--------------------------------------------------------------------------------
Summary of Vulnerability for Application
--------------------------------------------------------------------------------
COMPANY NAME:
PRINT DATE  : 9/9/2004
TEST DATE   : 9/7/2004 8:18:09 PM - 9/7/2004 8:27:47 PM
APPLICATION : Microsoft SQL Server 2000 (MSSQLSERVER) on 192.168.1.212, port 1433
--------------------------------------------------------------------------------
REPORT DESCRIPTION:
A security review has been run on a number of applications on your network. This review consisted of probing the application and comparing the results to a knowledge base of application security vulnerabilities. This report displays a summary list of all vulnerabilities found, including a summary analysis of each problem. To review a more detailed list of vulnerabilities and a comprehensive description of each vulnerability found, you can view the Vulnerability Details report.

REPORT SUMMARY:
------------------------------------------------------------
Vulnerabilities By Risk Level
------------------------------------------------------------
RiskLevel            Vulnerability Count
------------------------------------------------------------
High                 51
Medium               14
Low                  71
Informational        6
------------------------------------------------------------

REPORT CONTENT:
--------------------------------------------------------------------------------
> RISK LEVEL: High
> CHECK NAME: Agent jobs privilege escalation
> DESCRIPTION: A patch has not been applied to prevent privilege escalation through the SQL Agent service.
> SUMMARY: A security issue exists that allows privilege escalation to be done through the Agent service. By default, the public group is allowed to create jobs that the Agent runs. By crafting a malicious job using extended stored procedures such as xp_execresults, a non-privileged login can gain administrator privileges in the database.
--------------------------------------------------------------------------------
> RISK LEVEL: High
> CHECK NAME: Blank password
> DESCRIPTION: A blank password for a SQL Server login has been found.
> SUMMARY: A blank password for a SQL Server login creates a security hole in SQL Server. If a password is left blank, an attacker can gain access to the SQL Server as the login with the blank password.
--------------------------------------------------------------------------------
> RISK LEVEL: High
> CHECK NAME: Blank password for sa
> DESCRIPTION: The sa password is blank.
> SUMMARY: The administrator login on Microsoft SQL Server is called 'sa'. Prior to SQL Server 2000, this login installed with a blank password. In version 8, you are now prompted for a password, but the password may still be set to blank. Leaving a blank password on the login allows an attacker to easily break into the database.
--------------------------------------------------------------------------------
> RISK LEVEL: High
> CHECK NAME: Blank password for well-known login
> DESCRIPTION: A well-known login has a blank password.
> SUMMARY: Microsoft SQL Server version 6.x installed with several well-known logins. These logins were used for various tasks such as replication and performance monitoring of the database. By leaving the login with a blank password, access to the database could be gained by an attacker.
--------------------------------------------------------------------------------
> RISK LEVEL: High
> CHECK NAME: DBCC CLEANTABLE buffer overflow
> DESCRIPTION: This version of SQL Server contains a buffer overflow in the DBCC CLEANTABLE function.
> SUMMARY: The built-in function DBCC CLEANTABLE contains a buffer overflow that may allow an attacker to overwrite the stack and execute arbitrary code under the security context of the database. The second parameter of the function does not properly handle a long string.
--------------------------------------------------------------------------------
> RISK LEVEL: High
> CHECK NAME: DBCC INDEXDEFRAG buffer overflow
> DESCRIPTION: This version of SQL Server contains a buffer overflow in the DBCC INDEXDEFRAG function.
> SUMMARY: The built-in function DBCC INDEXDEFRAG contains a buffer overflow that may allow an attacker to overwrite the stack and execute arbitrary code under the security context of the database. The first parameter of the function does not properly handle a long string.
--------------------------------------------------------------------------------
> RISK LEVEL: High
> CHECK NAME: DBCC SHOWCONTIG buffer overflow
> DESCRIPTION: This version of SQL Server contains a buffer overflow in the DBCC SHOWCONTIG function.
> SUMMARY: The built-in function DBCC SHOWCONTIG contains a buffer overflow that may allow an attacker to overwrite the stack and execute arbitrary code under the security context of the database. The first parameter of the function does not properly handle a long string.
--------------------------------------------------------------------------------
> RISK LEVEL: High
> CHECK NAME: DBCC SHOWTABLEAFFINITY buffer overflow
> DESCRIPTION: This version of SQL Server contains a buffer overflow in the DBCC SHOWTABLEAFFINITY function.
> SUMMARY: The built-in function DBCC SHOWTABLEAFFINITY contains a buffer overflow that may allow an attacker to overwrite the stack and execute arbitrary code under the security context of the database. The first parameter of the function does not properly handle a long string.
