Full Disclosure mailing list archives
Microsoft Commerce Server, SQL Server login password weak permissions
From: Cesar <cesarc56 () yahoo com>
Date: Wed, 2 Jul 2003 11:42:23 -0700 (PDT)
Security Advisory Name: Microsoft Commerce Server, administrative SQL Server login password weak permissions
System Affected: Microsoft Commerce Server 2002 (not tested on Commerce Server 2000, but it could be vulnerable)
Severity: High
Remote exploitable: Yes
Author: Cesar Cerrudo
Date: 06/29/03
Advisory Number: CC060305

Legal Notice:

This Advisory is Copyright (c) 2003 Cesar Cerrudo. You may distribute it unmodified and for free. You may NOT modify it and distribute it, or distribute parts of it, without the author's written permission. You may NOT use it for commercial purposes (this includes including it in vulnerability databases, vulnerability scanners, any paid service, etc.) without the author's written permission. You are free to use Microsoft's details for commercial purposes.

Disclaimer:

The information in this advisory is believed to be true, though it may be false. The opinions expressed in this advisory are my own and not those of any company. The usual standard disclaimer applies, especially the fact that Cesar Cerrudo is not liable for any damages caused by direct or indirect use of the information or functionality provided by this advisory. Cesar Cerrudo bears no responsibility for the content or misuse of this advisory or any derivatives thereof.

Overview:

Microsoft Commerce Server is a comprehensive e-business platform that includes features for different users: developers, system administrators, and business managers. Commerce Server features function together seamlessly, enabling you to provide merchandising, catalog display, customer service, and order management and receipt. Microsoft Commerce Server uses Microsoft SQL Server as its backend database server. When authentication is set to SQL Server authentication, the password of an administrative SQL Server login is saved in the registry under a key with weak permissions.
Details:

During the installation process an administrative SQL Server login and the type of authentication must be set; both can also be changed after installation using Commerce Server Manager. If SQL Server authentication is selected, the login password is saved encoded in the Windows registry under the key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Commerce Server

in a binary value named:

ADMINDBPS

By default this registry key grants read permission to the Users group, so any user can read the value, decode it and obtain the password of an administrative SQL Server login. An attacker can exploit these weak permissions in the following way:

- Get the encoded password from the registry.
- Analyze the encoding algorithm and decode the password.

Or:

- Open Commerce Server Manager, open the "Properties" window and recover the password with a password revealer tool.

With the clear-text password the attacker has complete control over SQL Server, which can lead to further compromise of the operating system.

Workaround:

Use Windows Integrated Authentication to log on to SQL Server, or set ACL permissions that fit your needs on the registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Commerce Server

Vendor Fix:

Microsoft was contacted on 02/14/03 and, after a LONG time, decided that this is only exploitable locally and can be prevented by following best practices; Microsoft will only release a Knowledge Base article detailing this. However, this can be exploited remotely, for example if SQL Server, Terminal Server or Citrix is installed.

NEW SECURITY LIST!!!:

For people interested in SQL Server security, vulnerabilities, SQL injection, etc. People on this list always get related SQL Server bugs some days before the general public! Join to get the latest SQL Server vulnerabilities and threats at: sqlserversecurity-subscribe () yahoogroups com http://groups.yahoo.com/group/sqlserversecurity/
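The ACL workaround above is easy to get wrong on a live host, because the Users read right on this key is normally inherited from HKEY_LOCAL_MACHINE\SOFTWARE and cannot be removed by deleting a single ACE. The following PowerShell script is an added example, not part of the original advisory or of Commerce Server: it reports whether the ADMINDBPS value exists (without reading or decoding it), lists every broad principal that can read values under the key, and, only when run with -Fix, breaks inheritance and removes those ACEs. The list of "broad" principals and the -Fix switch are assumptions chosen for the example; adjust them to the accounts on your system.

```powershell
<#
Added example, not part of the original advisory: audit the ACL on the registry key
named in the advisory and, with -Fix, remove read access for broad principals.
It does not read or decode the ADMINDBPS value. Run from an elevated PowerShell
session on the Commerce Server host; Set-Acl on HKLM requires administrator rights.
#>
param(
    [switch]$Fix   # report only unless -Fix is given (assumption for this example)
)

$keyPath   = 'HKLM:\SOFTWARE\Microsoft\Commerce Server'   # key named in the advisory
$valueName = 'ADMINDBPS'                                    # value named in the advisory

# Principals whose read access to this key is too broad. The list is an assumption;
# extend it with any domain groups that should not be able to read the key.
$broadReaders = @(
    'BUILTIN\Users',
    'Everyone',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

if (-not (Test-Path -Path $keyPath)) {
    Write-Output "Key not found: $keyPath (Commerce Server not installed?)"
    return
}

# Is an encoded SQL Server login password stored at all?
$key = Get-Item -Path $keyPath
if ($key.GetValueNames() -contains $valueName) {
    Write-Output "$valueName is present: SQL Server authentication is configured and an encoded password is stored here."
} else {
    Write-Output "$valueName is absent: no SQL Server login password stored (Windows authentication, or not configured)."
}

# Any Allow ACE that includes QueryValues lets the principal read the value;
# both ReadKey and FullControl contain QueryValues.
$queryValues = [System.Security.AccessControl.RegistryRights]::QueryValues
$acl = Get-Acl -Path $keyPath
$offending = @($acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $broadReaders -contains $_.IdentityReference.Value -and
    ([int]($_.RegistryRights -band $queryValues)) -ne 0
})

if ($offending.Count -eq 0) {
    Write-Output "OK: no broad principal can read values under $keyPath"
    return
}

foreach ($ace in $offending) {
    Write-Output ("WEAK: {0} has {1} on {2} (inherited: {3})" -f
        $ace.IdentityReference.Value, $ace.RegistryRights, $keyPath, $ace.IsInherited)
}

if (-not $Fix) {
    Write-Output "Re-run with -Fix to remove these ACEs."
    return
}

# Inherited ACEs cannot be removed in place: stop inheriting while keeping copies of
# the inherited rules as explicit rules, save, then drop the broad readers. SYSTEM and
# Administrators keep their rules; if Commerce Server runs under a dedicated service
# account, make sure that account keeps read access to the key.
$acl.SetAccessRuleProtection($true, $true)
Set-Acl -Path $keyPath -AclObject $acl

$acl = Get-Acl -Path $keyPath
foreach ($ace in @($acl.Access)) {
    if ($ace.AccessControlType -eq 'Allow' -and $broadReaders -contains $ace.IdentityReference.Value) {
        [void]$acl.RemoveAccessRule($ace)
    }
}
Set-Acl -Path $keyPath -AclObject $acl
Write-Output "Hardened: broad read ACEs removed from $keyPath. Verify that Commerce Server still starts."
```

Run it once without -Fix to see which ACEs are inherited and which are explicit, then with -Fix. Switching to Windows Integrated Authentication remains the better fix, since it removes the stored password entirely instead of only restricting who can read it.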