Thursday, 5 July 2007

Is SourceSafe "Safe"?

For some random reason, which I can't think of right now, I decided it would be fun to see how secure SourceSafe was, and whether access could be gained to the repository without a password. I am using Visual SourceSafe 6.0a (Build 8987) for this article.

To start with, I thought it would be useful to have a look at the SourceSafe Administration Tool, SSADMIN.EXE, and see if I could gain administrative access to it without having a password.

First of all, I load OllyDBG and open and run the SSADMIN.EXE application.

Finding the code that I was interested in was fairly straight forward:

  1. Entered a garbage password
  2. Clicked "OK" to attempt to log into the tool
  3. Saw the "Invalid password" dialogue screen
  4. Paused execution in OllyDBG
  5. Started debug in "Execute until user code" mode
  6. Went back to the tool and clicked "OK" on the dialog screen
  7. Breakpoint triggered in OllyDBG

It was then a simple case of setting a few breakpoints in different locations and attempting the login procedure a few times.

Eventually I managed to track down the procedure call to SSAPI where the password I had entered was coded and compared to the stored administrator password (which was coded).

I found the following code:

3DCE5 PUSH EAX
3DcE6 CALL SSAPI.3E6D0
3DCEB ADD ESP, 4
3DCEE CMP WORD PTR SS:[ESP+78], AX
3DCF3 JE SHORT SSAPI.3DD16

The call to a proc at 3DC36 seemed to be where the password was coded, which has been pushed onto the stack from EAX.
Stepping over the proc call causes EAX (or specifically AX) to have been changed, in this case to 0x6A10 (which seems to be the coded password).
At 3DCEE there is then a comparison between ESP+78 (which contains the value 0x6DAF) and AX (which now contains 0x6A10). These are definitely not equal, of course, so the JE at 3DCF3 is not taken and the result is that the "Invalid Password" dialog is displayed.

So, what will happen if which force the JE at 3DCF3 to be taken - surely this wouldn't be enough for the user to be allowed administrative access to the tool...?

Setting a breakpoint at 3DCF3, I re-enter the wrong password and am taken back to OllyDBG where the breakpoint has triggered, and again the jump will not be taken, which is quickly rectified by modifying the Z register to on (1), and now the jump will be taken.

I continue running the program, and now have full access to the tool!

So it turns out that gaining access to the SourceSafe Administration tool wasn't that difficult after all. The code portion in SSAPI is also used by SourceSafe itself too, so I can gain access to the repository using the same method.

Now all that remains is to decide whether to write an in-memory patcher for SSAPI or whether to permanently patch the SSAPI.dll...

2 comments:

Anonymous said...

Thank you for this documentation about VSS6.0. It's actually very interesting, how easy you gain access to the SourceSafe admin panel.

Did you ever try this (and all the other SourceSafe projects like encrypting/decrypting passwords) on the newest SourceSafe 2005?

I tried to use your tool on my SourceSafe 2005, and it didn't work.

It would be very helpful for me and for other companies, so we can avoid SourceSafe, and use something different.

Thank you very much for your blogs.

Best Regards,
Anonymous

Memia said...

Thanks for your comments on the article.

I've tried the tool against all versions of SourceSafe that I have, but that doesn't include 2005 - just up to version 6.0d.

At some point (when I get some time) I will attempt to see what I can do with the newest versions of SourceSafe. In the meantime, you are welcome to my source code if you would like to take the work further yourself - just drop me a mail (contact details at the bottom of the screen).