-----BEGIN PGP SIGNED MESSAGE-----

             __________________________________________________________

                       The U.S. Department of Energy
                    Computer Incident Advisory Capability
                           ___  __ __    _     ___
                          /       |     /_\   /
                          \___  __|__  /   \  \___
             __________________________________________________________

                             INFORMATION BULLETIN

           Microsoft SQL Server Admin Login Encryption Vulnerability

March 21, 2000 17:00 GMT                                          Number K-026
______________________________________________________________________________
PROBLEM:       A vulnerability has been identified in the Microsoft SQL Server 
               7.0 encryption used to store administrative login id. 
PLATFORM:      All Microsoft Windows 95, Windows 98, and NT platforms that an 
               SQL DBA (database administrator) could log into with a roaming 
               profile. 
DAMAGE:        Remote and local attackers can decrypt the weakly encrypted 
               file containing the DBA login ID and password. 
SOLUTION:      Follow the procedures given in the bulletin below to prevent 
               passwords from being stored. 
______________________________________________________________________________
VULNERABILITY  The risk is medium. A DBA would have to log into a workstation 
ASSESSMENT:    that the attacker has access to, and the login procedure needs 
               to create a weakly encrypted file with the DBA login id and 
               password. 
______________________________________________________________________________

[ Start Internet Security Systems Advisory ]

- -----BEGIN PGP SIGNED MESSAGE-----

ISS Security Advisory
March 14, 2000

Vulnerability in Microsoft SQL Server 7.0 Encryption Used to Store
Administrative Login ID

Synopsis:

Internet Security Systems (ISS) has identified a vulnerability in the
encryption used to conceal the password and login ID of a registered SQL
Server user in Enterprise Manager for Microsoft SQL Server 7.0. When
registering a new SQL Server in the Enterprise Manager or editing the SQL
Server registration properties, the login name that will be used by the
Enterprise Manager for the connection must be specified. If a SQL Server
login name is used instead of a Widows Domain user name and the 'Always
prompt for login name and password' checkbox is not set, the login ID and
password are weakly encrypted and stored in the registry.

When a DBA (database administrator) logs into a workstation with a roaming
profile, the login ID and password are stored in a registry key. This
information is stored as the file NTUSER.DAT (for Windows NT) or USER.DAT
(for Windows 95 or Windows 98) when the user logs off. An attacker can open
this file in a text editor to view the DBA login ID and password encrypted.
An attacker can reverse this encryption to gain access to the DBA login ID
and password.

Impact:  

Remote and local attackers who acquire the system administrator password
have full control over the database server software as well as full access
to the content and integrity of the database.

Affected Versions:

Microsoft Enterprise Manager for SQL Server 7.0 is vulnerable.

Description:

The encryption used to conceal the password and login ID of a registered SQL
Server user in Enterprise Manager for SQL Server 7.0 can be reversed. The
encryption scheme used is an alphabetic substitution where each Unicode
character in the password is XOR'ed with a two byte value according to its
position in the string. If the 'Always prompt for login name and password'
checkbox is not set when registering a SQL Server, the login ID and password
is weakly encrypted and stored in the following registry key:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\MSSQLServer\SQLEW\Registered Server X. 

By design, the HKEY_CURRENT_USER registry hive is meant to be available only
to the currently logged on user. That is, when a different Windows NT user
logs onto the system, a different copy of the HKEY_CURRENT_USER registry
hive is loaded. In practice, the HKEY_CURRENT_USER registry hive is saved
locally as the file NTUSER.DAT or USER.DAT when a user logs off. This
registry hive can be opened in Notepad and the encrypted login ID and
password can be easily located. If the DBA has a roaming profile, the
NTUSER.DAT file will be saved on every workstation the DBA logs into.

Recommendations:

To securely use SQL Server, Microsoft recommends using Windows Integrated
Security. In Windows Integrated Security mode passwords are never stored, as
your Windows Domain sign-on is used as the security identifier to the
database server. 


If a SQL Server login ID is specified for logging into a server in the
Enterprise Manager, Microsoft recommends using the option 'Always prompt for
login name and password' to prevent passwords from being stored in the
registry.

ISS SAFEsuite security assessment software, Database Scanner, contains a
security check for this vulnerability and is currently available for
customers in the latest version of Database Scanner, 3.0.1. 

Credits:

This vulnerability was discovered by Internet Security Systems (ISS). ISS
would like to thank Microsoft for their response and handling of this
vulnerability. 

