[15107] in bugtraq
Steal Passwords Using SQL Server EM
daemon@ATHENA.MIT.EDU (Justin Gunther)
Mon May 29 18:06:30 2000
Message-Id: <002101bfc6ca$2b9bfdc0$b09eb2d1@gunny>
Date: Thu, 25 May 2000 21:23:36 -0700
Reply-To: Justin Gunther <jmgunther@EARTHLINK.NET>
From: Justin Gunther <jmgunther@EARTHLINK.NET>
X-To: bugtraq@securityfocus.com
To: BUGTRAQ@SECURITYFOCUS.COM

If you have access to a SQL Server database as a normal user, you have the ability to view the passwords of others who have created a DTS package.

Scenario:

a. Log into the SQL Server
b. Expand 'Data Transformation Services'
c. Click on 'Local Packages'
d. Right click on any package, and choose 'Design Package'
e. Right click on a connection object, and choose 'Properties'
f. A dialog will come up with text boxes containing the username and password. The password will be marked with asterisks. Run Revelation (http://www.snadboy.com), a program which will allow you to view the password
g. You now have this user's username and password; you can access their database through Enterprise Manager or Query Analyzer, and if their user name and password are the same, their FTP account.

At this time, I do not have access to a SQL Server as admin, so I cannot tell you whether the admins of SQL Server have left this open, or the user who created the DTS package is at fault. However, my current hosting provider has 50+ databases, 15 of which have created a DTS package, making their databases accessible by this method.