Autor: Chris Knipe Data: A: Andre Grueneberg CC: exim-users Assumpte: Re: [Exim] Re: Testers Needed?
Hi,
> CK> PS: Yes yes, the code is currently a TOTAL MESS!!!! What do you
> CK> expect when you have to sit in Windows Notepad and programm C for
> CK> Linux? :)
>
> ...you'd better say: take an MS-SQL exploit and change it?!
Correct. The exploit was NOT related towards MS-SQL diretly, rather it was
arround the issue that various DBs allowed for the sa account (System
Administrator) to have blank passwords. The explot was released on
15/08/2000 by Herbless. The code primarily allowed for the execution of
remote commands on the NT Server, allowing the attacker to take down your
system should push come to pull.
I took his code as a framework to make it easier for me to understand the
principals, and also took out all of the harmfull code which is used to
exploit or damage the servers. For one, the xp_shellcmd procedure is not
allowed, which disables the use of remote command utilities all together.
The code at this stage, can ONLY execute lookups on the SQL Server and
return the data, that's it. I have contacted Herbless on the 17th allready
I think, thanking him for his code, and informing him that I will be using
his code as a basis for further development towards Linux and MS-SQL
Development. He had no complaints about it, so I went ahead.
As I did state however, this is for testing purposes only. I am more
interested towards seeing that it works, and that it is stable. After such
time, other routes will be taken towards possible development and
deployment, which possibly may be included into Exim.