2.1 Low
CVSS2
Access Vector
Access Complexity
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:L/AC:L/Au:N/C:P/I:N/A:N
0.732 High
EPSS
Percentile
98.1%
The installation process of the remote MS SQL server left a file named ‘sqlsp.log’ on the remote host. This file contains the password assigned to the ‘sa’ account of the remote database.
An attacker may use this flaw to gain administrative access to the database server.
#
# (C) Tenable Network Security, Inc.
#
include("compat.inc");
if (description)
{
script_id(11330);
script_version("1.41");
script_cvs_date("Date: 2018/11/15 20:50:29");
script_cve_id("CVE-2000-0402");
script_bugtraq_id(1281);
script_xref(name:"MSFT", value:"MS00-035");
script_xref(name:"MSKB", value:"263968");
script_name(english:"MS00-035: MS SQL7.0 Service Pack may leave passwords on system (263968)");
script_summary(english:"Reads %temp%\sqlsp.log");
script_set_attribute(attribute:"synopsis", value:
"The remote SQL server is vulnerable to an information disclosure
attack.");
script_set_attribute(attribute:"description", value:
"The installation process of the remote MS SQL server left a file named
'sqlsp.log' on the remote host. This file contains the password
assigned to the 'sa' account of the remote database.
An attacker may use this flaw to gain administrative access to the
database server.");
script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2000/ms00-035");
script_set_attribute(attribute:"solution", value:"Apply the appropriate patches from MS00-035 or upgrade MS SQL.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N");
script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N");
script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"metasploit_name", value:'Microsoft SQL Server Payload Execution via SQL Injection');
script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
script_set_attribute(attribute:"vuln_publication_date", value:"2000/05/30");
script_set_attribute(attribute:"patch_publication_date", value:"2000/05/30");
script_set_attribute(attribute:"plugin_publication_date", value:"2003/03/09");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:sql_server");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_copyright(english:"This script is Copyright (C) 2003-2018 Tenable Network Security, Inc.");
script_family(english:"Windows : Microsoft Bulletins");
script_dependencies("smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl");
script_require_keys("SMB/MS_Bulletin_Checks/Possible");
script_require_ports(139, 445, 'Host/patch_management_checks');
exit(0);
}
include("audit.inc");
include("smb_func.inc");
include("smb_hotfixes.inc");
include("smb_hotfixes_fcheck.inc");
include("misc_func.inc");
get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible");
bulletin = 'MS00-035';
kb = "263968";
kbs = make_list(kb);
if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_WARNING);
get_kb_item_or_exit('SMB/WindowsVersion');
common = hotfix_get_systemroot();
if (!common) exit(1, "Can't get system root.");
port = kb_smb_transport();
login = kb_smb_login();
pass = kb_smb_password();
domain = kb_smb_domain();
if(! smb_session_init()) audit(AUDIT_FN_FAIL, "smb_session_init");
r = NetUseAdd(login:login, password:pass, domain:domain, share:"IPC$");
if (r != 1)
{
NetUseDel();
audit(AUDIT_SHARE_FAIL,"IPC$");
}
hklm = RegConnectRegistry(hkey:HKEY_LOCAL_MACHINE);
if ( isnull(hklm) )
{
NetUseDel();
audit(AUDIT_REG_FAIL);
}
key_h = RegOpenKey(handle:hklm, key:"SYSTEM\CurrentControlSet\Control\Session Manager\Environment", mode:MAXIMUM_ALLOWED);
if ( isnull(key_h) )
{
RegCloseKey(handle:hklm);
NetUseDel();
exit(0);
}
value = RegQueryValue(handle:key_h, item:"TEMP");
RegCloseKey(handle:key_h);
RegCloseKey(handle:hklm);
NetUseDel(close:FALSE);
if ( isnull(value) )
{
NetUseDel();
exit(1);
}
value[1] = ereg_replace(pattern:"%systemroot%", string:value[1], replace:common, icase:TRUE);
share = ereg_replace(pattern:"^([A-Za-z]):.*", replace:"\1$", string:value[1]);
rootfile = ereg_replace(pattern:"^[A-Za-z]:(.*)", replace:"\1\sqlsp.log", string:value[1]);
r = NetUseAdd(login:kb_smb_login(), password:kb_smb_password(), domain:kb_smb_domain(), share:share);
if (r != 1)
{
NetUseDel();
audit(AUDIT_SHARE_FAIL,share);
}
handle = CreateFile (file:rootfile, desired_access:GENERIC_READ, file_attributes:FILE_ATTRIBUTE_NORMAL, share_mode:FILE_SHARE_READ, create_disposition:OPEN_EXISTING);
if ( ! isnull(handle) )
{
CloseFile(handle:handle);
NetUseDel();
if (
defined_func("report_xml_tag") &&
!isnull(bulletin) &&
!isnull(kb)
) report_xml_tag(tag:bulletin, value:kb);
hotfix_security_warning();
set_kb_item(name:"SMB/Missing/"+bulletin, value:TRUE);
exit(0);
}
NetUseDel();
exit(0, "The host is not affected.");
Vendor | Product | Version | CPE |
---|---|---|---|
microsoft | sql_server | cpe:/a:microsoft:sql_server |