If I tell you that Microsoft's SourceSafe application is not secure, most of you will say "duh," expecting any application that comes out of the Redmond giant to be insecure. But what you may not know is just how insecure it really is.

It's bad. Trust me on this. It's so bad that whatever algorithm they are using to hide the administrator password allows for multiple passwords to work correctly. If your password is "passw0rd" (a zero instead of an 'o') a dictionary attack won't find it, but the algorithm is so poor that it will find "current1", "denture1", "hydrous1", "lobster1", "poultry1", "rampart1", "stratos1", and "sweater1" which you can use instead. I have no idea why the creator of the dictionary added these words with a numeral 1 at the end, but it does work.

A dictionary attack is not guaranteed to be successful, though, and there are some passwords that will not be discovered by this type of attack. They are actually using a 16-bit hash, but a quick search and test shows that it's not a common one. I'll leave that as an exercise for a really bored reader.
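Why a 16-bit verifier produces both effects described above (several different passwords being accepted, and a dictionary sometimes finding nothing) can be shown by counting. This is an added example, not the author's tool and not the VSS algorithm: the stand-in hash (the first two bytes of SHA-256), the function names and the generated candidate list are all assumptions.

```python
import hashlib
from collections import Counter

SPACE = 2 ** 16  # a 16-bit verifier has only 65,536 possible values


def hash16(password: str) -> int:
    """Stand-in 16-bit hash (assumption): first two bytes of SHA-256.

    The article does not identify the VSS algorithm; any 16-bit function
    has the same counting properties shown here.
    """
    digest = hashlib.sha256(password.encode()).digest()
    return int.from_bytes(digest[:2], "big")


def bucket_counts(candidates) -> Counter:
    """Count how many candidates land on each 16-bit value."""
    return Counter(hash16(c) for c in candidates)


def expected_equivalents(n: int) -> float:
    """Average number of list entries accepted in place of one password."""
    return n / SPACE


def miss_probability(n: int) -> float:
    """Chance that a list of n entries holds no match for a given value."""
    return (1 - 1 / SPACE) ** n


def summarize(n: int) -> dict:
    # Constructed candidate list: "cand0", "cand1", ... (not a real dictionary).
    buckets = bucket_counts(f"cand{i}" for i in range(n))
    return {
        "covered": len(buckets) / SPACE,           # share of values reached
        "largest_bucket": max(buckets.values()),   # entries sharing one value
        "expected_equivalents": expected_equivalents(n),
        "miss_probability": miss_probability(n),
    }


if __name__ == "__main__":
    for size in (20_000, 200_000):
        print(size, summarize(size))
```

A stored value this small cannot distinguish one password from the thousands of other strings that map to the same 16 bits, which is why a longer or more unusual password adds no protection here.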

When the VSS admin left the team at a company where I worked many years ago we found ourselves unable to make modifications to VSS security. So like any good team leader I searched the internet for a free hack to get in. C'mon - you know you've done it too. Google didn't exist back then and I couldn't find anything, so using the VSS object model I wrote a brute force password cracker that gave us the Admin password in less than a minute. Could it be that easy? It was.

Fast forward to today... I was looking through my old applications and came across that crack and thought now that Microsoft has released Team Foundation Server with its database-backed source control it was finally time to release this tool to the general public. I did a quick search on the internet and was able to find a way to get into the VSS database, but it requires creating a second VSS database to steal its password file and that's just too unnecessary. So a link to my VSS Password "Recovery" tool can be found at the bottom of this article. (It's been updated to use WTL and more efficient memory so its footprint is significantly smaller than my original application.)

A short time after I wrote that utility a fellow developer, who turned out to be one of the smartest managers I've ever had, revealed to me an even easier way to fool VSS. I won't spoil it here - you'll have to read on to see the Top Four VSS Password Hacks (his was #2).

Hack #1 - Creating A New VSS Database

This is the most common hack I've found on the internet and it's not too difficult but requires the creation of a second VSS database.

  1. Create second database.
  2. Rename the password file on the original database.
  3. Copy the password file from the new database to the old database.

The problem with this solution is that you lose all the security settings for all users in your VSS tree. This means you have to spend time recreating those users and assigning security. There may also be a history problem as the check-in/out data includes user information which may no longer exist.

Hack #2 - You Are The Admin

Surprise surprise. VSS doesn't do any password checking if your logon name matches a user in the VSS user list. What does that mean to you? You already are the Admin - and anyone else for that matter.

  1. Create a local account on your computer through the Local Users and Groups snap-in (found in Computer Management). Call it "Admin" to mimic the Admin account in VSS. This user can have guest privileges if you want, but it must be able to log in locally.
  2. Open VSS using "runas" and specify the Admin account you just created.

Hack #3 - Dictionary Attack

There are a couple of companies on the internet who will give you a usable password for the Admin account on your VSS installation. Heck - if I had bothered to check on this years ago I could have been making money all this time! (One service charges $250!) Well you don't have to pay for this service anymore because I'm giving the application away 100% free. You don't owe me a cent. You're welcome.

VSSPassword Recovery Tool
  1. Launch the application by clicking VSSPassword.exe.
  2. Enter (or browse to) your VSS database .ini location.
  3. Decide whether to use the included dictionary file (default) or select your own.
  4. Click Start.
  5. Once a password is listed in the output window you can click stop or let it continue to find all possible iterations. I think you'll be amazed at how many there are for most passwords.

Hack #4 - Hex Editing the Accounts File

The password file, um.dat, is located in the Data directory under the root of the SourceSafe installation. If you open this file in any hex editor you'll be able to see the accounts your database supports. To the left of the Admin account are two bytes that represent a 16-bit hash/CRC/whatever of the account name and password - I think. There may be other factors involved there too, but it doesn't really matter for purposes of this fix.

After the 20-byte account name string are 2 bytes that represent the 16-bit hash/CRC/whatever of the password itself. To set the password to blank this value must be "90 6E" and the first two bytes must be set to "BC 7F" as in the representation below.

[Image: SourceSafe Hex]

You can easily do this yourself in the hex editor, or you can do it with my password recovery tool by simply clicking the "Reset Admin" button.
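A read-only check for the byte pattern described above, as an added example that is not part of the author's tool: it locates named accounts in a copy of um.dat and reports whether the password field holds the blank-password value, which is what an administrator would look for when auditing a database. The byte values and the 20-byte name length come from the article; the NUL padding of the name field, the function names and the sample bytes are assumptions.

```python
NAME_LEN = 20                        # "20-byte account name string" (article)
BLANK_PW = bytes.fromhex("906E")     # password field when blank (article)
ADMIN_LEAD = bytes.fromhex("BC7F")   # bytes before "Admin" after a reset (article)


def audit_um_dat(data: bytes, account_names):
    """Return one finding per located account record.

    Assumption: the name is stored NUL-padded in its 20-byte field, so a
    record is located by searching for that padded field.
    """
    findings = []
    for name in account_names:
        field = name.encode("ascii").ljust(NAME_LEN, b"\x00")
        pos = data.find(field)
        while pos != -1:
            end = pos + NAME_LEN
            # Two bytes are needed before the name and two after it.
            if pos >= 2 and end + 2 <= len(data):
                lead, pw = data[pos - 2:pos], data[end:end + 2]
                findings.append({
                    "account": name,
                    "offset": pos,
                    "blank_password": pw == BLANK_PW,
                    "admin_reset_pattern": (
                        name == "Admin" and lead == ADMIN_LEAD
                        and pw == BLANK_PW
                    ),
                })
            pos = data.find(field, pos + 1)
    return findings


def _record(lead_hex: str, name: str, pw_hex: str) -> bytes:
    """Constructed record fragment: lead bytes, name field, password bytes."""
    padded = name.encode("ascii").ljust(NAME_LEN, b"\x00")
    return bytes.fromhex(lead_hex) + padded + bytes.fromhex(pw_hex)


# Constructed sample, not a real um.dat: filler, an Admin entry carrying the
# reset pattern, and a second account with arbitrary non-blank bytes.
SAMPLE = (b"\x00" * 16 + _record("BC7F", "Admin", "906E") + b"\x00" * 8
          + _record("1234", "builder", "ABCD") + b"\x00" * 8)

if __name__ == "__main__":
    for finding in audit_um_dat(SAMPLE, ["Admin", "builder"]):
        print(finding)
```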

On a side note, just a day before I finished this article I found this site on the web that discusses these same solutions, so I guess I've been beaten to the punch. (Sigh.) At least I'm the only provider of a free tool that I've found - so go ahead and download it twice. Don't worry! I'll make more.

VSS Password Recovery Tool (163 K)