Vulnerabilities > CVE-2002-0644 - Unspecified vulnerability in Microsoft Data Engine and SQL Server

047910
CVSS 7.5 - HIGH
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
PARTIAL
Availability impact
PARTIAL
network
low complexity
microsoft
nessus
exploit available

Summary

Buffer overflow in several Database Consistency Checkers (DBCCs) for Microsoft SQL Server 2000 and Microsoft Desktop Engine (MSDE) 2000 allows members of the db_owner and db_ddladmin roles to execute arbitrary code.

Vulnerable Configurations

Part Description Count
Application
Microsoft
2

Exploit-Db

descriptionMicrosoft SQL Server 2000 Database Consistency Checkers Buffer Overflow Vulnerability. CVE-2002-0644. Remote exploit for windows platform
idEDB-ID:21650
last seen2016-02-02
modified2002-07-25
published2002-07-25
reporterCesar Cerrudo
sourcehttps://www.exploit-db.com/download/21650/
titleMicrosoft SQL Server 2000 Database Consistency Checkers Buffer Overflow Vulnerability

Nessus

NASL familyDatabases
NASL idMSSQL_LITCHFIELD_OVERFLOWS.NASL
descriptionThe remote MS SQL server is affected by several overflows that could be exploited by an attacker to gain SYSTEM access on that host. Note that a worm (sapphire) is exploiting these vulnerabilities in the wild.
last seen2020-06-01
modified2020-06-02
plugin id11214
published2003-01-25
reporterThis script is Copyright (C) 2003-2018 Tenable Network Security, Inc.
sourcehttps://www.tenable.com/plugins/nessus/11214
titleMS02-061: Microsoft SQL Server Multiple Vulnerabilities (uncredentialed check)
code
#
# (C) Tenable Network Security, Inc.
#

#
# ping code taken from mssql_ping by H D Moore
#
#
# MS02-061 supercedes MS02-020, MS02-038, MS02-039, MS02-043 and MS02-056
#
# BID xref by Erik Anderson <[email protected]>
#
# Other CVEs: CVE-2002-0729, CVE-2002-0650
#

include("compat.inc");

if (description)
{
 script_id(11214);
 script_version("1.52");
 script_cvs_date("Date: 2018/11/15 20:50:21");

 script_cve_id("CVE-2002-1137", "CVE-2002-1138", "CVE-2002-0649", "CVE-2002-0650",
               "CVE-2002-1145", "CVE-2002-0644", "CVE-2002-0645", "CVE-2002-0721");
 script_bugtraq_id(5309, 5310, 5311, 5312, 5481, 5483, 5877, 5980);
 script_xref(name:"MSFT", value:"MS02-061");
 script_xref(name:"MSKB", value:"316333");

 script_name(english:"MS02-061: Microsoft SQL Server Multiple Vulnerabilities (uncredentialed check)");
 script_summary(english:"Microsoft's SQL UDP Info Query");

 script_set_attribute(
  attribute:"synopsis",
  value:"The remote database server is affected by multiple buffer overflows."
 );
 script_set_attribute(attribute:"description", value:
"The remote MS SQL server is affected by several overflows that could
be exploited by an attacker to gain SYSTEM access on that host.

Note that a worm (sapphire) is exploiting these vulnerabilities in the
wild." );
 script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2002/ms02-061");
 script_set_attribute(
  attribute:"solution",
  value:
"Microsoft has released patches for SQL Server 7.0 and 2000 as well as
Microsoft Data Engine (MSDE) 1.0 and 2000."
 );
 script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
 script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
 script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
 script_set_attribute(attribute:"exploit_available", value:"true");
 script_set_attribute(attribute:"exploited_by_malware", value:"true");
 script_set_attribute(attribute:"metasploit_name", value:'MS02-039 Microsoft SQL Server Resolution Overflow');
 script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
 script_cwe_id(119);

 script_set_attribute(attribute:"vuln_publication_date", value:"2002/07/24");
 script_set_attribute(attribute:"plugin_publication_date", value:"2003/01/25");

 script_set_attribute(attribute:"plugin_type", value:"remote");
 script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:sql_server");
 script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:data_engine");
 script_end_attributes();

 script_category(ACT_GATHER_INFO);
 script_copyright(english:"This script is Copyright (C) 2003-2018 Tenable Network Security, Inc.");
 script_family(english:"Databases");

 script_dependencies("mssql_ping.nasl");
 script_require_keys("MSSQL/UDP/Ping");
 exit(0);
}

#
# The script code starts here
#


function sql_ping()
{
 local_var r, req, soc;

 req = raw_string(0x02);
 if(!get_udp_port_state(1434))exit(0);
 soc = open_sock_udp(1434);


 if(soc)
 {
	send(socket:soc, data:req);
	r  = recv(socket:soc, length:4096);
	close(soc);
	return(r);
 }
}



r = sql_ping();
if(strlen(r) > 0)
 {
  soc = open_sock_udp(1434);
  send(socket:soc, data:raw_string(0x0A));
  r = recv(socket:soc, length:1);
  if(strlen(r) > 0 && ord(r[0]) == 0x0A)security_hole(port:1434, proto:"udp");
 }
exit(0);