copyright | disclaimer | privacy | contact  
Australia's Leading Computer Emergency Response Team
 
Search this site

 
On this site

 > HOME
 > About AusCERT
 > Membership
 > Contact Us
 > PKI Services
 > Training
 > Publications
 > Sec. Bulletins
 > Conferences
 > News & Media
 > Services
 > Web Log
 > Site Map
 > Site Help
 > Member login

  Home » Security Bul... » ESB-2002.339 -- Microsoft Security Bulletin MS02-035...
 

ESB-2002.339 -- Microsoft Security Bulletin MS02-035 -- SQL Server Installation Process May Leave Passwords on System (Q263968)
Date: 12 July 2002
References: ESB-2002.368  

Click here for printable version
Click here for PGP verifiable version
-----BEGIN PGP SIGNED MESSAGE-----

===========================================================================
             AUSCERT External Security Bulletin Redistribution

           ESB-2002.339 -- Microsoft Security Bulletin MS02-035
  SQL Server Installation Process May Leave Passwords on System (Q263968)
                               12 July 2002

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:                Microsoft SQL Server 7
                        Microsoft Data Engine 1.0 (MSDE 1.0)
                        Microsoft SQL Server 2000 
Vendor:                 Microsoft
Operating System:       Windows
Impact:                 Administrator Compromise
Access Required:        Remote

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----

- - ----------------------------------------------------------------------
Title:      SQL Server Installation Process May Leave Passwords on 
            System (Q263968)
Date:       July 10, 2002
Software:   Microsoft SQL Server 7.0, Microsoft Data Engine 1.0 
            (MSDE 1.0), or SQL Server 2000
Impact:     Elevation of privilege
Max Risk:   Moderate
Bulletin:   MS02-035

Microsoft encourages customers to review the Security Bulletin at: 
http://www.microsoft.com/technet/security/bulletin/MS02-035.asp.
- - ----------------------------------------------------------------------

Issue:
======
When installing SQL Server 7.0 (including MSDE 1.0), SQL Server 2000,
or a service pack for SQL Server 7.0 or SQL Server 2000, the 
information provided for the install process is collected and stored 
in a setup file called setup.iss. The setup.iss file can then be 
used to automate the installation of additional SQL Server systems. 
SQL Server 2000 also includes the ability to record an unattended 
install to the setup.iss file without having to actually perform an 
installation. The administrator setting up the SQL Server can supply 
a password to the installation routine under the following 
circumstances: 

 - If the SQL Server is being set up in "Mixed Mode", a password 
   for the SQL Server administrator (the "sa" account) must be 
   supplied. 
 - Whether in Mixed Mode or Windows Authentication Mode, a User ID 
   and password can optionally be supplied for the purpose of 
   starting up SQL Server service accounts. 

In either case, the password would be stored in the setup.iss file. 
Prior to SQL Server 7.0 Service Pack 4, the passwords were stored in 
clear text. For SQL Server 7.0 Service Pack 4 and SQL Server 2000 
Service Packs 1 and 2, the passwords are encrypted and then stored. 
Additionally, a log file is created during the installation process 
that shows the results of the installation. The log file would also 
include any passwords that had been stored in the setup.iss file. 

A security vulnerability results because of two factors: 

 - The files remain on the server after the installation is 
   complete. Except for the setup.iss file created by SQL Server 
   2000, the files are in directories that can be accessed by 
   anyone who can interactively log on to the system. 
 - The password information stored in the files is either in clear 
   text (for SQL Server 7.0 prior to Service Pack 4) or encrypted 
   using fairly weak protection. An attacker who recovered the 
   files could subject them to a password cracking attack to learn 
   the passwords, potentially compromising the sa password and/or a 
   domain account password.

Mitigating Factors:
====================
 - The vulnerability could only be exploited by an attacker who 
   had the ability to interactively log onto an affected system. 
   However, best practices suggest that unprivileged users not be 
   allowed to interactively log onto business-critical servers, 
   including database servers. 
 - The vulnerability with regard to the sa password only affects 
   servers configured to use Mixed Mode. Customers using Windows 
   Authentication Mode (which is the recommended mode) would only 
   have credentials at risk if they had chosen to provide a domain 
   credential to be used in starting the SQL Server services. 
 - The passwords stored in the setup.iss and log files are those 
   provided at installation time and are not kept up-to-date when 
   password changes are made. As a result, if the administrator 
   changed a password, the information in the setup.iss and log 
   files would not allow any access. 
 - In the case of SQL 2000, setup.iss is stored in a directory 
   that only allows access by administrators and the user 
   installing SQL Server. 
 - If the setup.iss and log files containing domain user and/or sa 
   passwords are deleted, the passwords could not be retrieved.

Risk Rating:
============
 - Internet systems: Moderate
 - Intranet systems: Moderate
 - Client systems: Moderate

Patch Availability:
===================
 - A patch is available to fix this vulnerability. Please read the 
   Security Bulletin at
   http://www.microsoft.com/technet/security/bulletin/ms02-035.asp
   for information on obtaining this patch.

Acknowledgment:
===============
 - Cesar Cerrudo

- - ---------------------------------------------------------------------

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS 
PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS 
ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE 
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. 
IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE 
FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, 
CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF 
MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE 
POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION 
OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES 
SO THE FOREGOING LIMITATION MAY NOT APPLY.

- -----BEGIN PGP SIGNATURE-----
Version: PGP 7.1

iQEVAwUBPSyqv40ZSRQxA/UrAQF+9gf8CxgoomCtvyPspGIjBVhUq699n3vEip3r
u8bqNODXLoaiftSwGpoNMYzM28k6Jpuess7ojDHHO1kg1uvptGQvH/o3bPs5rmEe
zXOcUk3aYEREOCLcmTsFL/T4rAoCsAhn/d/Q3/2fvSJ4BX13pWXKAgEA1OdY8hbO
6DVZkE9nhXHLzEY83Zu+E1BGfZIvU6VjuOtayl7mcTVhmp39jD781tt2QUNBU+c0
1wkqXKr3MaDjxNy83Fg7gBGBy9kLF3xUW03tft2Qwpey6rhOxVAqeCkg6Pn1SpvG
Ekdsc+o676kZ8KAucH8gpfut3qksflpnv6k62rS7tDUyo2S6jglleQ==
=lgMk
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content.  The decision to use any or all of this information is
the responsibility of each user or organisation, and should be done so in
accordance with site policies and procedures.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the original authors to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

	http://www.auscert.org.au/Information/advisories.html

If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).

Internet Email: auscert@auscert.org.au
Facsimile:	(07) 3365 7031
Telephone:	(07) 3365 4417 (International: +61 7 3365 4417)
		AusCERT personnel answer during Queensland business hours
		which are GMT+10:00 (AEST).
		On call after hours for member emergencies.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key

iQCVAwUBPS71ICh9+71yA2DNAQEGEQP/dRL8KiA3sed59se8gq7g52Ml732GM8rW
I2NTD1jn5jemP4u+4aPlNpaf59Lp4DfE2C9g/OaOs7b/cqkUrEdj0ggoVZYN5wmV
lOqMssH5Xs2PM7SIeJAbM9Hb60X683rvtpdwgeZ8rGrzxSZ7ekk7Wy22m47MYeYr
zMBX5CuRhTE=
=2zQC
-----END PGP SIGNATURE-----




Comments? Click here http://www.auscert.org.au/2191