[15124] in bugtraq
Fw: Steal Passwords Using SQL Server EM
daemon@ATHENA.MIT.EDU (Martin Drury)
Wed May 31 23:07:07 2000
Message-Id: <002201bfca52$9ce75ac0$78779dd0@adscorp.com>
Date: Tue, 30 May 2000 12:17:50 -0400
Reply-To: Martin Drury <mdrury@ADS-CORP.COM>
From: Martin Drury <mdrury@ADS-CORP.COM>
X-To: BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM
Martin Drury
mdrury@ads-corp.com
----- Original Message -----
From: Gary Hottinger
To: Martin Drury
Sent: Tuesday, May 30, 2000 12:14 PM
Subject: Re: Steal Passwords Using SQL Server EM
Martin:
I have checked this out as a test and it is as this guy says. A real
hole! One way to avoid it is to put a password on the package when it's
created; this way only the owner who created the package can see the
properties tab. Users can be given a password to load and execute but
can't see the properties tab.
But by default no passwords are created and the package is open for all
to see.
Very Interesting.
Thanks,
Gary
----- Original Message -----
From: Martin Drury
To: ghottinger@ads-corp.com
Sent: Tuesday, May 30, 2000 8:58 AM
Subject: Fw: Steal Passwords Using SQL Server EM
Gary,
I thought you might find this useful.
Martin Drury
mdrury@ads-corp.com
----- Original Message -----
From: Justin Gunther
To: BUGTRAQ@SECURITYFOCUS.COM
Sent: Friday, May 26, 2000 12:23 AM
Subject: Steal Passwords Using SQL Server EM
If you have access to a SQL Server database, as a normal user, you
have the ability to view others' passwords who have created a DTS
package.
Scenario:
a. Log into the SQL Server
b. Expand 'Data Transformation Services'
c. Click on 'Local Packages'
d. Right click on any package, and choose 'Design Package'
e. Right click on a connection object, and choose 'Properties'
f. A dialog will come up with text boxes containing the username
and password. The password will be marked with asterisks. Run
Revelation (http://www.snadboy.com), a program which will allow you to
view the password
g. You now have this user's username and password, you can access
their database through enterprise manager or query analyzer, and if
their user name and password is the same, their ftp account.
At this time, I do not have access to an SQL Server as admin, so I
cannot tell you whether the admins of sql server have left this open, or
the user who created the DTS package is at fault. However, the current
provider of my hosting, who has 50+ databases, and 15 of which have
created a DTS package, making their databases accessible by this method.