--------------------------------------------------------------------------------
> RISK LEVEL: High
> CHECK NAME: Enterprise Manager improperly revokes proxy account
> DESCRIPTION: The version of SQL Server is known to leave the SQL Agent Proxy Account enabled when disabled through Enterprise Manager.
> SUMMARY: Microsoft SQL Server 2000 is designed to run the xp_cmdshell extended stored procedure under a proxy account when not executed by a member of the sysadmin fixed server role. When the SQL Server Agent proxy account is revoked through Enterprise Manager, it is not properly revoked and commands continue to execute under the proxy account.
--------------------------------------------------------------------------------
> RISK LEVEL: High
> CHECK NAME: Extended stored proc privilege upgrade
> DESCRIPTION: Permissions to escalate privileges through misuse of extended stored procedures have not been removed.
> SUMMARY: Three extended stored procedures can be used to gain escalated privileges. If a login is connected as a Windows account, these extended stored procedures allow the login to reauthenticate to the SQL Server using the privileges of the account running SQL Server.
--------------------------------------------------------------------------------
> RISK LEVEL: High
> CHECK NAME: Format string vuln in xp_sprintf
> DESCRIPTION: This version of Microsoft SQL Server is known to be vulnerable to a format string vulnerability in the xp_sprintf function.
> SUMMARY: The extended stored procedure xp_sprintf contains a format string vulnerability that allows an attacker to execute malicious code under the security context of the database. xp_sprintf is included in a default installation of SQL Server and is granted to the public group.
--------------------------------------------------------------------------------
> RISK LEVEL: High
> CHECK NAME: FORMATMESSAGE buffer overflow
> DESCRIPTION: This version of Microsoft SQL Server is known to be vulnerable to a format string vulnerability in the FORMATMESSAGE function.
> SUMMARY: The built-in function FORMATMESSAGE contains a format string vulnerability that allows an attacker to execute malicious code under the security context of the database.
FORMATMESSAGE is a function of SQL Server that loads and formats a string from the sysmessages table.
--------------------------------------------------------------------------------
> RISK LEVEL: High
> CHECK NAME: Hello buffer overflow
> DESCRIPTION: This version of SQL Server contains a buffer overflow in the authentication process.
> SUMMARY: During a login to Microsoft SQL Server, several packets containing user-defined data are passed from the client to the server. If an overly long string is passed as one of the user-defined fields, a buffer overflow condition is created on the server.
--------------------------------------------------------------------------------
> RISK LEVEL: High
> CHECK NAME: Job output file handling
> DESCRIPTION: The patch has not been installed to prevent non-privileged users from creating and executing jobs under the SQL Server agent.
> SUMMARY: Microsoft SQL Server provides a mechanism to schedule jobs. This mechanism allows an unprivileged user to create jobs that will be executed using the elevated privileges of the SQL Server Agent.
--------------------------------------------------------------------------------
> RISK LEVEL: High
> CHECK NAME: Latest service pack/hot fix not applied
> DESCRIPTION: The latest service pack and hot fix for SQL Server have not been installed.
> SUMMARY: Microsoft releases service packs and hot fixes on a regular basis that provide various updates including security fixes. Staying up to date on the latest service pack and hot fixes minimizes your risk of being vulnerable to buffer overflows and other attacks.
--------------------------------------------------------------------------------
> RISK LEVEL: High
> CHECK NAME: MDX Query buffer overflow
> DESCRIPTION: The appropriate hotfix has not been applied to fix the MDX buffer overflow.
> SUMMARY: The Multidimensional Expressions (MDX) query engine contains a buffer overflow that may allow an attacker to overwrite the stack and execute arbitrary code under the security context of the database.
--------------------------------------------------------------------------------
> RISK LEVEL: High
> CHECK NAME: Permission on mswebtasks
> DESCRIPTION: Permissions have not been revoked from the group public on the table msdb.dbo.mswebtasks.
> SUMMARY: The table mswebtasks in the msdb database is used to manage web tasks. By default, permissions on this table are granted to the group public.
--------------------------------------------------------------------------------
> RISK LEVEL: High
> CHECK NAME: Permission on registry extended proc
> DESCRIPTION: Permission to execute the registry extended stored procedures has been granted to a user or group.
> SUMMARY: Microsoft SQL Server provides a set of extended stored procedures which allow database users to read and write from the registry. If not configured properly, the registry extended stored procedures can be used to read or write sensitive information from the registry.
--------------------------------------------------------------------------------
> RISK LEVEL: High
> CHECK NAME: Permission on sp_runwebtask
> DESCRIPTION: EXECUTE permission has not been revoked from the group public on the system stored procedure master.dbo.sp_runwebtask.
> SUMMARY: The system stored procedure sp_runwebtask in the master database is used to run web tasks. By default, permission on this system stored procedure is granted to the group public.
