SQL 7 Weak Password Protection
Reported March 15, 2000 by
ISS
VERSIONS EFFECTED
  • Microsoft SQL Server 7.0

DESCRIPTION

Internet Security Systems (ISS) reported a problem with SQL Server 7.0 where the software weakly protects passwords under certain conditions.

According to the report, "when registering a new SQL Server in the Enterprise Manager or editing the SQL Server registration properties, the login name that will be used by the Enterprise Manager for the connection must be specified. If a SQL Server login name is used instead of a Widows Domain user name and the "Always prompt for login name and password" checkbox is not set, the login ID and password are weakly encrypted and stored in the registry."

In addition, when a database administrator logs onto  a workstation with the use of a roaming profile that user"s password is stored in a file called NTUSER.DAT (on NT) or USER.DAT (on Win9x.) The files can be viewed with a text editor where the encrypted passwords can be obtained and cracked.

According to ISS, "The encryption scheme used is an alphabetic substitution where each Unicode character in the password is XOR"ed with a two byte value according to its position in the string. If the "Always prompt for login name and password" checkbox is not set when registering a SQL Server, the login ID and password is weakly encrypted and stored in the following registry key:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\MSSQLServer\
SQLEW\Registered Server X

VENDOR RESPONSE

Microsoft recommends the use of Windows Integrated Security in conjunction with SQL Server. Under that form of security, passwords are not stored and thus cannot be easily obtained in files or the registry in the manner mentioned above.

In addition, it is wise to have any application always prompt for a password, as opposed to allowing the system to store that information for ease of use. In most cases that concern passwords, ease of use equates to ease of penetration.

CREDITS
Discovered by ISS