Network Security
SQL Vulnerability Leaves Passwords In The Clear, Researchers Say
- From: Howell, Paul
- Date: Fri Sep 04 08:04:37 2009
At http://www.darkreading.com/insiderthreat/security/vulnerabilities/showArticle.jhtml?articleID=219501099&cid=RSSfeed
SQL Vulnerability Leaves Passwords In The Clear, Researchers Say
With no patch forthcoming from Microsoft, Sentrigo launches workaround
for flaw
Sep 02, 2009 | 05:02 PM
By Tim Wilson
DarkReading
A vulnerability in Microsoft SQL Server could enable any user with
administrative privileges to openly see the unencrypted passwords of all
other users, researchers said today.
Researchers at database security vendor Sentrigo say that in SQL Server
2000 or 2005, administrators can view all of the passwords used since
the server went online by reviewing its process memory. Under SQL Server
2008, the problem has been partially fixed, but an administrator with
local access and a simple debugger could still view the passwords,
Sentrigo says.
The vulnerability is most likely an insider threat because it requires
administrative privileges, says Slavik Markovich, CTO of Sentrigo.
However, it is also possible for a hacker to take advantage of the flaw
by exploiting SQL injection, he says.
The flaw may not directly affect the data in the database, since an
administrator would have access to that data already, Slavik says. But
many people reuse their passwords for other applications, and it is
possible that the vulnerability might lead to the compromise of other
users' work or personal accounts.
"Worst case, it might lead to one administrator stealing bank account
data from another administrator," Slavik says. "People are not supposed
to reuse their passwords, but it's a reality that they do."
The Sentrigo researchers found the vulnerability last September and
informed Microsoft, Slavik says. However, after nearly a year of
discussion, Microsoft has indicated that it considers the issue to be
"minor" and has no plans to issue a specific patch, he says.
"We did not agree with Microsoft's classification of this vulnerability
as a minor issue, and felt that it was in the best interest of SQL
Server users to make the vulnerability public and provide a utility to
remove the passwords from memory," Sentrigo says. "If we discovered this
information, there is a high likelihood others [who may not be as
ethical] could find it as well and abuse it."
Sentrigo feels that the vulnerability is a danger because so many users
employ the same passwords for multiple applications, and because so many
breaches are engineered by privileged users and administrators.
"Many applications are deployed with administrative privileges,"
Sentrigo observes. "Hackers using a simple SQL injection vulnerability
can now access administrative passwords, which may be used to penetrate
other systems on the network, escalating the breach. This is even worse
in the case of SQL Server 2000 and 2005, where this can be done
remotely.
"Since Microsoft doesn't have immediate plans to fix this vulnerability,
we felt that the knowledge regarding its existence -- together with a
free utility to repair it -- should be available to the public sooner
than later," Sentrigo says.
One well-known security researcher, who requested anonymity, disagrees.
"This seems like a nonissue," the researcher says. "Anyone with the
ability to read process memory would also have the ability to just hook
the authentication code and capture passwords that way. For once,
Microsoft is right to ignore it."
Sentrigo acknowledges that administrators have the authority to reset
passwords, but "there is a big difference between being able to reset a
password to either a system-generated password which the administrator
would not see (or to a password the administrator chooses) and actually
seeing a user's personal password," the researchers say. "The latter
involves much greater risk, including access to additional systems the
password may be used on, potentially enabling access to user's private
data, such as bank or brokerage accounts."
The Sentrigo fix, which the company has dubbed Passwordizer, replaces
the password data with asterisks, making it impossible for
administrators to read the passwords in memory. The utility is available
now for free and works on any version of SQL Server.
------------------------------------------------------------------------
To unsubscribe from netsec, send mail to majordomo@merit.edu
with a body consisting of the words "unsubscribe netsec" --
without the quotes. For more help, send a message to majordomo@merit.edu
with the word "help" as the body.
------------------------------------------------------------------------
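The behaviour the article describes, a cleartext credential that stays readable in the server's process memory after it has been checked, and a fix that overwrites it in place, as an added C example. This is not code from the article, from Sentrigo's Passwordizer or from SQL Server; the login handler, the session layout, the password check and the sample credentials are all constructed here for illustration. The scan over the session arena stands in for what an administrator does with a debugger or a memory dump.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define PW_MAX 64

/* Constructed model of one login handler's working memory. In a real server
 * this is ordinary process memory that anyone with a debugger or a dump can
 * read; here it is a plain struct so scanning it below is well-defined C. */
typedef struct {
    char user[32];
    char password[PW_MAX];   /* the cleartext credential received on the wire */
    int  authenticated;
} login_session;

/* Overwrite that the optimizer cannot elide. A plain memset() just before a
 * buffer is discarded is a dead store and is routinely removed; a write
 * through a volatile pointer is not. (memset_s / explicit_bzero do the same
 * where available.) */
static void secure_zero(void *p, size_t n) {
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (n--) *vp++ = 0;
}

/* Constructed stand-in for the credential check; only one account exists. */
static int verify_password(const char *user, const char *pw) {
    return strcmp(user, "alice") == 0 && strcmp(pw, "correct horse") == 0;
}

/* Leaky handler: checks the password and returns, leaving the cleartext in
 * the session. Every password ever presented, including failed attempts,
 * stays readable for as long as the session memory is not reused. */
int login_leaky(login_session *s, const char *user, const char *pw) {
    snprintf(s->user, sizeof s->user, "%s", user);
    snprintf(s->password, sizeof s->password, "%s", pw);
    s->authenticated = verify_password(s->user, s->password);
    return s->authenticated;
}

/* Scrubbed handler: same check, but the credential is overwritten as soon as
 * it has been used, so a later read of the same memory finds nothing. */
int login_scrubbed(login_session *s, const char *user, const char *pw) {
    int ok = login_leaky(s, user, pw);
    secure_zero(s->password, sizeof s->password);
    return ok;
}

/* Byte-wise search of a memory region for a string: what "reviewing process
 * memory" amounts to. Returns 1 if the needle occurs anywhere in the region. */
int memory_contains(const void *region, size_t len, const char *needle) {
    size_t n = strlen(needle);
    const unsigned char *p = region;
    if (n == 0 || len < n) return 0;
    for (size_t i = 0; i + n <= len; i++)
        if (memcmp(p + i, needle, n) == 0) return 1;
    return 0;
}

/* How many of the given passwords can still be recovered from an arena of
 * sessions, i.e. from a contiguous block of the server's memory. */
size_t recoverable_passwords(const login_session *arena, size_t nsessions,
                             const char *const *pws, size_t npws) {
    size_t found = 0;
    for (size_t i = 0; i < npws; i++)
        if (memory_contains(arena, nsessions * sizeof *arena, pws[i])) found++;
    return found;
}

/* Run two logins (one valid, one wrong) through either handler and report
 * how many of the two constructed passwords a memory scan still finds. */
size_t demo_recoverable(int scrub) {
    static const char *const pws[2] = {"correct horse", "hunter2"};  /* constructed */
    login_session arena[2];
    memset(arena, 0, sizeof arena);
    if (scrub) {
        login_scrubbed(&arena[0], "alice", pws[0]);
        login_scrubbed(&arena[1], "bob",   pws[1]);
    } else {
        login_leaky(&arena[0], "alice", pws[0]);
        login_leaky(&arena[1], "bob",   pws[1]);
    }
    return recoverable_passwords(arena, 2, pws, 2);
}

/* The scrub must not break authentication: alice still logs in. */
int demo_auth(int scrub) {
    login_session s;
    memset(&s, 0, sizeof s);
    return scrub ? login_scrubbed(&s, "alice", "correct horse")
                 : login_leaky(&s, "alice", "correct horse");
}

int main(void) {
    printf("leaky handler:    %zu of 2 passwords readable from memory\n", demo_recoverable(0));
    printf("scrubbed handler: %zu of 2 passwords readable from memory\n", demo_recoverable(1));
    return 0;
}
```

Two points the scan makes visible: the failed login for "bob" leaves its password in memory just as the successful one does, which is why the article talks about every password used since the server came up rather than only valid ones; and overwriting the buffer is only a fix if the compiler actually emits the store, hence the volatile write rather than a bare memset. Scrubbing the handler's own copy does not help if the credential was also copied into a network buffer, a log line or a crash dump, so the same discipline applies at every place the cleartext lands.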