SQL 7 Linked Server Passwords
Reported November 15, 1999 by Blake Coverett
SQL Server 7 introduces the ability to link servers. If the remote server is also running SQL Server 7, security credentials can be passed through in some unspecified way. If the remote server is anything else, including SQL Server 6.5, linked logins must be set up to map local logins to the login name and password to be used on the remote server. These linked logins and passwords are stored in the master..sysxlogins table. The passwords are encrypted with a new, undocumented, built-in function called encrypt() before being stored in the password attribute of this table.
The SQL Server 7 encrypt() function uses an unknown byte-wise stream cipher with a fixed key. That is trivial to break with a chosen-plaintext attack, and such an attack is always available. The sample code below lists all the server, login, password combinations in the table. Note: deducing a way to decode this algorithm required only an examination of the output for selected inputs; no reverse engineering of the algorithm itself was required. It is not strictly an XOR against some fixed set of bytes, but that is still no excuse for not using a well-known block cipher, preferably with a machine-specific key stored with the LSA secrets.
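The following is an added illustration, not the advisory's sample code and not a model of the real encrypt() routine: a constructed toy cipher stands in for any fixed-key, byte-wise scheme, and the code shows why examining the output for selected inputs is enough to build a per-position decode table (no XOR assumption needed), together with the audit check a reviewer can apply to any such storage scheme, namely that encrypting the same secret twice must not give the same bytes.

```python
# Constructed stand-in for a fixed-key byte-wise cipher. This is NOT SQL
# Server 7's encrypt(); the key and the mixing step are invented here.
FIXED_KEY = bytes.fromhex("5a17c3e8")


def toy_encrypt(plaintext: bytes) -> bytes:
    # Deliberately not a plain XOR (add a key byte, then rotate) to mirror the
    # advisory's observation; what matters is that every output byte depends
    # only on its position and the fixed key, never on a per-record salt.
    out = bytearray()
    for i, p in enumerate(plaintext):
        v = (p + FIXED_KEY[i % len(FIXED_KEY)]) & 0xFF
        out.append(((v << 3) | (v >> 5)) & 0xFF)
    return bytes(out)


def build_decode_tables(oracle, max_len: int):
    # Chosen-plaintext step: for each byte value, encrypt a run of max_len
    # copies and record ciphertext byte -> plaintext byte for every position.
    # 256 calls to the oracle yield a complete inverse table per position.
    tables = [dict() for _ in range(max_len)]
    for v in range(256):
        for pos, c in enumerate(oracle(bytes([v]) * max_len)):
            tables[pos][c] = v
    return tables


def decode(tables, ciphertext: bytes) -> bytes:
    return bytes(tables[pos][c] for pos, c in enumerate(ciphertext))


def recover_all(oracle, rows):
    # rows: constructed sysxlogins-like records, (server, login) -> stored bytes.
    tables = build_decode_tables(oracle, max(len(c) for c in rows.values()))
    return {key: decode(tables, c) for key, c in rows.items()}


def lacks_per_record_randomness(oracle) -> bool:
    # Audit check: a sound scheme salts or IVs each record, so two encryptions
    # of the same secret differ. Identical output means one table fits every row.
    probe = b"audit-probe"
    return oracle(probe) == oracle(probe)


# Constructed sample rows (not real data): the table a linked login lands in.
STORED_ROWS = {
    ("LEGACY65", "reports"): toy_encrypt(b"Rep0rts!"),
    ("ARCHIVE", "loader"): toy_encrypt(b"ld-2Z"),
}
```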
By default the master..sysxlogins table is only readable with dbo rights in master, and there is no reason to expect administrators will have relaxed these permissions. There is no obvious exposure from unprivileged accounts, but the clear text of the passwords is visible to anyone with admin privileges in the database. This is a bad thing for all the classic reasons.
Microsoft is aware of this issue, however they have released no statement as of 1pm CST on November 4, 1999.
Discovered by Blake Coverett
Posted here at NTSecurity.net on November 15, 1999