MS SQL Server 6.5 stores password in unprotected area of registry
- To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
- Subject: MS SQL Server 6.5 stores password in unprotected area of registry
- From: Todd Sabin <tas@WEBSPAN.NET>
- Date: Mon, 29 Jun 1998 22:00:43 -0400
- Reply-To: Todd Sabin <tas@WEBSPAN.NET>
- Sender: Windows NT BugTraq Mailing List <NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM>

SQL Server creates an account named SQLExecutiveCmdExec during its installation. This account is created with very limited rights on the machine, and is used by the SQLServer and SQLExecutive services to execute commands submitted to xp_cmdshell by users other than sa (if so configured).

The problem is that SQL Server stores the password for this account in an unprotected section of the registry. Under the key HKLM\SOFTWARE\Microsoft\MSSqlServer\SQLExecutive, there is a value of type REG_BINARY named CmdExecAccount. The data for this value is the password for the SQLExecutiveCmdExec account, encrypted using the PKZip encryption algorithm and a fixed key. It is possible to write a program which decrypts these passwords instantly.

The risk here is probably not too great. The SQLExecutiveCmdExec account is, by design, extremely limited in rights. SQL Server is normally installed on servers; ordinary users won't be able to access the registry remotely, nor log in to the server to access it locally. It's probably the case that it requires more rights to obtain the password than the password would give you. Nevertheless, this is bad practice, and people ought to be aware of it.

I notified Microsoft of this issue in October 1997, and asked again in March. I was told that they 'have some people looking into the issue', but haven't heard anything since.

Todd
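
An administrator can check who is able to read the key named in the message above. The following is an added example, not part of the original post: it assumes a host where PowerShell is available, and the function name and the list of trusted principals are assumptions to adjust per site.

```powershell
# Key and value names are the ones given in the advisory.
$KeyPath   = 'HKLM:\SOFTWARE\Microsoft\MSSqlServer\SQLExecutive'
$ValueName = 'CmdExecAccount'

# Assumption: only these principals are expected to read the key on this host.
$Trusted = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')

# Hypothetical helper: returns Allow ACEs that grant read access to anyone
# outside the trusted list. Deny ACEs are not evaluated, so treat the result
# as a list of entries to review rather than an effective-access calculation.
function Get-UnexpectedKeyReader {
    param(
        [Parameter(Mandatory = $true)] [string]   $Path,
        [Parameter(Mandatory = $true)] [string[]] $TrustedPrincipal
    )
    # Rights that allow reading value data: QueryValues, plus the generic
    # bits GENERIC_READ (0x80000000) and GENERIC_ALL (0x10000000).
    $queryValues = [int][System.Security.AccessControl.RegistryRights]::QueryValues
    $readMask    = $queryValues -bor [int]::MinValue -bor 0x10000000

    (Get-Acl -Path $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        (([int]$_.RegistryRights) -band $readMask) -ne 0 -and
        $TrustedPrincipal -notcontains $_.IdentityReference.Value
    } | Select-Object IdentityReference, RegistryRights, IsInherited
}

if (-not (Test-Path -Path $KeyPath)) {
    Write-Output "Key not present: $KeyPath"
}
else {
    # Report only whether the value exists; its data is never printed.
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        Write-Output "Value $ValueName not present under $KeyPath"
    }
    else {
        $readers = @(Get-UnexpectedKeyReader -Path $KeyPath -TrustedPrincipal $Trusted)
        if ($readers.Count -eq 0) {
            Write-Output "Only trusted principals can read $KeyPath"
        }
        else {
            Write-Output "Principals outside the trusted list with read access:"
            $readers | Format-Table -AutoSize
        }
    }
}
```
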