Microsoft SQL Server sa Account Default Blank Password

2001-05-25T00:00:00
ID MSSQL_BLANK_PASSWORD.NASL
Type nessus
Reporter This script is Copyright (C) 2001-2018 H D Moore
Modified 2020-02-02T00:00:00

Description

The remote instance of MS SQL / SQL Server has the default

                                        
                                            ##
#
# this script attempts to log in to a SQL server using the 
# "sa" account with a blank password.
#
##

# Changes by Tenable:
# - Revised plugin title (6/8/09)
# - Match NVD score for CVE, replace string() calls (9/14/18)


include("compat.inc");

if(description)
{
 script_id(10673);
 script_version("1.41");
 script_cvs_date("Date: 2018/09/17 21:46:53");

 script_cve_id("CVE-2000-1209");
 script_bugtraq_id(4797);

 script_name(english:"Microsoft SQL Server sa Account Default Blank Password");
 script_summary(english:"Microsoft's SQL Blank Password");
 
 script_set_attribute(attribute:"synopsis", value:
"The remote database service has an account with a blank password." );
 script_set_attribute(attribute:"description", value:
"The remote instance of MS SQL / SQL Server has the default 'sa'
account enabled without any password. 

An attacker may leverage this flaw to execute commands against the
remote host, as well as read the content of any databases it might
have." );
 script_set_attribute(attribute:"solution", value:
"Disable the 'sa' account or set a password for it.  

In addition, filter incoming TCP traffic to this port. 

For MSDE (OEM versions without MSQL console) : 

 C:\MSSQL7\BINN\osql -U sa

 At the Password: prompt press <Enter>.

 Type the following replacing .password. with the password you wish to
 assign, in single quotes:

 EXEC sp_password NULL, .password., .sa.
 go
 exit" );
 script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
 script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
 script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H");
 script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
 script_set_attribute(attribute:"cvss_score_source", value:"CVE-2000-1209");
 script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
 script_set_attribute(attribute:"exploit_available", value:"false");
 script_set_attribute(attribute:"metasploit_name", value:'Microsoft SQL Server Payload Execution via SQL Injection');
 script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
 script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
 script_set_attribute(attribute:"canvas_package", value:'CANVAS');
 script_set_attribute(attribute:"plugin_publication_date", value: "2001/05/25");
 script_set_attribute(attribute:"vuln_publication_date", value: "2000/07/11");
 script_set_attribute(attribute:"plugin_type", value:"remote");
 script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:sql_server");
 script_end_attributes();
 
 script_category(ACT_ATTACK);
 script_copyright(english:"This script is Copyright (C) 2001-2018 H D Moore");
 script_family(english:"Databases");
 script_require_ports("Services/mssql", 1433); 
 script_dependencies("mssqlserver_detect.nasl", "sybase_detect.nasl");
 script_exclude_keys("global_settings/supplied_logins_only");
 exit(0);
}

#
# The script code starts here
#
include("global_settings.inc");
include("misc_func.inc");

pkt_hdr = raw_string(
    0x02, 0x00, 0x02, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
);


pkt_pt2 = raw_string (
    0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x61, 0x30, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x20, 0x18, 0x81, 0xb8, 0x2c, 0x08, 0x03,
    0x01, 0x06, 0x0a, 0x09, 0x01, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x73, 0x71, 0x75, 0x65, 0x6c, 0x64, 0x61,
    0x20, 0x31, 0x2e, 0x30, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x0b, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00
);

pkt_pt3 = raw_string (
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x04, 0x02, 0x00, 0x00, 0x4d, 0x53, 0x44,
    0x42, 0x4c, 0x49, 0x42, 0x00, 0x00, 0x00, 0x07, 0x06, 0x00, 0x00,
    0x00, 0x00, 0x0d, 0x11, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00
);

pkt_lang = raw_string(
    0x02, 0x01, 0x00, 0x47, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x30, 0x30, 0x30, 0x00, 0x00,
    0x00, 0x03, 0x00, 0x00, 0x00
);

function make_sql_login_pkt (username, password)
{
    local_var nul, pblen, pbuf, plen, ppad, sql_packet, ublen, ubuf, ulen, upad;

    ulen = strlen(username);
    plen = strlen(password);
    
    upad = 30 - ulen;
    ppad = 30 - plen;
    
    ubuf = "";
    pbuf = "";
    
    nul = raw_string(0x00);
    
    if(ulen)
    {
        ublen = raw_string(ulen % 255);
    } else {
        ublen = raw_string(0x00);
    }
    
    if(plen)
    {
        pblen = raw_string(plen % 255);
    } else {
        pblen = raw_string(0x00);
    }  

    ubuf = username + crap(data:nul, length:upad);
    pbuf = password + crap(data:nul, length:ppad);

    sql_packet = pkt_hdr + ubuf + ublen + pbuf + pblen + pkt_pt2 + pblen + pbuf + pkt_pt3;

    # returning this as a string is NOT working!
    return sql_packet;
}


port = get_kb_item("Services/mssql");
if(!port)port = get_kb_item("Services/sybase");
if(!port)
{
  port = 1433;
  if (!service_is_unknown(port:port)) exit(0, "The service is already known on port "+port+".");
}
if (!get_tcp_port_state(port)) exit(0, "Port "+port+" is not open.");

if (supplied_logins_only) exit(0, "Nessus is currently configured to not log in with user accounts not specified in the scan policy.");

found = 0;


soc = open_sock_tcp(port);
if (!soc) exit(1, "Can't open socket on port "+port+".");

# this creates a variable called sql_packet
sql_packet = make_sql_login_pkt(username:"sa", password:"");

send(socket:soc, data:sql_packet);
send(socket:soc, data:pkt_lang);

r  = recv(socket:soc, length:255);
close(soc);

if (
  strlen(r) > 10 &&
  ord(r[8]) == 0xE3
)
{
  # Can we differentiate between mssql and sybase?
  # if (service_is_unknown(port:port)) register_service(port:port, proto:"mssql");

  security_hole(port);
  set_kb_item(name: 'MSSQL/blank_password/'+port, value: TRUE);

  exit(0);
}
else exit(0, "The SQL Server instance listening on port "+port+" is not affected.");