[NT] Hacking Sybase/MS-SQL for the NT Administrator

From: support@securiteam.com
Date: 05/14/02


From: support@securiteam.com
To: list@securiteam.com
Date: Tue, 14 May 2002 08:29:11 +0200 (CEST)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  Hacking Sybase/MS-SQL for the NT Administrator
------------------------------------------------------------------------

SUMMARY

The following is a short explanation of how to "hack" into a Sybase/MS-SQL
database without having the SA password (note that we do have
administrator access on the machine, but not on the database).

DETAILS

The following explains how to get into a Sybase database on a system
where we already have fully authorized Administrator access.

Like Microsoft's SQL server, Sybase permits three modes of authentication:

 * Standard security mode is where Sybase maintains its own user database
-- with login names, passwords, and access rights -- and is probably the
default. In this mode, the NT user accessing the server is never
considered, so being an NT Administrator does not give you any special
access.

 * Integrated security mode means that authenticated NT logons map to
Sybase logons, so once you've passed the NT domain logon process, that
credential gets you into the Sybase door as well. The mapping is not
automatic: the DB administrator has to set up the NT -> Sybase user
mappings explicitly and then grant rights to those mapped users. Its main
benefit seems to be elimination of a separate database login step.

 * Mixed security is a hybrid of the previous two.

In "Integrated" security mode, there is also a method of translating
otherwise unknown authentication attempts into a specific database user.
Not all NT users necessarily map to a valid Sybase user, so the
"DefaultLogon" is used to map unrecognized NT users into a single Sybase
user. This could be used to provide a kind of generic "guest" access, and
we believe that this is disabled by default.

We went into the registry under
  HKEY_LOCAL_MACHINE\SOFTWARE\SYBASE\Server\server_name

where "server_name" is the name of the database server in question. A
machine can run more than one database, and each is administered
separately (they even have different NT services to manage).

If we set LoginMode to "1" and DefaultLogin to "sa" in that key and
restart the associated NT service, we can run Sybase SQL Central and
connect while running as an otherwise unknown NT user, and we will be
mapped to the "sa" account. This means that we are now an administrator
of the database.
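
A defensive check for the configuration described above, added here as an example and not part of the original advisory: it parses a `reg export` dump of the Sybase server keys and flags any server whose LoginMode is "1" with a default login set. The sample export, the server names and the privileged-login list are constructed; both spellings of the default-login value used in this advisory are checked.

```python
import re

BASE = r"HKEY_LOCAL_MACHINE\SOFTWARE\SYBASE\Server" + "\\"
# The advisory spells the value both "DefaultLogon" and "DefaultLogin"; check both.
DEFAULT_NAMES = ("defaultlogin", "defaultlogon")

def parse_reg_export(text):
    """Parse .reg text into {key_path: {lowercased_value_name: value_string}}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
            continue
        m = re.match(r'"([^"]+)"=(.*)$', line)
        if m and current is not None:
            val = m.group(2)
            # Normalise REG_DWORD ("dword:00000001") and REG_SZ ("1") to one form.
            val = str(int(val[6:], 16)) if val.startswith("dword:") else val.strip('"')
            current[m.group(1).lower()] = val
    return keys

def audit(text, privileged=("sa",)):
    """Return (server, severity, default_login) for each risky server key."""
    findings = []
    for path, values in parse_reg_export(text).items():
        if not path.upper().startswith(BASE.upper()):
            continue
        server = path[len(BASE):]
        default = next((values[n] for n in DEFAULT_NAMES if values.get(n)), "")
        if values.get("loginmode") != "1" or not default:
            continue  # not the mode the advisory sets, or no default login mapping
        severity = "CRITICAL" if default.lower() in privileged else "REVIEW"
        findings.append((server, severity, default))
    return findings

# Constructed sample export (server names are hypothetical).
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\SYBASE\Server\PAYROLL_DB]
"LoginMode"=dword:00000001
"DefaultLogin"="sa"

[HKEY_LOCAL_MACHINE\SOFTWARE\SYBASE\Server\TEST_DB]
"LoginMode"="0"
"DefaultLogin"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\SYBASE\Server\REPORTS_DB]
"LoginMode"="1"
"DefaultLogon"="guest"
'''
```

Because an NT Administrator can always write these values, the check is useful as a recurring comparison against a known-good baseline, alongside auditing of writes to the key.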

ADDITIONAL INFORMATION

The information has been provided by Stephen J. Friedl
<steve@unixwiz.net>.
