Database Journal
MS SQL Oracle DB2 Access MySQL PostgreSQL Sybase PHP SQL Etc SQL Scripts & Samples Links Database Forum

» Database Journal Home
» Database Articles
» Database Tutorials
MS SQL
Oracle
DB2
MS Access
MySQL
» RESOURCES
Database Tools
SQL Scripts & Samples
Links
» Database Forum
» Sitemap
Free Newsletters:
DatabaseDaily  
News Via RSS Feed


follow us on Twitter
Database Journal |DBA Support |SQLCourse |SQLCourse2
 

Featured Database Articles

Database News

Posted Jul 12, 2002

New SQL Server 7.0 and 2000 Security Patch Available

By Forrest Stroud


Microsoft recently released a SQL Server 7.0/2000 security patch for a privilege elevation vulnerability in an installation process that may leave passwords on system. An attacker who gained access to the files could compromise any passwords stored within them and potentially use them to gain control of either the SQL Server or the domain account.

The SQL Server installation routines can, under certain conditions, store passwords that were provided by the administrator doing the setup. However, they are not stored securely, with the result that it could be possible for an attacker to access and compromise the passwords. The passwords are only stored under two conditions: if SQL Server was configured in a mode that Microsoft recommends against using, or if the administrator chose a particular install-time option. Even in cases where one or more passwords were stored, the vulnerability could only be exploited by an attacker who could log onto an affected SQL Server interactively -- that is, at the system keyboard. If an administrator had changed a password after installation, the stored password would no longer allow any access.

A second vulnerability results because of two factors:

  • The files remain on the server after the installation is complete. Except for the setup.iss file created by SQL Server 2000, the files are in directories that can be accessed by anyone who can interactively log on to the system.

  • The password information stored in the files is either in clear text (for SQL Server 7.0 prior to Service Pack 4) or encrypted using fairly weak protection. An attacker who recovered the files could subject them to a password cracking attack to learn the passwords, potentially compromising the system administrator password and/or a domain account password.

The patch for the vulnerabilities exists in the form of a downloadable KillPwd utility, which searches the Microsoft SQL Server log and setup files for passwords and deletes any passwords that are found, whether encrypted or not. It does not, by default, delete passwords in the setup.iss file created by SQL Server 2000 installations, as the setup.iss file created by SQL 2000 installations is saved in a directory that only allows access by administrators and the user setting up SQL Server 2000. Microsoft also recommends deleting unattended installation file and log files or saving them to a well-protected offline storage area.

Microsoft has issued a moderate severity rating for the patch. The SQL Server 7.0 patch can be installed on all versions of SQL Server 7.0 (up to Service Pack 4) and SQL Server 2000 (up to Service Pack 2). The patch will be included in SQL Server 7.0 Service Pack 5 and SQL Server 2000 Service Pack 3.

Additional information on the SQL Server Security Patch (and download links) can be found at:

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-035.asp


» See All Articles by Editor Forrest Stroud




Database News Archives

Comment and Contribute

 


(Maximum characters: 1200). You have characters left.

 

 




Latest Forum Threads
Database News Forum
Topic By Replies Updated
Efficient SQL Server Indexing by Design lcole 0 April 30th, 12:38 PM
Mine Oracle Database, SQL Server and Other Databases with Monarch Data Pump Pro V10.5 lcole 0 April 30th, 12:37 PM
Oracle Database and Oracle Fusion Middleware for Private Social Network Application lcole 0 April 30th, 12:31 PM
Oracle Database Maintains a Stronghold in the DBMS Market lcole 0 April 30th, 12:30 PM