Windows Management and Scripting

A wealth of tutorials on Windows operating systems, SQL Server and Azure


SQL Vulnerability Leaves Passwords In The Clear

Posted by Alin D on May 19, 2011

A vulnerability in Microsoft SQL Server could enable any user with administrative privileges to openly see the unencrypted passwords of all other users, researchers said today.

In SQL Server 2000 or 2005, administrators can view all of the passwords used since the server went online by reviewing its process memory. Under SQL Server 2008, the problem has been partially fixed, but an administrator with local access and a simple debugger could still view the passwords.

The vulnerability is most likely an insider threat because it requires administrative privileges. However, it is also possible for an attacker to take advantage of the flaw by exploiting SQL injection.

The flaw may not directly affect the data in the database, since an administrator would have access to that data already. But many people reuse their passwords for other applications, and it is possible that the vulnerability might lead to the compromise of other users’ work or personal accounts.

Many applications are deployed with administrative privileges.

Hackers using a simple SQL injection vulnerability can now access administrative passwords, which may be used to penetrate other systems on the network, escalating the breach. This is even worse in the case of SQL Server 2000 and 2005, where this can be done remotely.
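The two risk factors the post names are applications running with sysadmin rights and SQL-authenticated logins whose passwords are the ones that can surface in process memory. The following T-SQL audit query is an added example, not part of the original post, and assumes SQL Server 2005 or later (it relies on the sys.server_principals and sys.server_role_members catalog views, which SQL Server 2000 does not have). It lists every member of the sysadmin role and flags the password-based logins so they can be reviewed for least privilege or moved to Windows authentication.

```sql
-- Added audit query (not from the post). Lists every login holding the
-- sysadmin role and flags SQL-authenticated logins, whose passwords are the
-- ones at risk of being read from process memory. Assumes SQL Server 2005+;
-- on SQL Server 2000 the equivalent information lives in master..syslogins.
SELECT
    SERVERPROPERTY('ProductVersion') AS product_version, -- confirm which build you are auditing
    p.name                           AS login_name,
    p.type_desc                      AS login_type,      -- SQL_LOGIN, WINDOWS_LOGIN, WINDOWS_GROUP ...
    p.is_disabled                    AS is_disabled,
    CASE
        WHEN p.type_desc = 'SQL_LOGIN' THEN 'password-based login with sysadmin: review'
        ELSE 'Windows authentication: no SQL password to expose'
    END                              AS note
FROM sys.server_role_members AS rm
JOIN sys.server_principals   AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals   AS p ON p.principal_id = rm.member_principal_id
WHERE r.name = 'sysadmin'
ORDER BY p.type_desc, p.name;

-- Remediation for an application login that does not need server-wide rights
-- (placeholder name; grant the database-level role it actually needs instead).
-- EXEC sp_dropsrvrolemember 'app_login_placeholder', 'sysadmin';
```

Run the query as a sysadmin on each instance; any SQL_LOGIN row that belongs to an application or service account is a candidate for the remediation line, and the Windows-authenticated rows are the pattern to move toward, since no SQL password is handled for them at all.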

One well-known security researcher, who requested anonymity, disagrees. “This seems like a nonissue,” the researcher says. “Anyone with the ability to read process memory would also have the ability to just hook the authentication code and capture passwords that way. For once, Microsoft is right to ignore it.”

There is a big difference between being able to reset a password, either to a system-generated password which the administrator would not see or to a password the administrator chooses, and actually seeing a user’s personal password. The latter involves much greater risk, including access to additional systems the password may be used on, potentially enabling access to users’ private data, such as bank or brokerage accounts.
