Vulnerabilities > CVE-2002-1809 - Unspecified vulnerability in Oracle Mysql

047910
CVSS 7.5 - HIGH
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
PARTIAL
Availability impact
PARTIAL
network
low complexity
oracle
nessus
exploit available

Summary

The default configuration of the Windows binary release of MySQL 3.23.2 through 3.23.52 has a NULL root password, which could allow remote attackers to gain unauthorized root access to the MySQL database.

Exploit-Db

description: MySQL 3.20.32/3.22.x/3.23.x Null Root Password Weak Default Configuration Vulnerability (1). CVE-2002-1809. Remote exploit for linux platform
id: EDB-ID:21725
last seen: 2016-02-02
modified: 2002-08-19
published: 2002-08-19
reporter: g0thm0g
source: https://www.exploit-db.com/download/21725/
title: MySQL 3.20.32/3.22.x/3.23.x Null Root Password Weak Default Configuration Vulnerability 1

Nessus

  • NASL family: Databases
    NASL id: MYSQL_UNPASSWORDED.NASL
    description: It is possible to connect to the remote MySQL database server using an unpassworded account. This may allow an attacker to launch further attacks against the database.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 10481
    published: 2000-07-27
    reporter: This script is Copyright (C) 2000-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/10481
    title: MySQL Unpassworded Account Check
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    # Registration section: when `description` is set the script only declares
    # its metadata and scheduling requirements, then exits without touching
    # the network.
    if (description)
    {
      script_id(10481);  
      script_version("1.62");
      script_cvs_date("Date: 2018/11/15 20:50:21");
    
      # One check is mapped to two CVE ids and one Bugtraq id.
      script_cve_id("CVE-2002-1809", "CVE-2004-1532");
      script_bugtraq_id(11704);
    
      script_name(english:"MySQL Unpassworded Account Check");
      script_summary(english:"Checks for unpassword root / anonymous accounts");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote database server can be accessed without a password.");
      script_set_attribute(attribute:"description", value:
    "It is possible to connect to the remote MySQL database server using an
    unpassworded account.  This may allow an attacker to launch further
    attacks against the database.");
      script_set_attribute(attribute:"see_also", value:
    "https://dev.mysql.com/doc/refman/8.0/en/default-privileges.html");
      script_set_attribute(attribute:"solution", value:
    "Disable or set a password for the affected account.");
      # Base vectors: reachable over the network, low complexity, no
      # authentication or privileges needed, partial/low impact on
      # confidentiality, integrity and availability.
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"plugin_publication_date", value:"2000/07/27");
      script_set_attribute(attribute:"vuln_publication_date", value:"2002/08/18");
    
      # "remote": the finding comes from talking to the service, not from
      # local file or package inspection.
      script_set_attribute(attribute:"plugin_type", value:"remote");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:mysql:mysql");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Databases");
    
      script_copyright(english:"This script is Copyright (C) 2000-2018 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      # Needs a detected MySQL service (or TCP 3306) and the service
      # discovery plugin to have run first.
      script_require_ports("Services/mysql", 3306);
      script_dependencies("find_service2.nasl");
      # The check is excluded when the scan is limited to supplied logins.
      # Under that setting a missing finding says nothing about whether
      # unpassworded accounts exist on the server.
      script_exclude_keys("global_settings/supplied_logins_only");
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("mysql_func.inc");
    include("stream_func.inc");
    
    ##
    # Issues 'show databases' on the MySQL session the caller has already
    # authenticated and collects the names found in the reply.
    #
    # The reply is read packet by packet: a first packet whose 'num' is 1,
    # one more packet, a packet starting with byte 254 (0xFE, the end-of-data
    # marker of the MySQL wire protocol), then one packet per row until the
    # next 254 marker.
    #
    # @return list of database names, or NULL if no name could be read.
    ##
    function show_databases()
    {
      local_var pkt, names;

      # mkbyte(3) is the command byte (COM_QUERY) that precedes the SQL text.
      mysql_send_packet(data:mkbyte(3)+'show databases', num:0);
      names = make_list();

      # Any deviation from the expected packet sequence means "nothing read".
      pkt = mysql_recv_packet();
      if (isnull(pkt) || pkt['num'] != 1) return NULL;

      pkt = mysql_recv_packet();
      if (isnull(pkt)) return NULL;

      pkt = mysql_recv_packet();
      if (isnull(pkt) || getbyte(blob:pkt['data'], pos:0) != 254) return NULL;

      # NOTE(review): the row loop stops only on a 254 marker or a NULL
      # packet; there is no cap on the number of rows accepted from the
      # remote server. Presumably mysql_recv_packet() times out on a stalled
      # peer - confirm in mysql_func.inc.
      while (TRUE)
      {
        pkt = mysql_recv_packet();
        if (isnull(pkt) || getbyte(blob:pkt['data'], pos:0) == 254) break;

        # Skip the first byte of the row (presumably a one-byte length
        # prefix - verify for very long names) and keep the rest as the name.
        names = make_list(names, substr(pkt['data'], 1, pkt['len']-1));
      }

      if (max_index(names) > 0) return names;
      return NULL;
    }
    
    ##
    # Asks the server which account the current session is authenticated as
    # by running 'select current_user()'.
    #
    # The caller uses the answer to report the account that was actually
    # granted access rather than the user name that was sent at login.
    #
    # @return the value of the single result row, or NULL if the reply did
    #         not follow the expected packet sequence.
    ##
    function current_user()
    {
      local_var pkt, user;

      # mkbyte(3) is the command byte (COM_QUERY) that precedes the SQL text.
      mysql_send_packet(data:mkbyte(3)+'select current_user()', num:0);

      # First reply packet must carry num 1.
      pkt = mysql_recv_packet();
      if (isnull(pkt) || pkt['num'] != 1) return NULL;

      # One more packet is consumed without inspecting its content.
      pkt = mysql_recv_packet();
      if (isnull(pkt)) return NULL;

      # Then a packet starting with 254 (0xFE, end-of-data marker).
      pkt = mysql_recv_packet();
      if (isnull(pkt) || getbyte(blob:pkt['data'], pos:0) != 254) return NULL;

      # The next packet is the row; a 254 marker here means no row came back.
      pkt = mysql_recv_packet();
      if (isnull(pkt) || getbyte(blob:pkt['data'], pos:0) == 254) return NULL;

      # Drop the first byte of the row (presumably its length prefix).
      user = substr(pkt['data'], 1, pkt['len']-1);

      # Read one more packet, presumably the closing marker, so it does not
      # stay queued in front of the caller's next query.
      pkt = mysql_recv_packet();

      return user;
    }
    
    ## Main code ##
    
    # Main check: for each candidate user name, open a fresh connection and
    # attempt a login without supplying a password. The first success is
    # reported and ends the script; if none succeeds the service is audited
    # as not vulnerable.
    #
    # Coverage caveat: only the names "root" and "anonymous" are tried, so
    # other accounts that have an empty password are outside this check.
    port = get_service(svc:"mysql", default:3306, exit_on_fail:TRUE);
    # Stop here when the scan is restricted to supplied logins.
    if (supplied_logins_only) audit(AUDIT_SUPPLIED_LOGINS_ONLY);
    
    foreach name (make_list("root", "anonymous"))
    {
     # nocache:TRUE - presumably forces a new handshake per attempt; confirm
     # in mysql_func.inc.
     mysql_init(port:port, nocache:TRUE, exit_on_fail:TRUE);
    
     # Start from the capability flags of the handshake and clear the
     # CLIENT_NO_SCHEMA bit before logging in.
     caps = mysql_get_caps();
     caps = caps & (0xFFFFFFFF - CLIENT_NO_SCHEMA);
     # No password argument is passed: a return value of 1 means the server
     # accepted the login for this name without one.
     if (mysql_login(user:name, flags:caps) == 1)
     {
      # Check which user we authenticated as, not which user we _tried_
      # to authenticate as. This prevents erroneously flagging an
      # unpassworded root account when we actually authenticated as
      # an anonymous user
      user = current_user();
    
      if (!isnull(user))
      {
        # current_user() is split on '@'; an empty part before the '@'
        # is treated as the anonymous account.
        user = split(user, sep:'@', keep:FALSE);
        if (user[0] == '')
          report = '\nThe anonymous account does not have a password.\n';
        else
          # NOTE(review): this branch reports the attempted name, not
          # user[0]; confirm the two cannot differ for a named account.
          report = '\nThe \''+name+'\' account does not have a password.\n';
      }
      # If the account could not be determined, fall back to the attempted name.
      else report = '\nThe \''+name+'\' account does not have a password.\n';
    
      # Fetch data directory and current databases, and KB store them
      datadir = mysql_query_41(sql:'SHOW VARIABLES WHERE Variable_Name = "datadir"');
      if (!empty_or_null(datadir) && !empty_or_null(datadir[0]) && !empty_or_null(datadir[0]['Value']))
      {
        replace_kb_item( name:'mysql/' + port + '/datadir', value:datadir[0]['Value'] );
      }
    
      databases = show_databases();
      if (!isnull(databases))
      {
       info = "";
       foreach value (databases)
       {
        info += '  - '+value+'\n';
       }
       if (info)
       {
        report += '\nHere is the list of databases on the remote server :\n\n'+info;
        # NOTE(review): the MySQL/no_passwd/<port> key is written only when
        # a database list was obtained, and it stores the attempted name
        # rather than the account returned by current_user(). A plugin
        # reading this key would miss a host where the login succeeded but
        # the listing came back empty - confirm this is intended.
        set_kb_item(name: 'MySQL/no_passwd/'+port, value: name);
        replace_kb_item(name:'mysql/' + port + '/databases', value:info);
       }
      }
      # Report and stop at the first name that logs in; the remaining name
      # is not tested. mysql_close() is not called on this path.
      security_hole(port:port, extra:report);
      exit(0);
     }
    
     # Login refused for this name: drop the connection before the next try.
     mysql_close();
    }
    # Reached only when neither name could log in without a password.
    audit(AUDIT_LISTEN_NOT_VULN, 'MySQL', port);
    
    
  • NASL family: Databases
    NASL id: MYSQL_3_WEAK_DEFAULT_CONFIG.NASL
    description: The version of MySQL installed on the remote host is 3.20.32 to 3.23.52. On Windows, the default configuration used in these versions is weak : - The database server binds to all network interfaces and can be reached from outside. (CVE-2002-1921) - Logging is disabled, attackers will not be detected. (CVE-2002-1923) - root's password is blank. (CVE-2002-1809)
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 17821
    published: 2012-01-18
    reporter: This script is Copyright (C) 2012-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/17821
    title: MySQL 3.20.32 - 3.23.52 Weak Default Configuration
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
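    # Registration section: when `description` is set the script only declares
    # its metadata and scheduling requirements, then exits without touching
    # the network.
    if (description)
    {
      script_id(17821);
      script_version("1.8");
      script_cvs_date("Date: 2018/11/15 20:50:21");
    
      # One CVE / Bugtraq id per weakness listed in the description below.
      script_cve_id(
        "CVE-2002-1809",
        "CVE-2002-1921",
        "CVE-2002-1923"
      );
      script_bugtraq_id(
        5503,
        5511,
        5513
      );
    
      script_name(english:"MySQL 3.20.32 - 3.23.52 Weak Default Configuration");
      script_summary(english:"Checks the version of MySQL Server.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The default configuration of the remote database server may be
    weak.");
      script_set_attribute(attribute:"description", value:
    "The version of MySQL installed on the remote host is 3.20.32 to
    3.23.52. On Windows, the default configuration used in these versions
    is weak :
    
      - The database server binds to all network interfaces and 
        can be reached from outside. (CVE-2002-1921)
    
      - Logging is disabled, attackers will not be detected. 
        (CVE-2002-1923)
    
      - root's password is blank. (CVE-2002-1809)");
      script_set_attribute(attribute:"see_also", value:"https://seclists.org/bugtraq/2002/Aug/281");
      # The solution text covers all three weaknesses named in the
      # description: restricting the listener alone would leave the blank
      # root password and the disabled logging untouched.
      script_set_attribute(attribute:"solution", value:
    "Edit the configuration file and add this line if needed :
    
    bind-address=127.0.0.1
    
    Also set a password for the MySQL root account and enable logging,
    since the bind-address change alone leaves the blank root password
    (CVE-2002-1809) and the disabled logging (CVE-2002-1923) in place.");
      # Base vector: reachable over the network, low complexity, no
      # authentication, partial impact on confidentiality, integrity and
      # availability.
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2002/10/01");
      script_set_attribute(attribute:"plugin_publication_date", value:"2012/01/18");
    
      # Marked as a potential vulnerability: the summary above states that
      # only the server version is checked, so a finding means "this release
      # shipped with weak defaults", not "this host still has them".
      script_set_attribute(attribute:"potential_vulnerability", value:"true");
      script_set_attribute(attribute:"plugin_type", value:"remote");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:mysql:mysql");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Databases");
    
      script_copyright(english:"This script is Copyright (C) 2012-2018 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      # NOTE(review): os_fingerprint.nasl is a dependency and the description
      # limits the weak defaults to Windows, but no OS condition is visible in
      # the check that follows this section - confirm whether non-Windows
      # hosts are filtered inside mysql_version.inc.
      script_dependencies("mysql_version.nasl", "mysql_login.nasl", "os_fingerprint.nasl");
      # Runs only when paranoid reporting is enabled in the scan settings.
      script_require_keys("Settings/ParanoidReport");
      script_require_ports("Services/mysql", 3306);
    
      exit(0);
    }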
    
    include("mysql_version.inc");
    
    # Entire check: compare the detected server version against the range
    # given by min ('3.20.32') and fixed ('3.23.53') and report with
    # SECURITY_HOLE severity on a match. Boundary handling is implemented in
    # mysql_version.inc (not shown here). Nothing on this line logs in or
    # reads the bind address, logging or root password settings, so a hit
    # should be confirmed against the live configuration.
    mysql_check_version(fixed:'3.23.53', min: '3.20.32', severity:SECURITY_HOLE);