Security Advisory

Name: SQL Server 7 & 2000 Installation process and Service Packs write encoded passwords to a file.
System Affected: SQL Server 7 & 2000, latest Service Packs.
Severity: High.
Author: Cesar Cerrudo.
Date: 07/11/2002
Advisory Number: CC070204

Overview:

When installing Microsoft SQL Server or the latest SQL Server Service Packs, some files are created and not properly removed. These files are designed to be used for unattended installs. During the installation, values such as Windows user accounts, login names and passwords are saved in these files.

Details:

After installing Microsoft SQL Server or the latest SQL Server Service Packs, one or more copies of the file setup.iss are not properly removed from the operating system. Two copies of setup.iss are created depending on the version of SQL Server. Setup.iss is created in one or more of the following directories:

    %windir%
    %sqlserverinstance%\install\

The copy of the file in the %windir% directory is created with the permissions "Full Control" granted to the "Everyone" group. The other copy of the file is created without weak permissions.

If SQL Server is set to Mixed Mode Authentication, the SQL Server login and password used by the installation program are saved in the setup.iss files.

If the SQL Server service is set to run under a Windows user account other than the system account during the installation process, that Windows user account and password are saved in the setup.iss files.

The passwords are encoded using a weak algorithm. The encoded password can easily be broken, without understanding the encoding algorithm, by using the installation process or the Service Pack in a chosen-plaintext attack. Any user with access to the setup.iss file could decode the password and gain unauthorized access to SQL Server.

More Details: http://www.appsecinc.com/resources/alerts/mssql/02-0009.html

Vendor Status:

Microsoft was contacted on May 07, 2002.
We worked together and Microsoft released a security bulletin and a fix.

Patch Available: http://www.microsoft.com/technet/security/bulletin/MS02-035.asp

Workaround:

Delete the SQL Server setup.iss files created when SQL Server is installed or when a Service Pack is installed. Change the passwords that might be exposed by this vulnerability.

Thanks!:

Special thanks to Aaron Newman (Application Security, Inc.) for his collaboration in testing and advisory draft, and to Raul Aguerrebehere for his contribution of many setup.iss files.
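
An audit to run before applying the workaround, added here as an example and not code from the advisory or from Microsoft: it checks the two locations named under Details for leftover setup.iss files, reports whether "Everyone" holds Full Control on each, and lists credential-like keys without printing their values. The -InstanceDirs parameter and the pwd/password key-name pattern are assumptions, since the advisory does not list the key names used in setup.iss.

```powershell
# Added example: audit for leftover SQL Server setup.iss files.
# Assumption: the caller passes each SQL Server instance directory
# (what the advisory calls %sqlserverinstance%) in -InstanceDirs.
param(
    [string[]]$InstanceDirs = @()
)

# Locations named in the advisory: %windir% and %sqlserverinstance%\install\
$candidates = @(Join-Path $env:windir 'setup.iss')
foreach ($dir in $InstanceDirs) {
    $candidates += Join-Path (Join-Path $dir 'install') 'setup.iss'
}

# Assumption: credential entries carry "pwd" or "password" in the key name.
# Only keys with a non-empty value match; comment lines (;) and section
# headers ([...]) do not.
$credKey = '^\s*([^=;\[]*(pwd|password)[^=]*)=\s*(\S.*)$'
$full = [int][System.Security.AccessControl.FileSystemRights]::FullControl

foreach ($path in $candidates) {
    if (-not (Test-Path -LiteralPath $path -PathType Leaf)) { continue }

    # Collect key names only; the encoded values are never written out.
    $keys = @(Select-String -LiteralPath $path -Pattern $credKey |
        ForEach-Object { $_.Matches[0].Groups[1].Value.Trim() })

    # Look for an Allow entry granting Full Control to Everyone (SID S-1-1-0).
    $everyoneFull = $false
    $acl = Get-Acl -LiteralPath $path
    $sidType = [System.Security.Principal.SecurityIdentifier]
    foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
        if ($ace.IdentityReference.Value -eq 'S-1-1-0' -and
            $ace.AccessControlType -eq 'Allow' -and
            (([int]$ace.FileSystemRights) -band $full) -eq $full) {
            $everyoneFull = $true
        }
    }

    [pscustomobject]@{
        Path                = $path
        EveryoneFullControl = $everyoneFull
        CredentialKeys      = ($keys -join ', ')
        LastWriteTime       = (Get-Item -LiteralPath $path).LastWriteTime
    }
}
```

Any file reported with a non-empty CredentialKeys column should be deleted and the corresponding passwords changed, as the workaround states.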