COMMAND

	SQL Server may leave passwords in files afther install or patch

SYSTEMS AFFECTED

	SQL Server 7 & 2000

PROBLEM

	In Cesar Cerrudo advisory [CC070204], with  the  help  of  Aaron  Newman
	(Application Security, Inc.) and Raul Aguerrebehere :
	

	After installing Microsoft SQL Server or the latest SQL  Server  Service
	Packs, one or more  copies  of  the  file  setup.iss  are  not  properly
	removed from the operating system.
	

	Two copies of setup.iss are created depending  on  the  version  of  SQL
	Server.  Setup.iss  is  created  in  one  or  more  of   the   following
	directories:
	 

	%windir%

	%sqlserverinstance%\\install\\

	

	The copy of the file in the  %windir%  directory  is  created  with  the
	permissions \"Full Control\" granted  to  the  \"Everyone\"  group.  The
	other copy of the file are created without weak permissions.
	

	If SQL Server is set to Mixed Mode Authentication, the SQL Server  login
	and  password  used  by  the  installation  program  are  saved  in  the
	setup.iss files.
	

	If SQL Server Service is  set  to  run  under  a  Windows  user  account
	different than system account  during  the  installation  process,  that
	Windows user account and password are saved in the setup.iss files.
	

	The passwords are encoded using a weak algorithm. The  encoded  password
	can be easily broken without understanding the encoding algorithm  using
	the Installation process or the Service  Pack  with  chosen  plain  text
	attack.

SOLUTION

	 Patch

	 =====

	

	http://www.microsoft.com/technet/security/bulletin/MS02-035.asp

	

	 Workaround

	 ==========

	

	Delete the SQL  Server  setup.iss  files  created  when  SQL  Server  is
	installed or when a Service Pack  is  installed.  Change  the  passwords
	that might be exposed by this vulnerability.