--------------------------------------------------------------------------------
> RISK LEVEL: High
> CHECK NAME: Public can create Agent jobs
> DESCRIPTION: Permissions are granted to public on stored procedures used to create SQL Agent jobs.
> SUMMARY: A security issue exists that allows Agent jobs to create arbitrary files.
By default, the public group is allowed to create jobs that the Agent runs. By crafting a malicious job, a non-privileged login can write arbitrary files on the operating system.
--------------------------------------------------------------------------------
> RISK LEVEL: High
> CHECK NAME: pwdencrypt buffer overflow
> DESCRIPTION: This version of SQL Server contains a buffer overflow in the pwdencrypt function.
> SUMMARY: The built-in function pwdencrypt contains a buffer overflow that may allow an attacker to overwrite the stack and execute arbitrary code under the security context of the database. The first parameter of the function does not properly handle a long string.
--------------------------------------------------------------------------------
> RISK LEVEL: High
> CHECK NAME: RAISERROR buffer overflow
> DESCRIPTION: This version of the database is known to be vulnerable to a buffer overflow in the function RAISERROR.
> SUMMARY: The built-in function RAISERROR contains a format string vulnerability that allows an attacker to execute malicious code under the security context of the database. RAISERROR is a function of SQL Server that loads and formats a string into the error handler of SQL Server.
--------------------------------------------------------------------------------
> RISK LEVEL: High
> CHECK NAME: Remote data source function unchecked buffer
> DESCRIPTION: This version of the database is known to be vulnerable to a buffer overflow in the remote data source functions.
> SUMMARY: When a query using a heterogeneous join is made, the OPENROWSET or OpenDataSource methods are called. These functions do not check that the first parameters passed to them are not excessively long. This allows a long command to be passed in, allowing arbitrary code to be executed.
--------------------------------------------------------------------------------
> RISK LEVEL: High
> CHECK NAME: Reusable cached administrator connection
> DESCRIPTION: The version of SQL Server is known to allow cached connections to be reused.
> SUMMARY: SQL Server performs caching of connections in order to optimize performance. A single SQL Query method enables cached administrator connections to be reused when SQL Server is configured to allow standard SQL Server logins. In this case, an attacker could use this method to hijack a cached connection that belongs to an administrator.
--------------------------------------------------------------------------------
> RISK LEVEL: High
> CHECK NAME: sp_MScopyscriptfile command injection
> DESCRIPTION: This version of SQL Server is known to contain a stored procedure called master.dbo.sp_MScopyscriptfile which is vulnerable to command injection.
> SUMMARY: The stored procedure sp_MScopyscriptfile is vulnerable to SQL injection. A file name is passed into the procedure. By crafting a malicious file name, the stored procedure can be caused to execute an operating system command using xp_cmdshell under the security context of SQL Server.
--------------------------------------------------------------------------------
> RISK LEVEL: High
> CHECK NAME: srv_paraminfo buffer overflow in xp_displayparamstmt
> DESCRIPTION: This version of the database is known to be vulnerable to a buffer overflow in the extended stored procedure xp_displayparamstmt.
> SUMMARY: The extended stored procedure xp_displayparamstmt contains a buffer overflow that may allow an attacker to overwrite the stack and execute arbitrary code under the security context of the database. The first parameter of the extended stored procedure xp_displayparamstmt does not properly handle a long string.
--------------------------------------------------------------------------------
> RISK LEVEL: High
> CHECK NAME: srv_paraminfo buffer overflow in xp_execresultset
> DESCRIPTION: This version of the database is known to be vulnerable to a buffer overflow in the extended stored procedure xp_execresultset.
> SUMMARY: The extended stored procedure xp_execresultset contains a buffer overflow that may allow an attacker to overwrite the stack and execute arbitrary code under the security context of the database. The first parameter of the extended stored procedure xp_execresultset does not properly handle a long string.
--------------------------------------------------------------------------------
> RISK LEVEL: High
> CHECK NAME: srv_paraminfo buffer overflow in xp_peekqueue
> DESCRIPTION: This version of the database is known to be vulnerable to a buffer overflow in the extended stored procedure xp_peekqueue.
> SUMMARY: The extended stored procedure xp_peekqueue contains a buffer overflow that may allow an attacker to overwrite the stack and execute arbitrary code under the security context of the database. The first parameter of the extended stored procedure xp_peekqueue does not properly handle a long string.
--------------------------------------------------------------------------------
> RISK LEVEL: High
> CHECK NAME: srv_paraminfo buffer overflow in xp_printstatements
> DESCRIPTION: This version of the database is known to be vulnerable to a buffer overflow in the extended stored procedure xp_printstatements.
