CVE-1999-1556
CVSS 7.2
Published: 1998-06-29 00:00:00
Modified: 2016-10-17 22:05:57

[Original] Microsoft SQL Server 6.5 uses weak encryption for the password for the SQLExecutiveCmdExec account and stores it in an accessible portion of the registry, which could allow local users to gain privileges by reading and decrypting the CmdExecAccount value.


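[CNNVD] NT SQL Server Password Vulnerability (CNNVD-199806-023)

        Microsoft SQL Server 6.5 uses weak encryption for the SQLExecutiveCmdExec account and stores the account in an accessible portion of the registry; local users can gain privileges by reading and decrypting the CmdExecAccount value.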

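- CVSS (Base score)

CVSS score: 7.2 [HIGH]
Confidentiality impact: COMPLETE [total information disclosure, exposing all system files]
Integrity impact: COMPLETE [system integrity can be completely compromised]
Availability impact: COMPLETE [may cause a complete shutdown of the system]
Attack complexity: LOW [exploitation has no access restrictions]
Attack vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [exploitation requires no authentication]

- CPE (Affected platforms and products)

Product and version information (CPE) is not currently available

- OVAL (Technical details for detection)

No related OVAL definitions found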

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1556
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-1999-1556
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-199806-023
(Official data source) CNNVD

- Other links and resources

http://marc.info/?l=ntbugtraq&m=90222453431645&w=2
(UNKNOWN)  NTBUGTRAQ  19980629 MS SQL Server 6.5 stores password in unprotected registry keys
http://www.securityfocus.com/bid/109
(VENDOR_ADVISORY)  BID  109
http://xforce.iss.net/xforce/xfdb/7354
(VENDOR_ADVISORY)  XF  mssql-sqlexecutivecmdexec-password(7354)

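- Vulnerability information

NT SQL Server Password Vulnerability
High risk  Other
1998-06-29 00:00:00 2006-09-01 00:00:00
Local
        Microsoft SQL Server 6.5 uses weak encryption for the SQLExecutiveCmdExec account and stores the account in an accessible portion of the registry; local users can gain privileges by reading and decrypting the CmdExecAccount value.

- Advisories and patches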

        Currently the SecurityFocus staff are not aware of any vendor supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com.

- Vulnerability information

10156
Microsoft SQL Server SQLExecutiveCmdExec Account Credential Encryption Weakness

- Vulnerability description

Unknown or Incomplete

- Timeline

1998-06-28 Unknown
Unknown Unknown

- Solution

Unknown or Incomplete

- Related references

- Vulnerability author

Unknown or Incomplete

- Vulnerability information

NT SQL Server Password Vulnerability
Access Validation Error 109
No No
1998-06-29 12:00:00 2009-07-11 12:16:00
These vulnerabilities were reported to the NTBugTraq mailing list by Todd Sabin <tas@webspan.net> and Kevin Hegg <kevinhegg@kshtechnology.com> on Mon, 29 Jun 1998 and Tue, 30 Jun 1998.

- Affected program versions

Microsoft SQL Server 6.5

- Vulnerability discussion

SQL Server creates an account named SQLExecutiveCmdExec during its installation. This account is created with very limited rights on the machine, and is used by the SQLServer and SQLExecutive services to execute commands submitted to xp_cmdshell by users other than sa (if so configured).

The problem is that SQL Server stores the password for this account in an unprotected section of the registry. Under the key HKLM\SOFTWARE\Microsoft\MSSqlServer\SQLExecutive, there is a value of type REG_BINARY named CmdExecAccount. The data for this value is the password for the SQLExecutiveCmdExec account, encrypted using the PKZip encryption algorithm and a fixed key. It is possible to write a program which decrypts these passwords instantly.

The risk here is probably not too great. The SQLExecutiveCmdExec account is, by design, extremely limited in rights. SQL Server is normally installed on servers; ordinary users won't be able to access the registry remotely, nor log in to the server to access it locally. It's probably the case that it requires more rights to obtain the password than the password would give you. Nevertheless, this is bad practice, and people ought to be aware of it.

Also, if you register a server under SQL Enterprise Manager then whatever login and password you register is stored in the registry. Typically a DBA will register using the 'sa' login, so that also puts the 'sa' password in the registry. To view the login and password go to HKCU/SOFTWARE/MICROSOFT/MSSQLSERVER/SQLEW/Registered Servers/SQL 6.5, then select the target server, choose the 'View->Display Binary Data' menu item, select the 'Byte Format' radio button, and scroll down through the 'Data:' list box and you will see the login and password (no programming is required).
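
An audit check for the two registry locations described above, written as an added example (not code from the advisory or from Microsoft): it scans a text registry export and reports where credential blobs are stored, giving only their size. It assumes a REGEDIT-style text export and that each registered server is a binary value under the Registered Servers key; the sample export and its value data are constructed.

```python
import re

# Locations named in the advisory text; registry key names are case-insensitive.
CMDEXEC_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSSqlServer\SQLExecutive".lower()
CMDEXEC_VALUE = "cmdexecaccount"
REGISTERED_KEY = (r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\MSSQLServer"
                  r"\SQLEW\Registered Servers\SQL 6.5").lower()
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')

def audit_reg_export(text):
    """Return (key, value_name, byte_count, reason) for each stored credential blob."""
    findings, key = [], None
    # A trailing backslash continues a hex value onto the next line.
    joined = re.sub(r"\\\r?\n\s*", "", text)
    for line in map(str.strip, joined.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = VALUE_RE.match(line)
        if key is None or not m or not m.group(2).lower().startswith("hex:"):
            continue
        name = m.group(1)
        # Report only the size of the blob, never its contents.
        nbytes = sum(1 for b in m.group(2)[4:].split(",") if b.strip())
        if key.lower() == CMDEXEC_KEY and name.lower() == CMDEXEC_VALUE:
            findings.append((key, name, nbytes, "SQLExecutiveCmdExec password blob"))
        elif key.lower() == REGISTERED_KEY:
            findings.append((key, name, nbytes, "registered server login and password"))
    return findings

# Constructed sample export; names other than CmdExecAccount are made up
# and the data bytes are zero-filled placeholders.
SAMPLE = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSSqlServer\SQLExecutive]
"CmdExecAccount"=hex:00,00,00,00,00,00,00,00,\
  00,00,00,00
"ExampleString"="not a credential"

[HKEY_CURRENT_USER\Software\Microsoft\MSSQLServer\SQLEW\Registered Servers\SQL 6.5]
"DBSRV01"=hex:00,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Example]
"Other"=hex:00,00
'''

if __name__ == "__main__":
    for key, name, nbytes, reason in audit_reg_export(SAMPLE):
        print(f"{reason}: {key}\\{name} ({nbytes} bytes)")
```

Any finding means the corresponding account password should be treated as exposed to whoever can read that key, so the key's permissions and the accounts registered with 'sa' are the things to review.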

- Exploit

Currently the SecurityFocus staff are not aware of any exploits for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com.

- Solution

Currently the SecurityFocus staff are not aware of any vendor supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com.

- Related references

     

     
