|
COMMAND SQL Server may leave passwords in files afther install or patch SYSTEMS AFFECTED SQL Server 7 & 2000 PROBLEM In Cesar Cerrudo advisory [CC070204], with the help of Aaron Newman (Application Security, Inc.) and Raul Aguerrebehere : After installing Microsoft SQL Server or the latest SQL Server Service Packs, one or more copies of the file setup.iss are not properly removed from the operating system. Two copies of setup.iss are created depending on the version of SQL Server. Setup.iss is created in one or more of the following directories: %windir% %sqlserverinstance%\\install\\ The copy of the file in the %windir% directory is created with the permissions \"Full Control\" granted to the \"Everyone\" group. The other copy of the file are created without weak permissions. If SQL Server is set to Mixed Mode Authentication, the SQL Server login and password used by the installation program are saved in the setup.iss files. If SQL Server Service is set to run under a Windows user account different than system account during the installation process, that Windows user account and password are saved in the setup.iss files. The passwords are encoded using a weak algorithm. The encoded password can be easily broken without understanding the encoding algorithm using the Installation process or the Service Pack with chosen plain text attack. SOLUTION Patch ===== http://www.microsoft.com/technet/security/bulletin/MS02-035.asp Workaround ========== Delete the SQL Server setup.iss files created when SQL Server is installed or when a Service Pack is installed. Change the passwords that might be exposed by this vulnerability.