CVE-2000-1209
Published: 2002-08-12
Priority: P267
CVSS 2.0: 10.0 (critical), vector AV:N/AC:L/Au:N/C:C/I:C/A:C
Exploit: public exploit code indexed (see the Exploit-DB and Metasploit entries below)
EPSS: 87.31% (99.7th percentile)
The "sa" account is installed with a default null password on (1) Microsoft SQL Server 2000, (2) SQL Server 7.0, and (3) Data Engine (MSDE) 1.0, including third party packages that use these products such as (4) Tumbleweed Secure Mail (MMS) (5) Compaq Insight Manager, and (6) Visio 2000, which allows remote attackers to gain privileges, as exploited by worms such as Voyager Alpha Force and Spida.
Affected
9 ranges indexed (version and fix data not recorded in the source; distinct vendor/product pairs listed):
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| compaq | insight_manager | — | — |
| compaq | insight_manager_xe | — | — |
| microsoft | data_engine | — | — |
| microsoft | msde | — | — |
Detection & IOCs (extracted from sources)
Port: 1433/tcp
Snort/Suricata rules: sid 2103273 (TCP/1433, UTF-16LE content match) and sid 2100680 (TCP/139, ASCII content at offset 83); the full rule text is listed in the Suricata section below.
Bytes matched, UTF-16LE form (Snort pipe notation):
`L|00|o|00|g|00|i|00|n|00| |00|f|00|a|00|i|00|l|00|e|00|d|00| |00|f|00|o|00|r|00| |00|u|00|s|00|e|00|r|00| |00|'|00|s|00|a|00|'|00|`
Bytes matched, ASCII form:
`Login failed for user 'sa'`
- Monitor for repeated 'sa' login failures from external sources on TCP/1433: the Snort rule triggers on 5 failures within 2 seconds from the same source, indicative of brute-force attempts against the blank default 'sa' password.
- Detect 'sa' login failure strings in unicode (UTF-16LE) encoding on TCP/1433 traffic, as used by worms such as Voyager Alpha Force and Spida exploiting the blank 'sa' password.
- Alert on 'sa' login failure strings on TCP/139 (NetBIOS) at byte offset 83, indicating exploitation attempts via SMB-adjacent SQL Server named pipes.
- Detect use of xp_cmdshell in SQL traffic or web requests, as exploitation of the blank 'sa' password commonly leads to OS command execution via this stored procedure.
- Watch for SQL injection patterns of the form ';exec xp_cmdshell '...';-- in HTTP GET parameters, as used by the SQLi-based exploitation module.
- Third-party products bundling vulnerable MSSQL/MSDE instances (Tumbleweed Secure Mail, Compaq Insight Manager, Visio 2000) should be audited for the blank 'sa' password, as they inherit the vulnerability.
- The Snort rule for TCP/1433 unicode detection (sid:2103273) uses a threshold of 5 events in 2 seconds tracked by source IP; tuning may be needed in environments with high legitimate authentication failure rates to avoid false positives.
- The Snort rule for TCP/139 (sid:2100680) relies on a fixed byte offset of 83 for the "Login failed for user 'sa'" string; changes in SQL Server response framing may cause missed detections.
- The Metasploit exploit module leaves a payload executable on the target system after the attack completes, which can serve as a forensic artifact during incident response.
- The debug.exe delivery method (old) invokes ntvdm and is not available on x86_64 systems; attackers on 64-bit targets will use PowerShell or Command Stager methods instead.
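As an added defender-side example (not code from this page or from the rule authors), the following Python decodes the two Snort content strings above into the bytes they match and re-implements the rules' `threshold:type threshold, track by_src, count 5, seconds 2` logic over a few constructed server-to-client segments; the IP addresses and the short byte prefix standing in for a TDS header are made up.

```python
import re
from collections import defaultdict, deque

# Content strings copied from the two Snort rules on this page. Snort pipe
# notation: text outside |...| is literal, hex byte values sit inside |...|.
CONTENT_ASCII = "Login failed for user 'sa'"
CONTENT_UTF16 = ("L|00|o|00|g|00|i|00|n|00| |00|f|00|a|00|i|00|l|00|e|00|d|00| |00|"
                 "f|00|o|00|r|00| |00|u|00|s|00|e|00|r|00| |00|'|00|s|00|a|00|'|00|")

def snort_content_to_bytes(content):
    """Decode a Snort/Suricata content: string into the raw bytes it matches."""
    out = bytearray()
    for literal, hexpart in re.findall(r"([^|]*)(?:\|([0-9A-Fa-f ]*)\|)?", content):
        out += literal.encode("latin-1")
        if hexpart:
            out += bytes.fromhex(hexpart)
    return bytes(out)

class SaLoginFailureThreshold:
    """'threshold:type threshold, track by_src, count 5, seconds 2': alert once
    per `count` matching segments from one tracked address inside `seconds`."""
    def __init__(self, count=5, seconds=2.0):
        self.count, self.seconds = count, seconds
        self.patterns = (snort_content_to_bytes(CONTENT_ASCII),
                         snort_content_to_bytes(CONTENT_UTF16))
        self.window = defaultdict(deque)  # tracked address -> match timestamps

    def process(self, ts, src_ip, payload):
        """Return an alert string when this server->client segment crosses the
        threshold for src_ip (the SQL Server side, given flow:to_client), else None."""
        if not any(p in payload for p in self.patterns):
            return None
        w = self.window[src_ip]
        w.append(ts)
        while w and ts - w[0] > self.seconds:   # drop matches outside the window
            w.popleft()
        if len(w) >= self.count:
            w.clear()                            # Snort resets after each alert
            return f"sa brute force failed login: {self.count} failures from {src_ip}"
        return None

def run_sample():
    """Constructed sample traffic (not a real capture): five UTF-16LE failures
    0.3s apart from server 10.0.0.5, one isolated ASCII failure, one other user."""
    det = SaLoginFailureThreshold()
    utf16_msg = "Login failed for user 'sa'".encode("utf-16-le")
    events = [(i * 0.3, "10.0.0.5", b"\x04\x01\x00\x60" + utf16_msg) for i in range(5)]
    events += [(10.0, "10.0.0.5", b"\x04\x01" + CONTENT_ASCII.encode()),
               (10.5, "10.0.0.6", b"Login failed for user 'bob'")]
    return [a for a in (det.process(*e) for e in events) if a]
```

Because both rules match traffic from $SQL_SERVERS to the client, `track by_src` keys the counter on the responding SQL Server's address rather than the client's, which is worth remembering when tuning against the false-positive caveat above.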
Suricata
GPL SQL sa brute force failed login unicode attempt (sid 2103273, created 2010-09-23)
```
alert tcp $SQL_SERVERS 1433 -> $EXTERNAL_NET any (msg:"GPL SQL sa brute force failed login unicode attempt"; flow:established,to_client; content:"L|00|o|00|g|00|i|00|n|00| |00|f|00|a|00|i|00|l|00|e|00|d|00| |00|f|00|o|00|r|00| |00|u|00|s|00|e|00|r|00| |00|'|00|s|00|a|00|'|00|"; threshold:type threshold, track by_src, count 5, seconds 2; reference:bugtraq,4797; reference:cve,2000-1209; reference:nessus,10673; classtype:unsuccessful-user; sid:2103273; rev:5; metadata:created_at 2010_09_23, cve CVE_2000_1209, signature_severity Informational, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_03_08;)
```
GPL SQL sa login failed, TCP/139 (sid 2100680, created 2010-09-23)
```
alert tcp $SQL_SERVERS 139 -> $EXTERNAL_NET any (msg:"GPL SQL sa login failed"; flow:established,to_client; content:"Login failed for user 'sa'"; offset:83; reference:bugtraq,4797; reference:cve,2000-1209; classtype:attempted-user; sid:2100680; rev:11; metadata:created_at 2010_09_23, cve CVE_2000_1209, signature_severity Informational, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_03_08;)
```
GPL SQL sa brute force failed login attempt (sid 2103152, created 2010-09-23)
```
alert tcp $SQL_SERVERS 1433 -> $EXTERNAL_NET any (msg:"GPL SQL sa brute force failed login attempt"; flow:established,to_client; content:"Login failed for user 'sa'"; threshold:type threshold, track by_src, count 5, seconds 2; reference:bugtraq,4797; reference:cve,2000-1209; reference:nessus,10673; classtype:unsuccessful-user; sid:2103152; rev:5; metadata:created_at 2010_09_23, cve CVE_2000_1209, signature_severity Informational, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_03_08;)
```
GPL SQL sa login failed, TCP/1433 (sid 2100688, created 2010-09-23)
```
alert tcp $SQL_SERVERS 1433 -> $EXTERNAL_NET any (msg:"GPL SQL sa login failed"; flow:established,to_client; content:"Login failed for user 'sa'"; reference:bugtraq,4797; reference:cve,2000-1209; reference:nessus,10673; classtype:unsuccessful-user; sid:2100688; rev:12; metadata:created_at 2010_09_23, cve CVE_2000_1209, signature_severity Informational, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_03_08;)
```
Exploit-DB
Microsoft SQL Server - Payload Execution (via SQL Injection) (Metasploit), indexed 2011-02-08
---
```ruby
##
# $Id: mssql_payload_sqli.rb 11730 2011-02-08 23:31:44Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  # (Rank and mixin declarations are not part of this excerpt)
  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'Microsoft SQL Server Payload Execution via SQL injection',
      'Description' => %q{
        This module will execute an arbitrary payload on a Microsoft SQL
        Server, using a SQL injection vulnerability.
        Once a vulnerability is identified this module
        will use xp_cmdshell to upload and execute Metasploit payloads.
        It is necessary to specify the exact point where th
```
Exploit-DB
Microsoft SQL Server - Payload Execution (Metasploit), indexed 2010-12-21
---
```ruby
##
# $Id: mssql_payload.rb 11392 2010-12-21 20:36:34Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  # (Rank and mixin declarations are not part of this excerpt)
  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'Microsoft SQL Server Payload Execution',
      'Description' => %q{
        This module executes an arbitrary payload on a Microsoft SQL Server by using
        the "xp_cmdshell" stored procedure. Currently, three delivery methods are supported.
        First, the original method uses Windows 'debug.com'. File size restrictions are
        avoided by incorporating the debug bypass method presented by SecureStat
```
Metasploit
Microsoft SQL Server Payload Execution
This module executes an arbitrary payload on a Microsoft SQL Server by using the "xp_cmdshell" stored procedure. Currently, three delivery methods are supported. First, the original method uses Windows 'debug.com'. File size restrictions are avoided by incorporating the debug bypass method presented by SecureStat at Defcon 17. Since this method invokes ntvdm, it is not available on x64 systems. A second method takes advantage of the Command Stager subsystem. This allows using various techniques, such as using a TFTP server, to send the executable. By default the Command Stager uses 'wscript.exe' to generate the executable on the target. Finally, ReL1K's latest method utilizes PowerShell to transmit and recreate the payload on the target. NOTE: This m
Metasploit
Microsoft SQL Server Payload Execution via SQL Injection
This module will execute an arbitrary payload on a Microsoft SQL Server, using a SQL injection vulnerability. Once a vulnerability is identified this module will use xp_cmdshell to upload and execute Metasploit payloads. It is necessary to specify the exact point where the SQL injection vulnerability happens. For example, given the following injection: http://www.example.com/show.asp?id=1;exec xp_cmdshell 'dir';--&cat=electrical you would need to set the following path: set GET_PATH /showproduct.asp?id=1;[SQLi];--&cat=foobar In regard to the payload, unless there is a closed port in the web server, you don't want to use any "bind" payload, especially on port 80, as you will stop reaching the vulnerable web server host. You want a "rev
No writeups or analysis indexed.
References
- http://marc.info/?l=bugtraq&m=96333895000350&w=2
- http://marc.info/?l=bugtraq&m=96593218804850&w=2
- http://marc.info/?l=bugtraq&m=96644570412692&w=2
- http://online.securityfocus.com/archive/1/273639
- http://security-archive.merton.ox.ac.uk/bugtraq-200008/0233.html
- http://support.microsoft.com/default.aspx?scid=kb%3B%5BLN%5D%3BQ313418
- http://support.microsoft.com/default.aspx?scid=kb%3BEN-US%3Bq321081
- http://www.iss.net/security_center/static/1459.php
- http://www.kb.cert.org/vuls/id/635463
- http://www.microsoft.com/security/security_bulletins/ms02020_sql.asp
- http://www.osvdb.org/3570
- http://www.securityfocus.com/bid/4797