SQL Server 7 & 2000 Installation process and Service Packs write encoded passwords to a file
From: full-disclosure () lists netsys com (c c)
Date: Thu, 11 Jul 2002 09:32:37 -0700 (PDT)
Name: SQL Server 7 & 2000 Installation process and
Service Packs write encoded passwords to a file.
System Affected : SQL Server 7 & 2000, latest
Severity : High.
Author: Cesar Cerrudo.
Advisory Number: CC070204
When installing Microsoft SQL Server or the latest SQL
Server Service Packs, some files are created and not
properly removed. These files are designed to be used
for unattended installs. During the installation,
values such as Windows user accounts, login names and
passwords are saved in these files.
After installing Microsoft SQL Server or the latest
SQL Server Service Packs, one or more copies of the
file setup.iss are not properly removed from the
Two copies of setup.iss are created depending on the
version of SQL Server. Setup.iss is created in one or
more of the following directories:
The copy of the file in the %windir% directory is
created with the permissions "Full Control" granted to
the "Everyone" group. The other copy of the file is
created without weak permissions.
If SQL Server is set to Mixed Mode Authentication, the
SQL Server login and password used by the installation
program are saved in the setup.iss files.
If the SQL Server service is set to run under a Windows
user account other than the system account during the
installation process, that Windows user account and
password are saved in the setup.iss files.
The passwords are encoded using a weak algorithm. The
encoded password can easily be recovered, without
understanding the encoding algorithm, by running a
chosen-plaintext attack with the installation process
or the Service Pack.
Any user with access to the setup.iss file could
decode the password and gain unauthorized access to
Vendor Status :
Microsoft was contacted on May 07, 2002. We worked
together and Microsoft released security bulletin and
Patch Available :
Delete the SQL Server setup.iss files created when SQL
Server is installed or when a Service Pack is
Change the passwords that might be exposed by this
Special thanks to Aaron Newman (Application Security,
Inc.) for his collaboration in testing and advisory
draft, and to Raul Aguerrebehere for his contribution
of many setup.iss files.
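
An audit for the leftover files described in this advisory, as an added example that is not part of the original post or of any Microsoft tooling. It reports each setup.iss it finds and whether the "Everyone" group has rights on it. Assumptions: only %windir% is named in the text above, so the other SQL Server directories must be supplied through the hypothetical -ExtraDirectory parameter; the -Remove switch is likewise a name chosen here.

```powershell
# Added example: find leftover setup.iss files and report weak ACLs.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Assumption: SQL Server install/setup directories for your version.
    [string[]]$ExtraDirectory = @(),
    # Delete each file found (honours -WhatIf and -Confirm).
    [switch]$Remove
)

# Resolve "Everyone" by its well-known SID so localized names still match.
$everyone = New-Object System.Security.Principal.SecurityIdentifier(
    [System.Security.Principal.WellKnownSidType]::WorldSid, $null)
$fullControl = [System.Security.AccessControl.FileSystemRights]::FullControl

$dirs = (@($env:windir) + $ExtraDirectory) |
    Where-Object { $_ } | Select-Object -Unique

foreach ($dir in $dirs) {
    $path = Join-Path $dir 'setup.iss'
    if (-not (Test-Path -LiteralPath $path -PathType Leaf)) { continue }

    $acl = Get-Acl -LiteralPath $path
    # Explicit and inherited rules, with identities returned as SIDs.
    $rules = $acl.GetAccessRules($true, $true,
        [System.Security.Principal.SecurityIdentifier])
    $worldRights = @($rules | Where-Object {
            $_.IdentityReference.Value -eq $everyone.Value -and
            $_.AccessControlType -eq 'Allow'
        } | ForEach-Object { $_.FileSystemRights })

    [pscustomobject]@{
        Path                = $path
        LastWriteTime       = (Get-Item -LiteralPath $path).LastWriteTime
        Owner               = $acl.Owner
        EveryoneRights      = ($worldRights -join '; ')
        EveryoneFullControl = [bool]($worldRights |
            Where-Object { $_.HasFlag($fullControl) })
    }

    # setup.iss is the generic InstallShield response-file name, so confirm
    # the file came from SQL Server setup before removing it.
    if ($Remove -and
        $PSCmdlet.ShouldProcess($path, 'Delete leftover setup.iss')) {
        Remove-Item -LiteralPath $path -Force
    }
}
```

Run it first without -Remove to review the findings, then with -Remove -WhatIf before deleting anything.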