Reported July 11, 2002, by Microsoft.
VERSIONS AFFECTED
· Microsoft SQL Server 2000, all editions.
· Microsoft SQL Server 7.0, including Microsoft Data Engine (MSDE 1.0)
DESCRIPTION
A vulnerability exists in SQL Server 2000 and SQL Server 7.0 (including MSDE 1.0) that can let an attacker compromise the vulnerable server. This vulnerability stems from the fact that the system stores the systems administrator password in the setup.iss and log files and doesn't remove the password when the installation is complete. Anyone capable of doing an interactive logon can access this password and these files.
VENDOR RESPONSE
The vendor, Microsoft, has released Security Bulletin MS02-035 (SQL Server Installation Process May Leave Password on System) to address this vulnerability and recommends that affected users download and apply the appropriate patch mentioned in the bulletin. These patches are cumulative and address all previously discovered vulnerabilities in the affected product.
CREDIT
Discovered by Cesar
Cerrudo and Mark Litchfield
of Next Generation Security Software.