| code | #
# (C) Tenable Network Security, Inc.
#
#
# ping code taken from mssql_ping by H D Moore
#
#
# MS02-061 supercedes MS02-020, MS02-038, MS02-039, MS02-043 and MS02-056
#
# BID xref by Erik Anderson <[email protected]>
#
# Other CVEs: CVE-2002-0729, CVE-2002-0650
#
include("compat.inc");
if (description)
{
script_id(11214);
script_version("1.52");
script_cvs_date("Date: 2018/11/15 20:50:21");
script_cve_id("CVE-2002-1137", "CVE-2002-1138", "CVE-2002-0649", "CVE-2002-0650",
"CVE-2002-1145", "CVE-2002-0644", "CVE-2002-0645", "CVE-2002-0721");
script_bugtraq_id(5309, 5310, 5311, 5312, 5481, 5483, 5877, 5980);
script_xref(name:"MSFT", value:"MS02-061");
script_xref(name:"MSKB", value:"316333");
script_name(english:"MS02-061: Microsoft SQL Server Multiple Vulnerabilities (uncredentialed check)");
script_summary(english:"Microsoft's SQL UDP Info Query");
script_set_attribute(
attribute:"synopsis",
value:"The remote database server is affected by multiple buffer overflows."
);
script_set_attribute(attribute:"description", value:
"The remote MS SQL server is affected by several overflows that could
be exploited by an attacker to gain SYSTEM access on that host.
Note that a worm (sapphire) is exploiting these vulnerabilities in the
wild." );
script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2002/ms02-061");
script_set_attribute(
attribute:"solution",
value:
"Microsoft has released patches for SQL Server 7.0 and 2000 as well as
Microsoft Data Engine (MSDE) 1.0 and 2000."
);
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"exploited_by_malware", value:"true");
script_set_attribute(attribute:"metasploit_name", value:'MS02-039 Microsoft SQL Server Resolution Overflow');
script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
script_cwe_id(119);
script_set_attribute(attribute:"vuln_publication_date", value:"2002/07/24");
script_set_attribute(attribute:"plugin_publication_date", value:"2003/01/25");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:sql_server");
script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:data_engine");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_copyright(english:"This script is Copyright (C) 2003-2018 Tenable Network Security, Inc.");
script_family(english:"Databases");
script_dependencies("mssql_ping.nasl");
script_require_keys("MSSQL/UDP/Ping");
exit(0);
}
#
# The script code starts here
#
function sql_ping()
{
local_var r, req, soc;
req = raw_string(0x02);
if(!get_udp_port_state(1434))exit(0);
soc = open_sock_udp(1434);
if(soc)
{
send(socket:soc, data:req);
r = recv(socket:soc, length:4096);
close(soc);
return(r);
}
}
r = sql_ping();
if(strlen(r) > 0)
{
soc = open_sock_udp(1434);
send(socket:soc, data:raw_string(0x0A));
r = recv(socket:soc, length:1);
if(strlen(r) > 0 && ord(r[0]) == 0x0A)security_hole(port:1434, proto:"udp");
}
exit(0);
|