RE: New Paper: Microsoft SQL Server Passwords

From: Toni Lassila (toni.lassila@mc-europe.com)
Date: Mon Jul 08 2002 - 22:54:36 PDT


    > -----Original Message-----
    > From: NGSSoftware Insight Security Research 
    > [mailto:nisrat_private]
    > Sent: Monday, July 08, 2002 17:33
    > To: bugtraqat_private
    > Subject: New Paper: Microsoft SQL Server Passwords
    > 
    > 
    > Hi all, I've written a paper on how users' passwords, or
    > rather their hashes, are stored in Microsoft's SQL Server. 
    > The paper discusses the manner in which they are hashed and 
    > how they can be more easily brute forced as two hashes
    > are stored: a case sensitive password hash and an upper case 
    > password hash are produced. Needless to say, when auditing 
    > password strength, it is far easier to go after the UPPER cased
    > version.
    
    An added weakness that has not been widely noted:
    
    If you select a case-insensitive collation for your SQL Server
    installation, the user accounts and passwords will be case
    insensitive as well. This means there is a good chance any
    given SQL Server will have very weak passwords.
    
    You can verify if you are operating with case-insensitive
    passwords by running this query:
    
    Select SERVERPROPERTY(N'Collation')
    
    If the name of the collation setting contains 'CI' instead
    of 'CS', all your SQL login passwords are case-insensitive.
    To remedy this is not a simple task, though. I quote from BOL:
    
    
    "After a collation has been assigned to any object other
    than a column or database, you cannot change the collation
    except by dropping and re-creating the object. This can be
    a complex operation. To change the default collation for an
    instance of Microsoft® SQL Server(tm) 2000 you must: 
    
    Make sure you have all of the information or scripts needed
    to re-create your user databases and all of the objects in them.
    
    Export all of your data using a tool such as bulk copy.
    
    Drop all of the user databases.
    
    Rebuild the master database specifying the new collation.
    
    Create all of the databases and all of the objects in them.
    
    Import all of your data."
    
    
    > this. (With a Windows account people have access to other 
    > operating system services as well as SQL Server, but with just
    > an SQL login they should only be able to access the SQL
    > Services. The latter is the 'more safe' option in the author's
    > opinion)
    
    With this I simply disagree.
    
    -- 
    Toni Lassila        toni.lassila@mc-europe.com
    Operations Engineer           +358 9 5655 1882
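
The collation check described in the post above, worked into a small audit helper. This is an added example, not code from the original post: it assumes collation names follow SQL Server's underscore-separated token convention (`_CI_`/`_CS_` for case sensitivity) and, going one step beyond the post, treats binary (`BIN`/`BIN2`) collations as case-sensitive since they compare code points. Instance names and collation values below are constructed sample data standing in for the output of the post's query.

```python
"""Decide whether a SQL Server instance's server collation makes
SQL login passwords case-insensitive, from the value returned by
SELECT SERVERPROPERTY(N'Collation')."""

# Query quoted from the post; run it on each instance and feed the
# returned collation name to classify_collation().
COLLATION_QUERY = "SELECT SERVERPROPERTY(N'Collation')"

# Constructed sample results (assumed instance names and collations),
# so the audit runs offline.
SAMPLE_RESULTS = {
    "prod-sql-01": "SQL_Latin1_General_CP1_CI_AS",
    "prod-sql-02": "Latin1_General_CS_AS",
    "legacy-sql": "Latin1_General_BIN",
    "finnish-sql": "Finnish_Swedish_CI_AI",
}


def classify_collation(name):
    """Return (case_sensitive, reason) for a collation name.

    Names are underscore-separated tokens: a 'CS' token means
    case-sensitive, 'CI' case-insensitive. Binary collations (BIN/BIN2)
    compare raw code points and are therefore case-sensitive as well.
    Matching whole tokens avoids false hits on substrings such as
    'CI' inside other parts of the name.
    """
    tokens = name.upper().split("_")
    if "BIN" in tokens or "BIN2" in tokens:
        return True, "binary collation"
    if "CS" in tokens:
        return True, "CS token"
    if "CI" in tokens:
        return False, "CI token"
    raise ValueError("unrecognised collation name: %r" % name)


def audit(results):
    """Return sorted instance names whose server collation gives
    case-insensitive SQL login passwords (the weakness in the post)."""
    weak = []
    for instance, collation in results.items():
        case_sensitive, _reason = classify_collation(collation)
        if not case_sensitive:
            weak.append(instance)
    return sorted(weak)


if __name__ == "__main__":
    for inst in audit(SAMPLE_RESULTS):
        print("%s: %s -> SQL login passwords are case-insensitive"
              % (inst, SAMPLE_RESULTS[inst]))
```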
    



    This archive was generated by hypermail 2b30 : Tue Jul 09 2002 - 15:24:16 PDT