Application Security Inc. - Database Security, Monitoring, Assessment, Auditing, Encryption, and Regulatory Compliance.

Team SHATTER Security Alert

Encoded password written by service pack

July 10, 2002

To determine if your Microsoft SQL Server installations have this vulnerability, download AppDetective™ for Microsoft SQL Server from:

http://www.appsecinc.com/products/appdetective/mssql/

Risk level: Medium

Summary:

When installing Microsoft SQL Server 2000 or installing a service pack for Microsoft SQL Server 7.0 or 2000, an encoded version of the password used is written to the file setup.iss. This file's default permissions allow any user able to log on interactively to the operating system to read the file and discover the password.

Details:

During the installation of Microsoft SQL Server 7.0 or 2000, the Windows username and password that the service will run under are entered. This password is written to the log file setup.iss.

During the installation of service pack 4 for Microsoft SQL Server 7.0, or of any service pack prior to service pack 3 (which has not yet been released) for Microsoft SQL Server 2000, an encoded version of the SQL Server password used to connect to the server is written to the log file setup.iss.

These two issues are related to, but distinct from, the earlier issues in which previous service packs wrote the password to these files in clear text. The problem persists in a different form: instead of being written in clear text, the passwords are now written using an encoding algorithm that is simple to decode.

The password is written to the file setup.iss, which is created in two places. The first is the %WINNT% directory (C:\Winnt on most machines). The second is %SQLSERVERINSTANCE%\install.

The file is written by default with permissions that allow any user who can log on to the machine at the console to read it and discover the password. Console logon to the operating system the database runs on should therefore be restricted.

If you open the file setup.iss after installing a service pack, you may see entries similar to the following text:

[ServerConnect-0]
NTAuthentication=0
SQLAuthentication=1
svPassword=0536f618eca8

The line starting with "svPassword=" contains the encoded value. The encoding method works as follows:

1) The first two decimal digits represent the password length

2) The following two digits represent the first password character xor'ed with the key 00001111. In the sample above the first encoded character is 36 (hexadecimal). Converting 36 to binary gives 00110110; xor'ing that with 00001111 gives 00111001, which is the decimal value 57, the ASCII character "9".

3) All following two digit pairs represent the following password characters xor'ed with a positional key and the previous character. These values can be easily derived without understanding the encoding algorithm by using a chosen plain text attack.

Fix:

There are several fixes to this problem.

First, change the password for the sa login or the Windows account. This is highly recommended if you find the password has possibly been compromised already.

The password for the sa login can be changed using the following command:

sp_password NULL,'hard!2guess','sa'

Secondly, search for and delete all copies of the file setup.iss. Microsoft has released a command-line utility called KillPwd.exe that searches the Microsoft SQL Server setup files for any passwords and deletes every instance it finds. It is recommended that you download this utility and run it on the server.
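The following scanner is an added example, not part of this advisory and not Microsoft's KillPwd.exe. It parses the setup.iss entry format shown in the Details section, reports each svPassword entry still present together with the password length disclosed by the first two digits (it does not decode the characters), and blanks the value in place in the two locations the advisory names; the SystemRoot environment variable standing in for %WINNT% and the instance directory argument are assumptions.

```python
# Added example (not the advisory's own code and not Microsoft's KillPwd.exe):
# locate svPassword entries in the setup.iss files the advisory names, report
# the password length each one discloses, and blank the value in place.
# Assumption: the SystemRoot environment variable stands in for %WINNT%.
import os
import re

SECTION_RE = re.compile(r"^\[(?P<name>[^\]]+)\]\s*$")
# Entry shape quoted in the advisory: svPassword=0536f618eca8 (hex digit pairs)
SVPASS_RE = re.compile(r"^svPassword=(?P<value>[0-9A-Fa-f]*)\s*$")

def find_encoded_passwords(text: str) -> list:
    """Return (section, declared_length, consistent) for each svPassword entry.
    The first two digits give the length; each later digit pair is one encoded
    character. 'consistent' is True when the pair count matches the length."""
    findings, section = [], ""
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            section = m.group("name")
            continue
        m = SVPASS_RE.match(line)
        if m and m.group("value"):  # an already-blanked entry is not a finding
            value = m.group("value")
            length = int(value[:2]) if value[:2].isdigit() else -1
            findings.append((section, length, len(value[2:]) // 2 == length))
    return findings

def redact(text: str) -> str:
    """Blank every encoded value so the file no longer carries the password."""
    return re.sub(r"^(svPassword=)[0-9A-Fa-f]*", r"\1", text, flags=re.M)

def scan_setup_iss(instance_dir: str) -> dict:
    """Check %WINNT%\\setup.iss and <instance>\\install\\setup.iss; redact hits."""
    winnt = os.environ.get("SystemRoot", r"C:\Winnt")  # assumption, see above
    report = {}
    for path in (os.path.join(winnt, "setup.iss"),
                 os.path.join(instance_dir, "install", "setup.iss")):
        if not os.path.isfile(path):
            continue
        with open(path, encoding="latin-1") as fh:
            text = fh.read()
        report[path] = find_encoded_passwords(text)
        if report[path]:  # rewrite only when an encoded value was found
            with open(path, "w", encoding="latin-1") as fh:
                fh.write(redact(text))
    return report

# Constructed sample mirroring the entry quoted in the advisory.
SAMPLE = "[Other-0]\nResult=1\n\n[ServerConnect-0]\nNTAuthentication=0\nSQLAuthentication=1\nsvPassword=0536f618eca8\n"
```

Deleting the file afterwards, as the advisory recommends, is still the right end state; the redaction only removes the secret from any copy that must be kept.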

Credit:

This vulnerability was researched and discovered by Cesar Cerrudo (cesarc56@yahoo.com).