Vulnerability in Microsoft SQL Server 7.0 Encryption Used to Store Administrative Login ID

ISS Security Advisory
March 14, 2000
Vulnerability in Microsoft SQL Server 7.0 Encryption Used to Store
Administrative Login ID

Synopsis:
Internet Security Systems (ISS) has identified a vulnerability in the
encryption used to conceal the password and login ID of a registered SQL
Server user in Enterprise Manager for Microsoft SQL Server 7.0. When
registering a new SQL Server in the Enterprise Manager or editing the SQL
Server registration properties, the login name that will be used by the
Enterprise Manager for the connection must be specified. If a SQL Server
login name is used instead of a Windows Domain user name and the 'Always
prompt for login name and password' checkbox is not set, the login ID and
password are weakly encrypted and stored in the registry.

When a DBA (database administrator) logs into a workstation with a roaming
profile, the login ID and password are stored in a registry key. This
information is stored as the file NTUSER.DAT (for Windows NT) or USER.DAT
(for Windows 95 or Windows 98) when the user logs off. An attacker can open
this file in a text editor to view the encrypted DBA login ID and password.
An attacker can reverse this encryption to gain access to the DBA login ID
and password.

Impact:
Remote and local attackers who acquire the system administrator password
have full control over the database server software as well as full access
to the content and integrity of the database.

Affected Versions:
Microsoft Enterprise Manager for SQL Server 7.0 is vulnerable.

Description:
The encryption used to conceal the password and login ID of a registered SQL
Server user in Enterprise Manager for SQL Server 7.0 can be reversed. The
encryption scheme used is an alphabetic substitution where each Unicode
character in the password is XOR'ed with a two byte value according to its
position in the string. If the 'Always prompt for login name and password'
checkbox is not set when registering a SQL Server, the login ID and password
are weakly encrypted and stored in the following registry key:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\MSSQLServer\SQLEW\Registered Server X.
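As an added illustration (not ISS's or Microsoft's code), the Python below models the scheme just described: UTF-16 code units XORed with a two-byte value chosen by position. The key table is a constructed placeholder, since the real values are not given in this advisory; the point is that any such fixed table round-trips trivially and is recovered in full from a single known login or password, so the stored blob is equivalent to plaintext.

```python
from typing import List

MAX_LEN = 128  # assumption: longest credential the demo schedule covers


def demo_schedule(n: int = MAX_LEN) -> List[int]:
    """Constructed, hypothetical per-position 16-bit XOR values.
    Any fixed per-position table behaves identically; these are not the real ones."""
    return [(0x5A3C + 0x0101 * i) & 0xFFFF for i in range(n)]


def to_units(data: bytes) -> List[int]:
    """Split UTF-16LE bytes into 16-bit code units."""
    return [int.from_bytes(data[i:i + 2], "little") for i in range(0, len(data), 2)]


def from_units(units: List[int]) -> bytes:
    return b"".join(u.to_bytes(2, "little") for u in units)


def xor_units(data: bytes, schedule: List[int]) -> bytes:
    """XOR each code unit with the schedule entry for its position.
    XOR is its own inverse, so the same call obscures and reveals."""
    units = to_units(data)
    if len(units) > len(schedule):
        raise ValueError("schedule too short for this string")
    return from_units([u ^ k for u, k in zip(units, schedule)])


def obscure(text: str, schedule: List[int]) -> bytes:
    """Model of what the registry value holds: UTF-16LE text under a positional XOR."""
    return xor_units(text.encode("utf-16-le"), schedule)


def reveal(blob: bytes, schedule: List[int]) -> str:
    return xor_units(blob, schedule).decode("utf-16-le")


def recover_schedule(known_text: str, known_blob: bytes) -> List[int]:
    """Why this is not encryption: one known plaintext/ciphertext pair yields
    key[i] = plain[i] ^ cipher[i] for every position it covers, leaving no secret."""
    plain = to_units(known_text.encode("utf-16-le"))
    return [p ^ c for p, c in zip(plain, to_units(known_blob))]


if __name__ == "__main__":
    sched = demo_schedule()
    blob = obscure("Example-Pw1", sched)  # constructed sample credential, not real
    print(blob.hex())  # looks random to the eye, but...
    print(recover_schedule("Example-Pw1", blob) == sched[:11])  # True: table falls out
```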

By design, the HKEY_CURRENT_USER registry hive is meant to be available only
to the currently logged on user. That is, when a different Windows NT user
logs onto the system, a different copy of the HKEY_CURRENT_USER registry
hive is loaded. In practice, the HKEY_CURRENT_USER registry hive is saved
locally as the file NTUSER.DAT or USER.DAT when a user logs off. This
registry hive can be opened in Notepad and the encrypted login ID and
password can be easily located. If the DBA has a roaming profile, the
NTUSER.DAT file will be saved on every workstation the DBA logs into.

Recommendations:
To securely use SQL Server, Microsoft recommends using Windows Integrated
Security. In Windows Integrated Security mode passwords are never stored, as
your Windows Domain sign-on is used as the security identifier to the
database server.

If a SQL Server login ID is specified for logging into a server in the
Enterprise Manager, Microsoft recommends using the option 'Always prompt for
login name and password' to prevent passwords from being stored in the
registry.

ISS SAFEsuite security assessment software, Database Scanner, contains a
security check for this vulnerability and is currently available for
customers in the latest version of Database Scanner, 3.0.1. 

Additional Information:
The Common Vulnerabilities and Exposures (CVE) project has assigned the name
CAN-2000-0199 to this issue. This is a candidate for inclusion in the CVE
list (http://cve.mitre.org), which standardizes names for security problems.

Credits:
This vulnerability was discovered by Internet Security Systems (ISS). ISS
would like to thank Microsoft for their response and handling of this
vulnerability. 

Revision History: 
March 14, 2000:  Initial release.
June 12, 2000:  Added revision history and CVE assignment.

______

About Internet Security Systems (ISS)
Internet Security Systems is a leading global provider of security
management solutions for the Internet, protecting digital assets and
ensuring safe and uninterrupted e-business. With its industry-leading
intrusion detection and vulnerability assessment, remote managed
security services, and strategic consulting and education offerings, ISS
is a trusted security provider to more than 9,000 customers worldwide
including 21 of the 25 largest U.S. commercial banks, the top 10 U.S.
telecommunications companies, and all major branches of the U.S. Federal
Government. Founded in 1994, ISS is headquartered in Atlanta, GA, with
additional offices throughout North America and international operations
in Asia, Australia, Europe, Latin America and the Middle East. For more
information, visit the Internet Security Systems web site at www.iss.net
or call 888-901-7477.


Copyright (c) 2002 Internet Security Systems, Inc. All rights reserved
worldwide.

Permission is hereby granted for the redistribution of this Alert
electronically. It is not to be edited in any way without express
consent of the X-Force. If you wish to reprint the whole or any part
of this Alert in any other medium excluding electronic medium, please
e-mail xforce@iss.net for permission.

Disclaimer

The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There
are NO warranties with regard to this information. In no event shall the
author be liable for any damages whatsoever arising out of or in
connection with the use or spread of this information. Any use of this
information is at the user's own risk.

X-Force PGP Key available at: sensitive.php as
well as on MIT's PGP key server and PGP.com's key server.

Please send suggestions, updates, and comments to: X-Force
xforce@iss.net of Internet Security Systems, Inc.