CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Vulnerability Details : CVE-2000-1209

The "sa" account is installed with a default null password on (1) Microsoft SQL Server 2000, (2) SQL Server 7.0, and (3) Data Engine (MSDE) 1.0, including third party packages that use these products such as (4) Tumbleweed Secure Mail (MMS) (5) Compaq Insight Manager, and (6) Visio 2000, which allows remote attackers to gain privileges, as exploited by worms such as Voyager Alpha Force and Spida.
Publish Date : 2002-08-12 Last Update Date : 2018-08-13
Search Twitter   Search YouTube   Search Google

- CVSS Scores & Vulnerability Types

CVSS Score
10.0
Confidentiality Impact Complete (There is total information disclosure, resulting in all system files being revealed.)
Integrity Impact Complete (There is a total compromise of system integrity. There is a complete loss of system protection, resulting in the entire system being compromised.)
Availability Impact Complete (There is a total shutdown of the affected resource. The attacker can render the resource completely unavailable.)
Access Complexity Low (Specialized access conditions or extenuating circumstances do not exist. Very little knowledge or skill is required to exploit. )
Authentication Not required (Authentication is not required to exploit the vulnerability.)
Gained Access Admin
Vulnerability Type(s) Gain privileges
CWE ID CWE id is not defined for this vulnerability

- Products Affected By CVE-2000-1209

# Product Type Vendor Product Version Update Edition Language
1 Application Compaq Insight Manager 7.0 Version Details Vulnerabilities
2 Application Compaq Insight Manager 7.0 SP1 Version Details Vulnerabilities
3 Application Compaq Insight Manager Xe 1.1 Version Details Vulnerabilities
4 Application Compaq Insight Manager Xe 1.21 Version Details Vulnerabilities
5 Application Compaq Insight Manager Xe 2.1 Version Details Vulnerabilities
6 Application Compaq Insight Manager Xe 2.1b Version Details Vulnerabilities
7 Application Compaq Insight Manager Xe 2.1c Version Details Vulnerabilities
8 Application Compaq Insight Manager Xe 2.2 Version Details Vulnerabilities
9 Application Microsoft Data Engine 1.0 Version Details Vulnerabilities
10 Application Microsoft Msde 2000 Version Details Vulnerabilities

- Number Of Affected Versions By Product

Vendor Product Vulnerable Versions
Compaq Insight Manager 2
Compaq Insight Manager Xe 6
Microsoft Data Engine 1
Microsoft Msde 1

- References For CVE-2000-1209

http://marc.info/?l=bugtraq&m=96333895000350&w=2
BUGTRAQ 20000710 MSDE / Re: Default Password Database
http://marc.info/?l=bugtraq&m=96593218804850&w=2
BUGTRAQ 20000810 Tumbleweed Worldsecure (MMS) BLANK 'sa' account password
http://marc.info/?l=bugtraq&m=96644570412692&w=2
BUGTRAQ 20000816 Released Patch: Tumbleweed Worldsecure (MMS) BLANK 'sa' account password
http://online.securityfocus.com/archive/1/273639
BUGTRAQ 20020522 Opty-Way Enterprise includes MSDE with sa <blank>
http://security-archive.merton.ox.ac.uk/bugtraq-200008/0233.html
BUGTRAQ 20000815 MS-SQL 'sa' user exploit code
http://www.securityfocus.com/bid/4797
BID 4797 Microsoft MSDE/SQL Server 2000 Desktop Engine Default Configuration Vulnerability Release Date:2009-07-11
http://www.kb.cert.org/vuls/id/635463
CERT-VN VU#635463
http://www.microsoft.com/security/security_bulletins/ms02020_sql.asp CONFIRM
http://www.iss.net/security_center/static/1459.php
XF mssql-no-sapassword(1459)
http://support.microsoft.com/default.aspx?scid=kb;EN-US;q321081
MSKB Q321081
http://support.microsoft.com/default.aspx?scid=kb;[LN];Q313418
MSKB Q313418

- Metasploit Modules Related To CVE-2000-1209

Microsoft SQL Server Payload Execution
This module executes an arbitrary payload on a Microsoft SQL Server by using the "xp_cmdshell" stored procedure. Currently, three delivery methods are supported. First, the original method uses Windows 'debug.com'. File size restrictions are avoided by incorporating the debug bypass method presented by SecureStat at Defcon 17. Since this method invokes ntvdm, it is not available on x64 systems. A second method takes advantage of the Command Stager subsystem. This allows using various techniques, such as using a TFTP server, to send the executable. By default the Command Stager uses 'wcsript.exe' to generate the executable on the target. Finally, ReL1K's latest method utilizes PowerShell to transmit and recreate the payload on the target. NOTE: This module will leave a payload executable on the target system when the attack is finished.
Module type : exploit Rank : excellent Platforms : Windows
Microsoft SQL Server Payload Execution via SQL Injection
This module will execute an arbitrary payload on a Microsoft SQL Server, using a SQL injection vulnerability. Once a vulnerability is identified this module will use xp_cmdshell to upload and execute Metasploit payloads. It is necessary to specify the exact point where the SQL injection vulnerability happens. For example, given the following injection: http://www.example.com/show.asp?id=1;exec xp_cmdshell 'dir';--&cat=electrical you would need to set the following path: set GET_PATH /showproduct.asp?id=1;[SQLi];--&cat=foobar In regard to the payload, unless there is a closed port in the web server, you dont want to use any "bind" payload, specially on port 80, as you will stop reaching the vulnerable web server host. You want a "reverse" payload, probably to your port 80 or to any other outbound port allowed on the firewall. For privileged ports execute Metasploit msfconsole as root. Currently, three delivery methods are supported. First, the original method uses Windows 'debug.com'. File size restrictions are avoided by incorporating the debug bypass method presented by SecureStat at Defcon 17. Since this method invokes ntvdm, it is not available on x64 systems. A second method takes advantage of the Command Stager subsystem. This allows using various techniques, such as using a TFTP server, to send the executable. By default the Command Stager uses 'wcsript.exe' to generate the executable on the target. Finally, ReL1K's latest method utilizes PowerShell to transmit and recreate the payload on the target. NOTE: This module will leave a payload executable on the target system when the attack is finished.
Module type : exploit Rank : excellent Platforms : Windows


CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.