Bugtraq mailing list archives

Fw: Steal Passwords Using SQL Server EM

From: mdrury () ADS-CORP COM (Martin Drury)
Date: Tue, 30 May 2000 12:17:50 -0400


Martin Drury
mdrury () ads-corp com
----- Original Message ----- 
From: Gary Hottinger 
To: Martin Drury 
Sent: Tuesday, May 30, 2000 12:14 PM
Subject: Re: Steal Passwords Using SQL Server EM

Martin:

I have checked this out as a test and it is as this guy says.  A real hole!  One way to avoid it is to put a password 
on the package when its created; this way only the owner who created the package can see the properties tab.  Users can 
be given a password to load and execute but can't see the properties tab.

But by default no passwords are created and the package is open for all to see.

Very Interesting.

Thanks,
Gary
  ----- Original Message ----- 
  From: Martin Drury 
  To: ghottinger () ads-corp com 
  Sent: Tuesday, May 30, 2000 8:58 AM
  Subject: Fw: Steal Passwords Using SQL Server EM

  Gary,
      I thought you might find this useful.
  Martin Drury
  mdrury () ads-corp com
  ----- Original Message ----- 
  From: Justin Gunther 
  To: BUGTRAQ () SECURITYFOCUS COM 
  Sent: Friday, May 26, 2000 12:23 AM
  Subject: Steal Passwords Using SQL Server EM

  If you have access to a SQL Server database, as a normal user, you have the ability to view others passwords who have 
created a DTS package.  

  Scenario:  
    a.. Log into the SQL Server 
    b.. Expand 'Data Transformation Services' 
    c.. Click on 'Local Packages' 
    d.. Right click on any package, and choose 'Design Package' 
    e.. Rigth click on a connection object, and choose 'Properties' 
    f.. A dialog will come up with text boxes containing the username and password. The password will be marked with 
asterisks.  Run Revelation (http://www.snadboy.com), a program which will allow you to view the password 
    g.. You now have this users username and password, you can access their database through enterprise manager or 
query analyzer, and if their user name and password is the same, their ftp account.
  At this time, I do not have access to an SQL Server as admin, so i cannot tell you whether the admins of sql server 
have left this open, or the user who created the DTS package is at fault.  However, the current provider of my hosting, 
who has 50+ databases, and 15 of which have created a DTS package, making their databases accessible by this method.

Current thread:

Steal Passwords Using SQL Server EM Justin Gunther (May 25)
- <Possible follow-ups>
- Re: Steal Passwords Using SQL Server EM Russ (May 30)
- Fw: Steal Passwords Using SQL Server EM Martin Drury (May 30)