CVE-2000-0402 - Unspecified vulnerability in Microsoft SQL Server 7.0

CVSS 2.1 - LOW
Attack vector: LOCAL
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: PARTIAL
Integrity impact: NONE
Availability impact: NONE

Tags: local, low complexity, microsoft, nessus, exploit available, metasploit

Summary

The Mixed Mode authentication capability in Microsoft SQL Server 7.0 stores the System Administrator (sa) account in plaintext in a log file which is readable by any user, aka the "SQL Server 7.0 Service Pack Password" vulnerability.

Vulnerable Configurations

Part         Description   Count
Application  Microsoft     3

Exploit-Db

  • description: Microsoft SQL Server Payload Execution via SQL injection. CVE-2000-0402, CVE-2000-1209. Remote exploit for Windows platform
    id: EDB-ID:16394
    last seen: 2016-02-01
    modified: 2011-02-08
    published: 2011-02-08
    reporter: metasploit
    source: https://www.exploit-db.com/download/16394/
    title: Microsoft SQL Server Payload Execution via SQL injection
  • description: Microsoft SQL Server Payload Execution. CVE-2000-0402, CVE-2000-1209. Remote exploit for Windows platform
    id: EDB-ID:16395
    last seen: 2016-02-01
    modified: 2010-12-21
    published: 2010-12-21
    reporter: metasploit
    source: https://www.exploit-db.com/download/16395/
    title: Microsoft SQL Server Payload Execution

Metasploit

  • description: This module executes an arbitrary payload on a Microsoft SQL Server by using the "xp_cmdshell" stored procedure. Currently, three delivery methods are supported. First, the original method uses Windows 'debug.com'. File size restrictions are avoided by incorporating the debug bypass method presented by SecureStat at Defcon 17. Since this method invokes ntvdm, it is not available on x64 systems. A second method takes advantage of the Command Stager subsystem. This allows using various techniques, such as using a TFTP server, to send the executable. By default the Command Stager uses 'wscript.exe' to generate the executable on the target. Finally, ReL1K's latest method utilizes PowerShell to transmit and recreate the payload on the target. NOTE: This module will leave a payload executable on the target system when the attack is finished.
    id: MSF:EXPLOIT/WINDOWS/MSSQL/MSSQL_PAYLOAD
    last seen: 2020-05-22
    modified: 2017-09-14
    published: 2010-07-03
    reporter: Rapid7
    source: https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/mssql/mssql_payload.rb
    title: Microsoft SQL Server Payload Execution
  • description: This module will execute an arbitrary payload on a Microsoft SQL Server, using a SQL injection vulnerability. Once a vulnerability is identified this module will use xp_cmdshell to upload and execute Metasploit payloads. It is necessary to specify the exact point where the SQL injection vulnerability happens. For example, given the following injection: http://www.example.com/show.asp?id=1;exec xp_cmdshell 'dir';--&cat=electrical you would need to set the following path: set GET_PATH /showproduct.asp?id=1;[SQLi];--&cat=foobar In regard to the payload, unless there is a closed port in the web server, you don't want to use any "bind" payload, especially on port 80, as you will stop reaching the vulnerable web server host. You want a "reverse" payload, probably to your port 80 or to any other outbound port allowed on the firewall. For privileged ports execute Metasploit msfconsole as root. Currently, three delivery methods are supported. First, the original method uses Windows 'debug.com'. File size restrictions are avoided by incorporating the debug bypass method presented by SecureStat at Defcon 17. Since this method invokes ntvdm, it is not available on x64 systems. A second method takes advantage of the Command Stager subsystem. This allows using various techniques, such as using a TFTP server, to send the executable. By default the Command Stager uses 'wscript.exe' to generate the executable on the target. Finally, ReL1K's latest method utilizes PowerShell to transmit and recreate the payload on the target. NOTE: This module will leave a payload executable on the target system when the attack is finished.
    id: MSF:EXPLOIT/WINDOWS/MSSQL/MSSQL_PAYLOAD_SQLI
    last seen: 2020-01-10
    modified: 2017-09-14
    published: 2011-01-27
    reporter: Rapid7
    source: https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/mssql/mssql_payload_sqli.rb
    title: Microsoft SQL Server Payload Execution via SQL Injection

Nessus

NASL family: Windows : Microsoft Bulletins
NASL id: SMB_NT_MS00-035.NASL
description: The installation process of the remote MS SQL server left a file named 'sqlsp.log' on the remote host. This file contains the password assigned to the 'sa' account of the remote database.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 11330
published: 2003-03-09
reporter: This script is Copyright (C) 2003-2018 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/11330
title: MS00-035: MS SQL7.0 Service Pack may leave passwords on system (263968)
code:
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(11330);
  script_version("1.41");
  script_cvs_date("Date: 2018/11/15 20:50:29");

  script_cve_id("CVE-2000-0402");
  script_bugtraq_id(1281);
  script_xref(name:"MSFT", value:"MS00-035");
  script_xref(name:"MSKB", value:"263968");

  script_name(english:"MS00-035: MS SQL7.0 Service Pack may leave passwords on system (263968)");
  script_summary(english:"Reads %temp%\sqlsp.log");

  script_set_attribute(attribute:"synopsis", value:
"The remote SQL server is vulnerable to an information disclosure
attack.");
  script_set_attribute(attribute:"description", value:
"The installation process of the remote MS SQL server left a file named
'sqlsp.log' on the remote host. This file contains the password
assigned to the 'sa' account of the remote database.

