COMMAND
Data Transformation Service (DTS)
SYSTEMS AFFECTED
Microsoft SQL Server 7.0
PROBLEM
The following is based on a Microsoft Security Bulletin.
Data Transformation Service (DTS) packages in SQL Server 7.0 allow
database administrators to create a package that will perform a
particular database action at regular intervals. As part of the
creation of a DTS package, the administrator provides the account
name and password under which the action should be taken.
However, the password can be retrieved by programmatically
interrogating the package's Properties dialog. The
vulnerability can only occur if several best practices have not
been followed:
- The creator of the DTS package chose to supply a username and
password instead of using Windows Authentication.
- The DTS package was created without restricting who can edit
it.
- The SQL Server administrator allowed Guest access to the SQL
Server MSDB database.
- A SQL Server is registered under Enterprise Manager using a
username and password instead of using Windows Authentication.
On July 11, 2000, Microsoft updated their bulletin to reflect a
similar issue with the Enterprise Manager Server registration
dialog. A new version of the patch is available to remedy all
symptoms related to this vulnerability.
SOLUTION
Patch availability:
- Intel: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=21905
- Alpha: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=21906