NT SQL Server Password Vulnerability

SQL Server creates an account named SQLExecutiveCmdExec during its installaion. This account is created with very limited rights on the machine, and is used by the SQLServer and SQLExecutive services to execute commands submitted to xp_cmdshell by users other than sa (if so configured).

The problem is that SQL Server stores the password for this account in an unprotected section of the registry. Under the key HKLM\SOFTWARE\Microsoft\MSSqlServer\SQLExecutive, there is a value of type REG_BINARY named CmdExecAccount. The data for this value is the password for the SQLExecutiveCmdExec account, encrypted using the PKZip encryption algorithm and a fixed key. It is possible to write a program which decrypts these passwords instantly.

The risk here is probably not too great. The SQLExecutiveCmdExec account is, by design, extremely limited in rights. SQL Server is normally installed on servers; ordinary users won't be able to access the registry remotely, nor log in to the server to access it locally. It's probably the case that it requires more rights to obtain the password than the password would give you. Nevertheless, this is bad practice, and people ought to be aware of it.

Also, if you register a server under SQL Enterprise Manager then whatever login and password you register is stored in the registry. Typically a DBA will register using the 'sa' login, so that also puts the 'sa' password in the registry. To view the login and password go to HKCU/SOFTWARE/MICROSOFT/MSSQLSERVER/SQLEW/Registered Servers/SQL 6.5, then select the target server, choose the 'View->Display Binary Data' menu item, select the 'Byte Format' radio button, and scroll down through the 'Data:' list box and you will see the login and password (no programming is required).


Privacy Statement
Copyright 2010, SecurityFocus