From: cesarc56 at yahoo.com (Cesar)
Subject: Microsoft Commerce Server, SQL Server login password weak permissions

Security Advisory

Name:  Microsoft Commerce Server, administrative SQL
Server login password weak permissions.
System Affected :  Microsoft Commerce Server 2002 (not
tested in Commerce Server 2000 but it could be
vulnerable)
Severity :  High 
Remote exploitable : Yes
Author:    Cesar Cerrudo.
Date:    06/29/03
Advisory Number:    CC060305


Legal Notice:

This Advisory is Copyright (c) 2003 Cesar Cerrudo.
You may distribute it unmodified and for free. You may
NOT modify it and distribute it or distribute 
parts of it without the author's written permission.
You may NOT use it for commercial intentions (this
means include it in vulnerabilities databases,
vulnerabilities scanners, any paid service, etc.)
without the author's written permission. You are free
to use Microsoft details for commercial intentions.


Disclaimer:

The information in this advisory is believed to be
true though it may be false. The opinions expressed in
this advisory are my own and not of any company. The
usual standard disclaimer applies, especially the fact
that Cesar Cerrudo is not liable for any damages
caused by direct or indirect use of the information or
functionality provided by this advisory. Cesar Cerrudo
bears no responsibility for content or misuse of this
advisory or any derivatives thereof.


Overview:

Microsoft Commerce Server is a comprehensive
e-business platform that includes features for
different users: developers, system administrators,
and business managers. Commerce Server features
function together seamlessly, enabling you to provide
merchandising, catalog display, customer service, and
order management and receipt.
Microsoft Commerce Server uses Microsoft SQL Server as
a backend database server, a SQL Server login password
is saved in registry with weak permissions when
authentication is set to SQL Server authentication.


Details:

During installation process an administrative SQL
Server login and the type of authentication must be
set, also this can be set after installation using
Commerce Server Manager. If SQL Server authentication
is selected the login password is saved encoded in
Windows registry under the key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Commerce Server

in a binary value named:

ADMINDBPS

The registry key has read permissions to users group
by default, users can read the value, decode it and
get an administrative SQL Server login password.


These weak permissions can be exploited by an attacker
in the next way:

-Get the encoded password from registry.
-Analyze the encoding algoritm and decode the
password.
Or
-Open Commerce Server Manager,
 then open "Properties" window and get the password
with password revealer tool.

After getting the clear text password the attacker can
take complete control over SQL Server and it could
lead to further OS compromise.


Workaround:

Use Windows Integrated Authentication to log on SQL
Server.
 or
Set proper ACL permissions that fit your needs on
registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Commerce Server


Vendor Fix:

Microsoft was contacted on 02/14/03 and after a LONG
time Microsoft decided that this can only be
exploitable locally and it can be prevented following
best prectices, Microsoft only will release a
Knowledge Base Article detailing this.
However this can be exploited remotely for example if
SQL Server, Terminal Server or Citrix are installed.


NEW SECURITY LIST!!!: For people interested in SQL
Server security, vulnerabilities, SQL injection, etc.
People on this list always get related SQL Server bugs
some days before general public!.
Join to get the latest SQL Server
vulnerabilities,threats at:
sqlserversecurity-subscribe@...oogroups.com
http://groups.yahoo.com/group/sqlserversecurity/












__________________________________
Do you Yahoo!?
SBC Yahoo! DSL - Now only $29.95 per month!
http://sbc.yahoo.com

Powered by blists - more mailing lists