Re: ODBC Login information saved as plain text... :(

From: Deus, Attonbitus (Thor_at_HammerofGod.com)
Date: 07/23/03

  • Next message: Derek Soeder: "EEYE: Windows MIDI Decoder (QUARTZ.DLL) Heap Corruption" 
    Date: Wed, 23 Jul 2003 07:57:34 -0700
To: hanez <mailman@hanez.org>, bugtraq@securityfocus.com

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    At 01:30 AM 7/22/2003, hanez wrote:
    >(this is my second post of this mail because the first didn't
    >arrived to the list...)
    >
    >Hello All,
    >
    >i have found an interesting thing in Windows XP. When i create an
    >ODBC SYSTEM-DSN (Datasource available for all users) for accessing a
    >SQL-Server, it is saved in the Windows Registry. The Problem there
    >is, that Windows is saving the login information like username and
    >password as plain text in the registry keys and every user who has
    >access to this PC could read these entries.

    Please note that this has nothing to do with Windows XP, or Win2k,
    etc. It
    has to do with the ODBC driver you have chosen to use. See below.

    >I don't have big problems with this but i think that many developers
    >are using
    >this for building database driven applications. If these
    >applications are running on client PC's where noone should know the
    >passwords of the database server, every user could read the login
    >information in the Windows registry and then use an application like
    >MS-Access to get access to the tables stored on the server. I think
    >this is a very insecure thing! Users could get Information about the
    >structures of the tables on the database server and maybe if not
    >correct configured get write access to all tables... A horrible
    >thing i think...

    Then it is the developers fault. Using "mixed-mode" type
    applications is
    not a secure method of accessing a database. This would be no
    different
    than someone having a client-side application that made direct ADODB
    calls
    to a database and included the logon credentials in the connection
    string-
    same with .asp and so forth.

    >I have only tested this on my Windows XP workstation and one and
    >only Windows machine, so i could not test it on other versions of
    >this stupid OS. Like i'm knowing M$ it is a problem in all versions
    >of Windows. Windows simply is a big security problem...

    Not to be crass, but the "big problem" is that you have not performed
    adequate research. To be honest, this smacks of one of those BT
    posts
    specifically written to be able to say things like "stupid OS" and so
    forth. One should note that a Perl script written on Linux to access
    a SQL
    server back end would still have the creds stored in plain-text
    unless the
    developer chose to better secure it. And we won't even get into
    netmon
    sniffing of en-encrypted sessions. As far as the permissions go, of
    course
    all users can read a system DSN- IT IS A SYSTEM DSN! If the
    developer
    really cares, he can create User DSN's, which are created in the
    HKEY_USERS
    hive with restricted permissions and cloned to the HKEY_CURRENT_USER
    hive
    with admin/specific user permissions. But they don't do that. They
    create
    single user accounts and share them among all the users. Guess whose
    fault
    that is?? Yep, the DEVELOPER.

    >[HKEY_LOCAL_MACHINE\SOFTWARE\ODBC\ODBC.INI\TESTDSN]
    >
    >"Driver"="C:\\WINDOWS\\System32\\myodbc3.dll"
    >
    >"Description"="MySQL ODBC 3.51 Driver DSN"
    >
    >"Database"="test"
    >
    >"Server"="192.168.0.1"
    >
    >"User"="user_name"
    >
    >"Password"="plain_password"
    >
    >"Port"="3306"
    >
    >"Option"="3"
    >
    >"Stmt"=""
    >//end

    This is because your MySQL ODBC driver was *written to do this.*
    This is
    how MySQL *wants* the data. In contrast, if you were using MS
    SQLServer,
    and insisted on using mixed-mode authentication, where you connect up
    with
    a specific user account and created such a system DSN, even when you
    connect up and test, the reg entry only stores the following:

    "Driver = %SystemDrive%\%WinDir%\System32\sqlsrv32.dll"
    "LastUser = Dude"
    "Server = ServerName"

    When you attempt to establish a connection via the System DSN, you
    are
    prompted for your username and password- again, this is a result of
    how the
    ODBC driver was written.
    This issue has nothing to do with Windows XP being a "stupid OS."
    That
    distinction lies elsewhere.

    hth

    T

    -----BEGIN PGP SIGNATURE-----
    Version: PGP 8.0

    iQA/AwUBPx6iYohsmyD15h5gEQKnRQCgnNiN7yAjkVsjtO0x+g7dv1LFaRcAoPPc
    k8fVkya1Od+tTAZyq1//Bqtm
    =16u1
    -----END PGP SIGNATURE-----

  • Next message: Derek Soeder: "EEYE: Windows MIDI Decoder (QUARTZ.DLL) Heap Corruption"

    Relevant Pages

    • Re: help with 2000i on win2k server (sp3 on database)
      ... See Leonard's post for the config options. ... If the server is mangling itself, then ANYTHING running on the server ... that I work with will support the database AND the application. ... As for Windows vs. Linux/NetWare, I can agree, but I also see MANY ...
      (comp.databases.btrieve)
    • Re: nt4.5 to w2003
      ... keep in mind that there basically is two different things you can do to move from an NT 4 (SAM Database) domain to an Active Directory Domain. ... You can choose to upgrade the domain from NT 4 to Windows 200x Active Directory. ... The thing to keep in mind here is that you have to Upgrade an NT 4 PDC to Windows 200x. ... You could download and install Virtual Server 2005 if you needed to upgrade an NT 4 machine to Windows 200x and your real hardware either does not support NT 4, or the NT 4 hardware you have does not really support Windows 200x. ...
      (microsoft.public.windows.server.migration)
    • Re: Setting up Linked server to MsAccess
      ... At the server level I have added my windows user group ... At the database level I have added my Server login ...
      (microsoft.public.sqlserver.security)
    • Problem with Sharepoint Windows Services on Win 2003 SBS Server
      ... The other day we had a server that crashed for some unknown reason. ... "Cannot connect to the configuration database. ... I should point out at this stage that the OS is Windows 2003 Small Business ... SharePoint Services 2.0 and tried re-installing MSDE by launching ...
      (microsoft.public.windows.server.sbs)
    • Re: Database Connection/ Results not working
      ... After you have created your database connection and renamed your page to .asp, ... You can not test any thing under Windows XP Home ... that requires a MS Web server, ...
      (microsoft.public.frontpage.client)