An attacker may use this flaw to gain administrative access to the
database server.");
  script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2000/ms00-035");
  script_set_attribute(attribute:"solution", value:"Apply the appropriate patches from MS00-035 or upgrade MS SQL.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'Microsoft SQL Server Payload Execution via SQL Injection');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2000/05/30");
  script_set_attribute(attribute:"patch_publication_date", value:"2000/05/30");
  script_set_attribute(attribute:"plugin_publication_date", value:"2003/03/09");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:sql_server");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2003-2018 Tenable Network Security, Inc.");
  script_family(english:"Windows : Microsoft Bulletins");

  script_dependencies("smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl");
  script_require_keys("SMB/MS_Bulletin_Checks/Possible");
  script_require_ports(139, 445, 'Host/patch_management_checks');
  exit(0);
}

include("audit.inc");
include("smb_func.inc");
include("smb_hotfixes.inc");
include("smb_hotfixes_fcheck.inc");
include("misc_func.inc");

get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible");

bulletin = 'MS00-035';
kb = "263968";

kbs = make_list(kb);
if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_WARNING);

get_kb_item_or_exit('SMB/WindowsVersion');


common = hotfix_get_systemroot();
if (!common) exit(1, "Can't get system root.");

port = kb_smb_transport();
login  = kb_smb_login();
pass   = kb_smb_password();
domain = kb_smb_domain();

if(! smb_session_init()) audit(AUDIT_FN_FAIL, "smb_session_init");

r = NetUseAdd(login:login, password:pass, domain:domain, share:"IPC$");
if (r != 1)
{
  NetUseDel();
  audit(AUDIT_SHARE_FAIL,"IPC$");
}

hklm = RegConnectRegistry(hkey:HKEY_LOCAL_MACHINE);
if ( isnull(hklm) )
{
  NetUseDel();
  audit(AUDIT_REG_FAIL);
}

key_h = RegOpenKey(handle:hklm, key:"SYSTEM\CurrentControlSet\Control\Session Manager\Environment", mode:MAXIMUM_ALLOWED);
if ( isnull(key_h) )
{
 RegCloseKey(handle:hklm);
 NetUseDel();
 exit(0);
}

value = RegQueryValue(handle:key_h, item:"TEMP");
RegCloseKey(handle:key_h);
RegCloseKey(handle:hklm);
NetUseDel(close:FALSE);

if ( isnull(value) )
{
 NetUseDel();
 exit(1);
}

value[1] = ereg_replace(pattern:"%systemroot%", string:value[1], replace:common, icase:TRUE);
share = ereg_replace(pattern:"^([A-Za-z]):.*", replace:"\1$", string:value[1]);
rootfile =  ereg_replace(pattern:"^[A-Za-z]:(.*)", replace:"\1\sqlsp.log", string:value[1]);


r = NetUseAdd(login:kb_smb_login(), password:kb_smb_password(), domain:kb_smb_domain(), share:share);
if (r != 1)
{
  NetUseDel();
  audit(AUDIT_SHARE_FAIL,share);
}

handle =  CreateFile (file:rootfile, desired_access:GENERIC_READ, file_attributes:FILE_ATTRIBUTE_NORMAL, share_mode:FILE_SHARE_READ, create_disposition:OPEN_EXISTING);

if ( ! isnull(handle) )
{
  CloseFile(handle:handle);
  NetUseDel();

  if (
    defined_func("report_xml_tag") &&
    !isnull(bulletin) &&
    !isnull(kb)
  ) report_xml_tag(tag:bulletin, value:kb);

  hotfix_security_warning();
  set_kb_item(name:"SMB/Missing/"+bulletin, value:TRUE);

  exit(0);
}

NetUseDel();
exit(0, "The host is not affected.");


Packetstorm

Seebug

bulletinFamily: exploit
description: No description provided by source.
id: SSV:75516
last seen: 2017-11-19
modified: 2014-07-01
published: 2014-07-01
reporter: Root
source: https://www.seebug.org/vuldb/ssvid-75516
title: Microsoft SQL Server 2000 User Authentication Remote Buffer Overflow Vulnerability