J-Security Center

Title: NT SQL Server Password Vulnerability

Severity: MODERATE

Description:

SQL Server creates an account named SQLExecutiveCmdExec during its installation. This account is created with very limited rights on the machine, and is used by the SQLServer and SQLExecutive services to execute commands submitted to xp_cmdshell by users other than sa (if so configured).

The problem is that SQL Server stores the password for this account in an unprotected section of the registry. Under the key HKLM\SOFTWARE\Microsoft\MSSqlServer\SQLExecutive, there is a value of type REG_BINARY named CmdExecAccount. The data for this value is the password for the SQLExecutiveCmdExec account, encrypted using the PKZip encryption algorithm and a fixed key. It is possible to write a program which decrypts these passwords instantly.

The risk here is probably not too great. The SQLExecutiveCmdExec account is, by design, extremely limited in rights. SQL Server is normally installed on servers; ordinary users won't be able to access the registry remotely, nor log in to the server to access it locally. It's probably the case that it requires more rights to obtain the password than the password would give you. Nevertheless, this is bad practice, and people ought to be aware of it.

Also, if you register a server under SQL Enterprise Manager, whatever login and password you register is stored in the registry. Typically a DBA will register using the 'sa' login, so that also puts the 'sa' password in the registry. To view the login and password, go to HKCU\SOFTWARE\MICROSOFT\MSSQLSERVER\SQLEW\Registered Servers\SQL 6.5, select the target server, choose the 'View->Display Binary Data' menu item, select the 'Byte Format' radio button, and scroll down through the 'Data:' list box; the login and password are visible there (no programming is required).
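An audit check for the two registry locations described above, run offline against a .reg export (for example one produced with `regedit /e`): it flags the CmdExecAccount value under the SQLExecutive key and any value stored under a SQLEW Registered Servers key. This is an added example, not part of the original advisory or of Microsoft's tooling; the sample export, the server name PRODSQL1, the value name ServerInfo and all hex bytes are constructed placeholders.

```python
import re

# Constructed .reg export resembling one taken from an affected SQL Server 6.5
# host. Key paths follow the advisory; PRODSQL1, ServerInfo and the hex bytes
# are placeholders, not real data.
SAMPLE_REG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSSqlServer\SQLExecutive]
"CmdExecAccount"=hex:1a,2b,3c,4d,5e,6f,70,81,\
  92,a3,b4,c5
"ErrorLogFile"="C:\\MSSQL\\LOG\\SQLEXEC.OUT"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\MSSQLSERVER\SQLEW\Registered Servers\SQL 6.5\PRODSQL1]
"ServerInfo"=hex:73,61,00,70,61,73,73,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSSqlServer\MSSqlServer]
"DefaultLogin"="guest"
"""

CMDEXEC_KEY = r"hkey_local_machine\software\microsoft\mssqlserver\sqlexecutive"
REGISTERED_SERVERS = "\\sqlew\\registered servers\\"
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')


def parse_reg(reg_text):
    """Yield (key, value_name) for every value in a .reg export.
    Lines ending in a backslash are continuation lines and are joined first."""
    key, pending = None, ""
    for raw in reg_text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line.startswith("REGEDIT") or line.startswith("Windows Registry Editor"):
            continue
        if line.endswith("\\"):          # hex data continues on the next line
            pending = line[:-1]
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            yield key, (m.group(1) if m.group(1) is not None else "@")


def find_stored_credentials(reg_text):
    """Return (key, value, reason) for each credential-bearing value found."""
    findings = []
    for key, name in parse_reg(reg_text):
        k = key.lower()
        if k == CMDEXEC_KEY and name.lower() == "cmdexecaccount":
            findings.append((key, name, "SQLExecutiveCmdExec password (fixed-key PKZip encryption)"))
        elif REGISTERED_SERVERS in k:
            findings.append((key, name, "SQL Enterprise Manager registered-server login data"))
    return findings


if __name__ == "__main__":
    for key, name, reason in find_stored_credentials(SAMPLE_REG):
        print(f"{reason}: {key}\\{name}")
```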

Affected Products:

  • Microsoft SQL Server 6.5

Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.