_____

About Internet Security Systems (ISS)
ISS is a leading global provider of security management solutions for
e-business. By offering best-of-breed SAFEsuite (tm) security software,
industry-leading ePatrol (tm) managed security services, and strategic
consulting and education services, ISS is a trusted security provider to its
customers, protecting digital assets and ensuring the availability,
confidentiality and integrity of computer systems and information critical
to e-business success. ISS' lifecycle e-business security management
solutions protect more than 5,000 customers including 21 of the 25 largest
U.S. commercial banks, 9 of the 10 largest telecommunications companies and
over 35 government agencies. Founded in 1994, ISS is headquartered in
Atlanta, GA, with additional offices throughout North America and
international operations in Asia, Australia, Europe, Latin America and the
Middle East. For more information, visit the ISS Web site at www.iss.net or
call 888-901-7477.

Copyright (c) 2000 by Internet Security Systems, Inc.

Permission is hereby granted for the redistribution of this Alert
electronically. It is not to be edited in any way without express consent of
the X-Force. If you wish to reprint the whole or any part of this Alert in
any other medium excluding electronic medium, please e-mail xforce@iss.net
for permission.

Disclaimer

The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There are
NO warranties with regard to this information. In no event shall the author
be liable for any damages whatsoever arising out of or in connection with
the use or spread of this information. Any use of this information is at the
user's own risk.

X-Force PGP Key available at: http://xforce.iss.net/sensitive.php3 as well
as on MIT's PGP key server and PGP.com's key server.

Please send suggestions, updates, and comments to: X-Force (xforce@iss.net)
of Internet Security Systems, Inc.

- -----BEGIN PGP SIGNATURE-----
Version: 2.6.3a
Charset: noconv

iQCVAwUBOM66ZjRfJiV99eG9AQGpvwQApvXATzDbR07MiRO1pfUh9+A08FU1HdZg
ZBbonp/uMfPkDLTRPQ/W/XfYdCMfNlZVoseepvBZ2FlAJtALdAq8n5cFuxynN0m1
fQOsgYIwOjlgNGcnKdRK7hoqBNw4T2JuekwmgecpWzvYMOYXlmtmbCQhnJOx3HU6
nsvR/uJUogk=
=HOA2
- -----END PGP SIGNATURE-----


[ End Internet Security Systems Advisory ] 
______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Internet Security Systems 
(ISS) for the information contained in this bulletin.
______________________________________________________________________________


CIAC, the Computer Incident Advisory Capability, is the computer
security incident response team for the U.S. Department of Energy
(DOE) and the emergency backup response team for the National
Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
National Laboratory in Livermore, California. CIAC is also a founding
member of FIRST, the Forum of Incident Response and Security Teams, a
global organization established to foster cooperation and coordination
among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
can be contacted at:
    Voice:    +1 925-422-8193
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@llnl.gov

For emergencies and off-hour assistance, DOE, DOE contractor sites,
and the NIH may contact CIAC 24-hours a day. During off hours (5PM -
8AM PST), use one of the following methods to contact CIAC:

    1.  Call the CIAC voice number 925-422-8193 and leave a message, or

    2.  Call 888-449-8369 to send a Sky Page to the CIAC duty person or

    3.  Send e-mail to 4498369@skytel.com, or

    4.  Call 800-201-9288 for the CIAC Project Leader.

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

   World Wide Web:      http://www.ciac.org/
                        (or http://ciac.llnl.gov -- they're the same machine)
   Anonymous FTP:       ftp.ciac.org
                        (or ciac.llnl.gov -- they're the same machine)
   Modem access:        +1 (925) 423-4753 (28.8K baud)
                        +1 (925) 423-3331 (28.8K baud)

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins.  If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their
constituencies can be obtained via WWW at http://www.first.org/.

This document was prepared as an account of work sponsored by an
agency of the United States Government. Neither the United States
Government nor the University of California nor any of their
employees, makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

K-016: Microsoft "Malformed IMAP Request" Vulnerability 
K-017: Microsoft "Malformed RTF Control Word" Vulnerability 
K-018: HP-UX - Security Vulnerability with PMTU Strategy 
K-019: Microsoft - "Spoofed LPC Port Request" Vulnerability 
K-020: Majordomo open() call Vulnerability 
K-021: Malicious HTML Tags Vulnerability 
K-022: FreeBSD - Asmon/Ascpu Vulnerability
K-023: FreeBSD - Delegate Proxy Server Vulnerability
K-024: Microsoft Systems Management Server Vulnerability
K-025: MySQL Password Authentication Vulnerability


-----BEGIN PGP SIGNATURE-----
Version: 4.0 Business Edition

iQCVAwUBONkVXbnzJzdsy3QZAQHW0gP/W7MrIhwTFQOXiCtSv/hJgcnGvjMLsJlD
k/A0+wdxL18VgS2rCzGT+BdlQaPACy4uHGyFGX9Qh8U31pOVQI6dzGrAqle9RQC4
pYUvz+tlZNHjfpcuhWGl5tMS2qOqND8Y5ot/hUu9ECSeFLfjGepXJ6tlMYIzQDGv
ONF/G9bFQ4E=
=IVPS
-----END PGP SIGNATURE-----