SQL Server 7 & 2000 Installation process and Service Packs write encoded passwords to a file

From: c c (cesarc56at_private)
Date: Thu Jul 11 2002 - 08:11:09 PDT

    Security Advisory
    
    Name:    SQL Server 7 & 2000 Installation process and
    Service Packs write encoded passwords to a file.
    System Affected :    SQL Server 7 & 2000, latest
    Service Packs.
    Severity :    High.
    Author:    Cesar Cerrudo.
    Date:    07/11/2002 
    Advisory Number:    CC070204
    
    
    Overview:
    
    When installing Microsoft SQL Server or the latest SQL
    Server Service Packs, some files are created and not
    properly removed. These files are designed to be used
    for unattended installs. During the installation,
    values such as Windows user accounts, login names and
    passwords are saved in these files.
    
    
    Details:
    
    After installing Microsoft SQL Server or the latest
    SQL Server Service Packs, one or more copies of the
    file setup.iss are not properly removed from the
    operating system.
    
    Two copies of setup.iss are created depending on the
    version of SQL Server. Setup.iss is created in one or
    more of the following directories:
    %windir%
    %sqlserverinstance%\install\
    
    The copy of the file in the %windir% directory is
    created with the permissions "Full Control" granted to
    the "Everyone" group. The other copy of the file is
    created without weak permissions.
    
    If SQL Server is set to Mixed Mode Authentication, the
    SQL Server login and password used by the installation
    program are saved in the setup.iss files.
    
    If the SQL Server service is set to run under a Windows
    user account other than the system account during the
    installation process, that Windows user account and
    password are saved in the setup.iss files.
    
    The passwords are encoded using a weak algorithm. The
    encoded password can be easily broken, without
    understanding the encoding algorithm, by using the
    installation process or the Service Pack in a
    chosen-plaintext attack.
    
    Any user with access to the setup.iss file could
    decode the password and gain unauthorized access to
    SQL Server.
    
    
    More Details:
    
    http://www.appsecinc.com/resources/alerts/mssql/02-0009.html
    
    
    Vendor Status :
    
    Microsoft was contacted on May 07, 2002. We worked
    together and Microsoft released a security bulletin and
    a fix.
    
    
    Patch Available : 
    
    http://www.microsoft.com/technet/security/bulletin/MS02-035.asp
    
    Workaround : 
    
    Delete the SQL Server setup.iss files created when SQL
    Server is installed or when a Service Pack is
    installed.
    Change the passwords that might be exposed by this
    vulnerability.
    
    
    Thanks!: 
    
    Special thanks to Aaron Newman (Application Security,
    Inc.) for his collaboration in testing and advisory
    draft, and to Raul Aguerrebehere for his contribution
    of many setup.iss files.
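
One way to audit a host for the leftover files described under Details and apply the workaround, as an added example that is not part of the original advisory: it checks the two listed locations, reports whether "Everyone" holds "Full Control", and deletes only when -Remove is given. The function name, the -InstanceRoot parameter and the placeholder path are assumptions, as is PowerShell 3.0 or later.

```powershell
# Added example (not from the advisory): locate leftover setup.iss files.
function Find-SetupIss {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        # Assumed parameter: directories standing in for %sqlserverinstance%.
        [string[]]$InstanceRoot = @(),
        # Delete each file found (the advisory's workaround).
        [switch]$Remove
    )

    # Candidate locations named in the advisory.
    $candidates = @(Join-Path $env:windir 'setup.iss')
    foreach ($root in $InstanceRoot) {
        $candidates += Join-Path (Join-Path $root 'install') 'setup.iss'
    }

    $fullControl = [int][System.Security.AccessControl.FileSystemRights]::FullControl

    foreach ($path in $candidates) {
        if (-not (Test-Path -LiteralPath $path -PathType Leaf)) { continue }

        $item  = Get-Item -LiteralPath $path -Force
        $acl   = Get-Acl -LiteralPath $path
        # Resolve identities to SIDs so the check also works on localized systems.
        $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
        $open  = $false
        foreach ($rule in $rules) {
            # S-1-1-0 is the well-known SID of the Everyone group.
            if ($rule.IdentityReference.Value -eq 'S-1-1-0' -and
                $rule.AccessControlType -eq 'Allow' -and
                ([int]$rule.FileSystemRights -band $fullControl) -eq $fullControl) {
                $open = $true
            }
        }

        [pscustomobject]@{
            Path                = $item.FullName
            LastWriteTime       = $item.LastWriteTime
            EveryoneFullControl = $open
        }

        if ($Remove -and $PSCmdlet.ShouldProcess($item.FullName, 'Delete setup.iss')) {
            Remove-Item -LiteralPath $item.FullName -Force
        }
    }
}

# Report only; the path is a placeholder. Add -Remove to delete after review.
Find-SetupIss -InstanceRoot 'C:\PLACEHOLDER\sqlserverinstance'
```

Deleting a file does not undo earlier exposure, so the second workaround step (changing the passwords) still applies to every host where a file is reported.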
    
    
    



    This archive was generated by hypermail 2b30 : Thu Jul 11 2002 - 12:30:27 PDT