CVE-2005-4145
published 2005-12-10CVE-2005-4145: The MSDE version of Lyris ListManager 5.0 through 8.9b configures the sa account in the database to use a password with a small search space ("lyris" and up to…
PriorityP348medium6.5CVSS 2.0
AVNACLAuSCPIPAP
EXPLOIT
EPSS
43.92%
98.6th percentile
The MSDE version of Lyris ListManager 5.0 through 8.9b configures the sa account in the database to use a password with a small search space ("lyris" and up to 5 digits, possibly from the process ID), which allows remote attackers to gain access via a brute force attack.
Affected
5 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| lyris_technologies_inc | listmanager | — | — |
| lyris_technologies_inc | listmanager | — | — |
| lyris_technologies_inc | listmanager | — | — |
| lyris_technologies_inc | listmanager | — | — |
| lyris_technologies_inc | listmanager | — | — |
Detection & IOCsextracted from sources · hover to see the quote
- →Detect rapid sequential MSSQL authentication attempts for the 'sa' account using passwords matching the pattern 'lyris' followed by 1–65535 (process ID brute force). ↗
- →Alert on successful MSSQL 'sa' login using the password 'lminstall', which is the transient installation-phase credential. ↗
- →Monitor for MSSQL xp_cmdshell or binary upload/execution activity following 'sa' authentication, as the exploit uploads and executes a payload after successful login. ↗
- →High-volume sequential failed MSSQL login attempts (increments of 1000 logged by the module) against the 'sa' account from a single source IP should trigger a brute-force alert. ↗
- ·The Metasploit module is explicitly set to NOT auto-run (autofilter returns false) due to risk of account lockout on SQL Server 2005 targets — brute-force use may lock out the 'sa' account. ↗
- ·Newer Lyris ListManager installations may use a randomly generated suffix (e.g., 'lyris629dAe536F') instead of a numeric PID, making the numeric brute-force ineffective but requiring broader password pattern coverage. ↗
- ·The vulnerability affects only the MSDE (Microsoft SQL Server Desktop Engine) variant of Lyris ListManager versions 5.0 through 8.9b; non-MSDE installs are not affected. ↗
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
No detection rules found.
Exploit-DB
Lyris ListManager - MSDE Weak sa Password (Metasploit)
exploitdb·2010-09-20
CVE-2005-4145 Lyris ListManager - MSDE Weak sa Password (Metasploit)
Lyris ListManager - MSDE Weak sa Password (Metasploit)
---
##
# $Id: lyris_listmanager_weak_pass.rb 10394 2010-09-20 08:06:27Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'Lyris ListManager MSDE Weak sa Password',
'Description' => %q{
This module exploits a weak password vulnerability in the
Lyris ListManager MSDE install. During installation, the 'sa'
account password is set to 'lminstall'. Once the install
completes, it is set to 'lyris' followed by the process
ID of the installer. This module brute forces all possible
process
Metasploit
Lyris ListManager MSDE Weak sa Password
metasploit
Lyris ListManager MSDE Weak sa Password
Lyris ListManager MSDE Weak sa Password
This module exploits a weak password vulnerability in the Lyris ListManager MSDE install. During installation, the 'sa' account password is set to 'lminstall'. Once the install completes, it is set to 'lyris' followed by the process ID of the installer. This module brute forces all possible process IDs that would be used by the installer.
No writeups or analysis indexed.
http://archives.neohapsis.com/archives/fulldisclosure/2005-12/0349.htmlhttp://metasploit.com/research/vulns/lyris_listmanager/http://secunia.com/advisories/17943http://www.osvdb.org/21559http://www.securityfocus.com/archive/1/419077/100/0/threadedhttp://www.vupen.com/english/advisories/2005/2820http://archives.neohapsis.com/archives/fulldisclosure/2005-12/0349.htmlhttp://metasploit.com/research/vulns/lyris_listmanager/http://secunia.com/advisories/17943http://www.osvdb.org/21559http://www.securityfocus.com/archive/1/419077/100/0/threadedhttp://www.vupen.com/english/advisories/2005/2820
2005-12-10
Published