VID 28026
Severity 30
Port 139,445
Protocol TCP
Class SMB
Detailed Description Microsoft SQL Server stores some installation passwords insecurely.
The installation process of MS SQL Server can leave certain installation passwords stored in plaintext or with weak encryption in either the setup.iss installation file or the sqlstp.log and sqlspX.log log files. These files are written in two places. The first is the %WINNT% directory, which on most machines is C:\Winnt. The second is %SQLSERVERINSTANCE%\install.
Because these files are created with improper permissions, any remote attacker who can interactively log on to the system running the SQL Server can access these files and recover the passwords. This may allow the attacker to gain full administrative access to the SQL Server.
For example, if you open the file setup.iss, you may see entries similar to the following text:

[ServerConnect-0]
NTAuthentication=0
SQLAuthentication=1
svPassword=0536f618eca8

The line starting with "svPassword=" contains the password value, encoded with an algorithm that is simple to decode.

* References:
http://www.cert.org/advisories/CA-2002-22.html
http://www.kb.cert.org/vuls/id/338195
http://archives.neohapsis.com/archives/bugtraq/2002-07/0108.html
http://marc.theaimsgroup.com/?l=bugtraq&m=102640092826731&w=2
http://marc.theaimsgroup.com/?l=vuln-dev&m=102640394131103&w=2
http://www.appsecinc.com/resources/alerts/mssql/02-0009.html
http://www.securityfocus.com/bid/5203
http://www.iss.net/security_center/static/9524.php

* Platforms Affected:
Microsoft MSDE 1.0
Microsoft SQL Server 2000
Microsoft SQL Server 7.0
Microsoft Windows Any version
Recommendation 1. Change the passwords that might be exposed by this vulnerability. The password for the sa login can be changed using the following command from the SQL query window:

exec sp_password NULL,'hard!2guess','sa'

2. Search for and delete all files containing any passwords. Microsoft has provided a utility, killpwd.exe, that will remove the passwords from any accessible directories. You can download this file from Microsoft Security Bulletin MS02-035 below and run it on the server:
http://www.microsoft.com/technet/security/bulletin/MS02-035.asp
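
An added example, not part of the original entry and not Microsoft's killpwd.exe: a Python audit for step 2 that walks the given directories, finds the files named above, and reports password entries that still hold a value, without ever printing the value. The `sqlsp*.log` pattern, the generic `password` key match for the log files, and the sample tree are assumptions constructed for illustration.

```python
import fnmatch
import os
import re
import tempfile

# File names come from the advisory; "sqlsp*.log" assumes the X in sqlspX.log varies.
TARGET_PATTERNS = ("setup.iss", "sqlstp.log", "sqlsp*.log")
# "svPassword=" is the key shown in the advisory. Matching any "...password...=" key
# is an assumption, because the page does not show the log file format.
PASSWORD_LINE = re.compile(r"^\s*(\w*password\w*)\s*=\s*(\S+)", re.IGNORECASE)

def find_leftover_passwords(roots):
    """Return (path, line_no, key) per non-empty password entry; values are never returned."""
    findings = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                if not any(fnmatch.fnmatch(name.lower(), p) for p in TARGET_PATTERNS):
                    continue
                path = os.path.join(dirpath, name)
                try:
                    with open(path, "r", errors="replace") as fh:
                        for line_no, line in enumerate(fh, 1):
                            match = PASSWORD_LINE.match(line)
                            if match:
                                findings.append((path, line_no, match.group(1)))
                except OSError:
                    # Could not open the file: report it so it is reviewed by hand.
                    findings.append((path, 0, "unreadable"))
    return findings

def build_sample_tree(base):
    """Constructed sample data; setup.iss mirrors the excerpt in the advisory."""
    install = os.path.join(base, "MSSQL", "install")
    os.makedirs(install)
    samples = {
        os.path.join(base, "setup.iss"):
            "[ServerConnect-0]\nNTAuthentication=0\nSQLAuthentication=1\nsvPassword=0536f618eca8\n",
        os.path.join(install, "sqlstp.log"): "Begin Action: Setup\nsvPassword=\n",  # scrubbed
        os.path.join(install, "readme.txt"): "svPassword=abc\n",  # not a target file
    }
    for path, text in samples.items():
        with open(path, "w") as fh:
            fh.write(text)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for path, line_no, key in find_leftover_passwords([tmp]):
            print(f"{path}:{line_no}: {key} still holds a value; rotate it and remove the file")
```

On a real server, pass the two directories named in the description instead of the temporary tree, and treat every hit as a password that must be changed as in step 1.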
Related URL CVE-2002-0643 (CVE)
Related URL (SecurityFocus)
Related URL (ISS)