Wed 2 Sep 2009
Passwords leakage from MS SQL Server
Posted by Slavik under MS SQL Server, security, sentrigo
A member of Sentrigo’s security and research team, Assaf Nativ, found an interesting security issue in all versions of MS SQL Server. It turns out that SQL Server keeps in memory, in clear text, the credentials (passwords) of users who log in using SQL Server native authentication. Users who log in with Windows authentication are not affected. Although Microsoft recommends that only Windows authentication be used, the reality is that many instances are configured for mixed mode authentication, with applications and administrators connecting to the instance using native authentication.
We, of course, reported this to MSRC about a year ago, but received a response saying that this is not a security issue because exploiting it requires administrative privileges. Well, we respectfully disagreed and approached MSRC several times, but without success in changing their mind.
I believe that this is indeed a security flaw that should be fixed, for the following reasons:
- How many passwords do you use? For how many systems? You do the math: most users reuse the same passwords between systems, because it is impossible to remember a separate strong password for every system we use. Even administrators should not have access to end users’ passwords, since with them they can gain access to sensitive systems that were not open to them.
- Most breaches are perpetrated by skilled insiders (e.g. administrators, programmers, etc.). It is for this very reason that various standards and regulations mandate segregation of duties.
- Many applications are deployed with administrative privileges. An attacker with a single SQL injection vulnerability in such an application can now read administrative passwords from the server’s memory and use them to penetrate other systems on the network, escalating the breach. This is even worse in the case of SQL Server 2000 and 2005, where this can be done remotely rather than only from the host itself.
We at Sentrigo were convinced that SQL Server administrators out there should be aware of the danger, and should also have a way to mitigate it, so we decided to publicize it and release a free tool that removes the clear text passwords from memory.
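The following T-SQL is an added example; it is not code from the original post or from Sentrigo’s tool. It shows a SQL Server administrator how to size up exposure to the issue: whether the instance accepts SQL-native logins at all, which password-based logins exist (and which of them hold sysadmin, the privilege MSRC’s response treats as a prerequisite for exploitation), and which live sessions authenticated with a password rather than a Windows identity. It assumes SQL Server 2005 or later, since the catalog views and DMVs it uses do not exist on SQL Server 2000.

```sql
-- Added example, not part of the original post or of Sentrigo's tool.
-- Assesses exposure to the clear-text-password-in-memory issue on
-- SQL Server 2005 or later (sys.sql_logins, sys.server_principals and
-- sys.dm_exec_sessions do not exist on SQL Server 2000).
-- Run as a sysadmin, or as a login granted VIEW SERVER STATE and
-- VIEW ANY DEFINITION, so that all logins and sessions are visible.

-- 1. Authentication mode.
--    1 = Windows authentication only (instance not affected)
--    0 = mixed mode (SQL-native, password-based logins are accepted)
SELECT SERVERPROPERTY('IsIntegratedSecurityOnly') AS windows_auth_only;

-- 2. Every SQL-native login on the instance. These are the credentials that
--    pass through server memory; a login that is also sysadmin is both a
--    high-value target and sufficient privilege to read that memory.
SELECT l.name,
       l.is_disabled,
       IS_SRVROLEMEMBER('sysadmin', l.name) AS is_sysadmin,
       l.is_policy_checked,
       l.is_expiration_checked
FROM sys.sql_logins AS l
WHERE l.name NOT LIKE '##%'          -- skip the internal certificate-based logins
ORDER BY is_sysadmin DESC, l.name;

-- 3. Live user sessions that authenticated with a SQL login rather than a
--    Windows principal. host_name and program_name show which applications
--    and administrators are still sending passwords to this instance.
SELECT s.session_id,
       s.login_name,
       s.host_name,
       s.program_name,
       s.login_time
FROM sys.dm_exec_sessions AS s
JOIN sys.server_principals AS p ON p.sid = s.security_id
WHERE s.is_user_process = 1
  AND p.type = 'S'                   -- 'S' = SQL login; 'U'/'G' = Windows user/group
ORDER BY s.login_time;
```

The first query answers the only question that fully removes the exposure: if it returns 1, no password ever reaches the server. In mixed mode, the rows of the second query with is_sysadmin = 1 are the accounts the SQL-injection escalation in the post would go after, and the third query is the list of applications and people whose connection strings or habits need to move to Windows authentication before the mode can be switched.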
What do you think about this issue? I’d love to hear your thoughts.
8 Responses to “Passwords leakage from MS SQL Server”
Trackbacks & Pingbacks:
- [...] Passwords leakage from MS SQL Server – slaviks-blog.com Turns out that SQL Server saves in clear text user credentials of users logging in using SQL Server native authentication. [...]
- [...] let’s begin our look at SQL Server blogs with Musings on Database Security and its post on passwords leakage from MS SQL Server. “Turns out that SQL Server saves in memory in clear text user credentials (passwords) of [...]
Frankly, cool finding – and this is the first I’ve heard of it.
But I don’t think it’s an issue. And I really mean that. Anyone with the ability to take advantage of this already has credentials enough to do wicked things with SQL Server if needed. Likewise, if code can get installed to do this as some sort of malicious payload, it’s already a part of the TCB and can CHANGE credentials, create its own, and so on.
So… while I think finding this was cool, I don’t think it’s a security issue.
@Michael
Hi Michael, thanks for the comment.
Well, think about all the test systems you know. How many users have admin privs on them? How many of them have the same privs on production? How many use the same password? And how many share the same password with other, personal systems like their banking account? I think that the main issue here is the fact that no one should ever see the passwords because they are reused.
Cheers,
Slavik
I definitely agree with you guys. This is a security issue. I think that the biggest point here is “Most breaches are perpetrated by skilled insiders”. What if adminA steals the credentials of adminB? What a mess…
I don’t understand why Microsoft corp. doesn’t acknowledge the issue. In my mind, the fix wouldn’t be that hard to implement.
Thumbs up for your effort trying to reason with Microsoft corp. But, only the Microsoft corp. clients can make Microsoft corp. move. It’s only by making the information available, what you just did, that MS will move.
Only my personal thoughts, for what they are worth.
Regards,
Statistique
@Statistique
Thanks for the kind words and I agree that MS customers should try and influence MS to fix the issue.
From my point of view, passwords should never be handled by the server except when created. Only hashes.
I’ve found a great MSSQL scanner that can locate any MSSQL server on your network (multi-subnet); it can also try to brute-force the SA user account (or any other account) to make sure the password is not easy.
You can get it here: http://www.softpedia.com/get/Internet/Servers/Database-Utils/SQL-Locator.shtml