't *that* bad. The default configuration is "no remote access,
period", even if you give -i in the postmaster switches. True, there
are no local access controls by default, but unless someone ignores
the instructions and runs the postmaster as "bin" or another
quasi-privileged user, there's no way I can see to use the database to
break into root. (Barring site security holes, which could be exploited
by any local user anyway.)

MS SQL's problem is that any remote attacker who can reach the machine
by TCP is instantly root, or whatever the equivalent concept is on NT.
If you don't have the server port firewalled you're a sitting duck.

I do wonder whether we shouldn't list "think about your access controls"
as an explicit step in the installation instructions or server startup
instructions. The default configuration is definitely uncool on
multiuser machines, but a novice might not find that out till too late.

regards, tom lane

#5Ian Barwick
barwick@gmx.net
In reply to: Tom Lane (#4)
Re: Security note: MS SQL is current worm vector

On Sunday 25 November 2001 18:13, Tom Lane wrote:

Lincoln Yeoh <lyeoh@pop.jaring.my> writes:

Yeah, by default Postgresql ships practically without any access
controls.

(...)

I do wonder whether we shouldn't list "think about your access controls"
as an explicit step in the installation instructions or server startup
instructions. The default configuration is definitely uncool on
multiuser machines, but a novice might not find that out till too late.

It might be worth explicitly mentioning the following:

1) use initdb with the -W option, so that a superuser password
is set during db initialisation and before the server is started;
2) before starting the server change the appropriate settings
in pg_hba.conf from 'trusted' to 'password' (or whatever other
authentication system is to be used).

Particularly the point about initdb with -W isn't mentioned
in the "7.1 Administrator's Guide" (section 3.2, 'Creating
a database cluster'), which is probably the first port of call
for many first time admin/users.

Following these steps should exclude any possibility
of even local users gaining uncontrolled access to the
backend. (Motto: "Never Trust Anyone" ;-)

Yours

Ian Barwick

#6Ian Barwick
barwick@akademie.de
In reply to: Tom Lane (#4)
Re: Security note: MS SQL is current worm vector

On Sunday 25 November 2001 18:13, Tom Lane wrote:

Lincoln Yeoh <lyeoh@pop.jaring.my> writes:

Yeah, by default Postgresql ships practically without any access
controls.

(...)

I do wonder whether we shouldn't list "think about your access controls"
as an explicit step in the installation instructions or server startup
instructions. The default configuration is definitely uncool on
multiuser machines, but a novice might not find that out till too late.

It might be worth explicitly mentioning the following:

1) use initdb with the -W option, so that a superuser password
is set during db initialisation and before the server is started;
2) before starting the server change the appropriate settings
in pg_hba.conf from 'trusted' to 'password' (or whatever other
authentication system is to be used).

Particularly the point about initdb with -W isn't mentioned
in the "7.1 Administrator's Guide" (section 3.2, 'Creating
a database cluster'), which is probably the first port of call
for many first time admin/users.

Following these steps should exclude any possibility
of even local users gaining uncontrolled access to the
backend. (Motto: "Never Trust Anyone" ;-)

Yours

Ian Barwick

#7Lamar Owen
lamar.owen@wgcr.org
In reply to: Lincoln Yeoh (#3)
Re: Security note: MS SQL is current worm vector

On Sunday 25 November 2001 03:35 am, Lincoln Yeoh wrote:

Fortunately most self compiled Postgresql installations don't have remote
access enabled (I have long assumed that on most Unix or Unix-like systems
local users = root users, so postgresql's lack of local user security by
default isn't that big an issue).

I have no experience with prepackaged Postgresql installations.

The RPMset ships with TCP/IP socket listening off by default. I've had more
questions on 'why isn't it turned on by default like it was in 7.0' than any
other single subject. To all who asked -- _this_ is why.

However, since postmaster doesn't start or run as root, a compromise of
postmaster isn't going to result in catastrophic remote root. At worst your
database is compromised -- which is bad, but not as bad as your machine being
a stepping-stone for a DDoS.

This is, IMHO, one of the worst things about NT 'services' -- they have
entirely too many rights in the filesystem.
--
Lamar Owen
WGCR Internet Radio
1 Peter 4:11

#8Bruce Momjian
pgman@candle.pha.pa.us
In reply to: Ian Barwick (#6)
Re: Security note: MS SQL is current worm vector

On Sunday 25 November 2001 18:13, Tom Lane wrote:

Lincoln Yeoh <lyeoh@pop.jaring.my> writes:

Yeah, by default Postgresql ships practically without any access
controls.

(...)

I do wonder whether we shouldn't list "think about your access controls"
as an explicit step in the installation instructions or server startup
instructions. The default configuration is definitely uncool on
multiuser machines, but a novice might not find that out till too late.

It might be worth explicitly mentioning the following:

1) use initdb with the -W option, so that a superuser password
is set during db initialisation and before the server is started;

I have added documentation for the -W flag. You can see it at:

http://216.55.132.35/main/writings/pgsql/sgml/creating-cluster.html

2) before starting the server change the appropriate settings
in pg_hba.conf from 'trusted' to 'password' (or whatever other
authentication system is to be used).

Also mentioned.

-- 
  Bruce Momjian                        |  http://candle.pha.pa.us
  pgman@candle.pha.pa.us               |  (610) 853-3000
  +  If your life is a hard drive,     |  830 Blythe Avenue
  +  Christ can be your backup.        |  Drexel Hill, Pennsylvania 19026