Bugtraq mailing list archives
Fw: Steal Passwords Using SQL Server EM
From: mdrury () ADS-CORP COM (Martin Drury)
Date: Tue, 30 May 2000 12:17:50 -0400
Martin Drury mdrury () ads-corp com ----- Original Message ----- From: Gary Hottinger To: Martin Drury Sent: Tuesday, May 30, 2000 12:14 PM Subject: Re: Steal Passwords Using SQL Server EM Martin: I have checked this out as a test and it is as this guy says. A real hole! One way to avoid it is to put a password on the package when its created; this way only the owner who created the package can see the properties tab. Users can be given a password to load and execute but can't see the properties tab. But by default no passwords are created and the package is open for all to see. Very Interesting. Thanks, Gary ----- Original Message ----- From: Martin Drury To: ghottinger () ads-corp com Sent: Tuesday, May 30, 2000 8:58 AM Subject: Fw: Steal Passwords Using SQL Server EM Gary, I thought you might find this useful. Martin Drury mdrury () ads-corp com ----- Original Message ----- From: Justin Gunther To: BUGTRAQ () SECURITYFOCUS COM Sent: Friday, May 26, 2000 12:23 AM Subject: Steal Passwords Using SQL Server EM If you have access to a SQL Server database, as a normal user, you have the ability to view others passwords who have created a DTS package. Scenario: a.. Log into the SQL Server b.. Expand 'Data Transformation Services' c.. Click on 'Local Packages' d.. Right click on any package, and choose 'Design Package' e.. Rigth click on a connection object, and choose 'Properties' f.. A dialog will come up with text boxes containing the username and password. The password will be marked with asterisks. Run Revelation (http://www.snadboy.com), a program which will allow you to view the password g.. You now have this users username and password, you can access their database through enterprise manager or query analyzer, and if their user name and password is the same, their ftp account. At this time, I do not have access to an SQL Server as admin, so i cannot tell you whether the admins of sql server have left this open, or the user who created the DTS package is at fault. However, the current provider of my hosting, who has 50+ databases, and 15 of which have created a DTS package, making their databases accessible by this method.
Current thread:
- Steal Passwords Using SQL Server EM Justin Gunther (May 25)
- <Possible follow-ups>
- Re: Steal Passwords Using SQL Server EM Russ (May 30)
- Fw: Steal Passwords Using SQL Server EM Martin Drury (May 30)