
Re: MS SQL Server 6.5 stores password in unprotected area of registry


  • To: NTBUGTRAQLISTSERV.NTBUGTRAQ.COM
  • Subject: Re: MS SQL Server 6.5 stores password in unprotected area of registry
  • From: Kevin Hegg <kevinheggkshtechnology.com>
  • Date: Tue, 30 Jun 1998 11:22:03 -0400
  • In-Reply-To: <199806301115.HAA04857tetsuo.mspring.net>
  • Reply-To: kevinheggkshtechnology.com
  • Sender: Windows NT BugTraq Mailing List <NTBUGTRAQLISTSERV.NTBUGTRAQ.COM>

Actually it is much worse than that. If you register a server under SQL
Enterprise Manager then whatever login and password you register is stored
in the registry. Typically a DBA will register using the 'sa' login, so that
also puts the 'sa' password in the registry. To view the login and password
go to HKCU/SOFTWARE/MICROSOFT/MSSQLSERVER/SQLEW/Registered Servers/SQL 6.5,
then select the target server, choose the 'View->Display Binary Data' menu
item, select the 'Byte Format' radio button, and scroll down through the
'Data:' list box and you will see the login and password (no programming is
required). And yes, Microsoft is aware of this.

--------------------
Kevin Hegg
KSH Technology, Inc.
kevinheggkshtechnology.com

> -----Original Message-----
> From: Windows NT BugTraq Mailing List
> [mailto:NTBUGTRAQLISTSERV.NTBUGTRAQ.COM]On Behalf Of Todd Sabin
> Sent: Monday, June 29, 1998 10:01 PM
> To: NTBUGTRAQLISTSERV.NTBUGTRAQ.COM
> Subject: MS SQL Server 6.5 stores password in unprotected area of
> registry
>
>
> SQL Server creates an account named SQLExecutiveCmdExec during its
> installation. This account is created with very limited rights on the
> machine, and is used by the SQLServer and SQLExecutive services to execute
> commands submitted to xp_cmdshell by users other than sa (if so
> configured).
>
> The problem is that SQL Server stores the password for this account in an
> unprotected section of the registry.  Under the key
> HKLM\SOFTWARE\Microsoft\MSSqlServer\SQLExecutive, there is a value of type
> REG_BINARY named CmdExecAccount.  The data for this value is the password
> for the SQLExecutiveCmdExec account, encrypted using the PKZip encryption
> algorithm and a fixed key.  It is possible to write a program which
> decrypts these passwords instantly.
>
> The risk here is probably not too great.  The SQLExecutiveCmdExec account
> is, by design, extremely limited in rights.  SQL Server is normally
> installed on servers; ordinary users won't be able to access the registry
> remotely, nor log in to the server to access it locally.  It's probably the
> case that it requires more rights to obtain the password than the password
> would give you.  Nevertheless, this is bad practice, and people ought to be
> aware of it.
>
> I notified Microsoft of this issue in October 1997, and asked again in
> March.  I was told that they 'have some people looking into the issue', but
> haven't heard anything since.
>
>
> Todd
>
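Both posts in this thread point at the same class of weakness: credential material sitting in registry values whose ACLs were never tightened. The audit script below is an added example for defenders and is not code from either poster; it only checks whether the two locations named in the thread exist, how many entries they hold, and which principals are allowed to read them. It does not read out or decrypt the stored data. The registry paths come from the thread; the assumption that each registered server under the SQLEW key is a REG_BINARY value (as Kevin's description of selecting the server and viewing its binary data suggests) and the use of present-day PowerShell cmdlets are mine.

```powershell
# Audit the two registry locations discussed in the thread.
# Added example, not the original posters' code. Paths are from the thread;
# the value-vs-subkey layout under SQLEW is assumed from Kevin's description.

$checks = @(
    @{ Name  = 'SQLExecutiveCmdExec password (Todd Sabin)'
       Path  = 'HKLM:\SOFTWARE\Microsoft\MSSqlServer\SQLExecutive'
       Value = 'CmdExecAccount' },
    @{ Name  = 'Enterprise Manager registered servers (Kevin Hegg)'
       Path  = 'HKCU:\SOFTWARE\Microsoft\MSSQLServer\SQLEW\Registered Servers\SQL 6.5'
       Value = $null }   # every value under this key is one registered server
)

foreach ($c in $checks) {
    Write-Host "== $($c.Name) =="
    if (-not (Test-Path -LiteralPath $c.Path)) {
        Write-Host "  key not present: $($c.Path)"
        continue
    }

    $key = Get-Item -LiteralPath $c.Path
    if ($c.Value) {
        # Single named value: report that it exists and its size, nothing more.
        if ($key.GetValueNames() -contains $c.Value) {
            $len = ($key.GetValue($c.Value)).Length
            Write-Host "  FOUND $($c.Value): $($key.GetValueKind($c.Value)), $len bytes (data not displayed)"
        } else {
            Write-Host "  value $($c.Value) absent"
        }
    } else {
        # Each registered server is an entry here; count them, do not dump them.
        $names = $key.GetValueNames()
        Write-Host "  registered servers: $($names.Count)"
        foreach ($n in $names) {
            Write-Host "    $n ($($key.GetValueKind($n)))"
        }
    }

    # Who may read this key? Anything beyond SYSTEM, Administrators and the
    # owning user is the exposure the thread is about.
    $acl = Get-Acl -LiteralPath $c.Path
    $query = [System.Security.AccessControl.RegistryRights]::QueryValues
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -eq 'Allow' -and
            (($ace.RegistryRights -band $query) -ne 0)) {
            Write-Host ("  readable by {0} ({1})" -f $ace.IdentityReference, $ace.RegistryRights)
        }
    }
}
```

Run it on the SQL Server host as the DBA whose Enterprise Manager profile you want to inspect, since the SQLEW key lives under HKCU and is therefore per user. A non-empty "registered servers" list combined with an ACL entry for a broad group such as Users or Everyone is the finding to act on: re-register servers with a lower-privileged login instead of 'sa', and restrict the key's permissions.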