> SUMMARY: The extended stored procedure xp_printstatements contains a buffer overflow that may allow an attacker to overwrite the stack and execute arbitrary code under the security context of the database. The first parameter of the extended stored procedure xp_printstatements does not properly handle a long string.
--------------------------------------------------------------------------------
> RISK LEVEL: High
> CHECK NAME: srv_paraminfo buffer overflow in xp_proxiedmetadata
> DESCRIPTION: This version of the database is known to be vulnerable to a buffer overflow in the extended stored procedure xp_proxiedmetadata.
> SUMMARY: The extended stored procedure xp_proxiedmetadata contains a buffer overflow that may allow an attacker to overwrite the stack and execute arbitrary code under the security context of the database. The second parameter of the extended stored procedure xp_proxiedmetadata does not properly handle a long string.
--------------------------------------------------------------------------------
> RISK LEVEL: High
> CHECK NAME: srv_paraminfo buffer overflow in xp_SetSQLSecurity
> DESCRIPTION: This version of the database is known to be vulnerable to a buffer overflow in the extended stored procedure xp_SetSQLSecurity.
> SUMMARY: The extended stored procedure xp_SetSQLSecurity contains a buffer overflow that may allow an attacker to overwrite the stack and execute arbitrary code under the security context of the database. The third parameter of the extended stored procedure xp_SetSQLSecurity does not properly handle a long string.
--------------------------------------------------------------------------------
> RISK LEVEL: High
> CHECK NAME: srv_paraminfo buffer overflow in xp_showcolv
> DESCRIPTION: This version of the database is known to be vulnerable to a buffer overflow in the extended stored procedure xp_showcolv.
> SUMMARY: The extended stored procedure xp_showcolv contains a buffer overflow that may allow an attacker to overwrite the stack and execute arbitrary code under the security context of the database. The first parameter of the extended stored procedure xp_showcolv does not properly handle a long string.
--------------------------------------------------------------------------------
> RISK LEVEL: High
> CHECK NAME: srv_paraminfo buffer overflow in xp_updatecolvbm
> DESCRIPTION: This version of the database is known to be vulnerable to a buffer overflow in the extended stored procedure xp_updatecolvbm.
> SUMMARY: The extended stored procedure xp_updatecolvbm contains a buffer overflow that may allow an attacker to overwrite the stack and execute arbitrary code under the security context of the database. The first parameter of the extended stored procedure xp_updatecolvbm does not properly handle a long string.
--------------------------------------------------------------------------------
> RISK LEVEL: High
> CHECK NAME: xp_dirtree buffer overflow
> DESCRIPTION: The appropriate hotfix has not been applied to fix the xp_dirtree buffer overflow.
> SUMMARY: The extended stored procedure xp_dirtree contains a buffer overflow that may allow an attacker to overwrite the stack and execute arbitrary code under the security context of the database. The first parameter of the extended stored procedure xp_dirtree does not properly handle a long string.
--------------------------------------------------------------------------------
> RISK LEVEL: High
> CHECK NAME: xp_mergelineages buffer overflow
> DESCRIPTION: The appropriate hotfix has not been applied to fix the xp_mergelineages buffer overflow.
> SUMMARY: The extended stored procedure xp_mergelineages contains a buffer overflow that may allow an attacker to overwrite the stack and execute arbitrary code under the security context of the database. The first parameter of the extended stored procedure xp_mergelineages does not properly handle a long string.
--------------------------------------------------------------------------------
> RISK LEVEL: High
> CHECK NAME: xp_proxiedmetadata buffer overflow
> DESCRIPTION: The appropriate hotfix has not been applied to fix the xp_proxiedmetadata buffer overflow.
> SUMMARY: The extended stored procedure xp_proxiedmetadata contains a buffer overflow that may allow an attacker to overwrite the stack and execute arbitrary code under the security context of the database. The first parameter of the extended stored procedure xp_proxiedmetadata does not properly handle a long string.
--------------------------------------------------------------------------------
> RISK LEVEL: Medium
> CHECK NAME: Auditing of failed logins
> DESCRIPTION: Auditing of failed login attempts is not enabled.
> SUMMARY: Microsoft SQL Server provides a facility to record failed connection attempts to the database. Recording these actions is necessary in order to detect when an attack occurs and to be able to analyze the attack after the fact.
--------------------------------------------------------------------------------
> RISK LEVEL: Medium
> CHECK NAME: Auditing of successful logins
> DESCRIPTION: Auditing of successful login attempts is not enabled.
> SUMMARY: Microsoft SQL Server provides a facility to record successful connection attempts to the database. Recording these actions is necessary in order to detect when an attack occurs and to be able to analyze the attack after the fact.
--------------------------------------------------------------------------------
> RISK LEVEL: Medium
> CHECK NAME: Buffer overflow in LPC
> DESCRIPTION: This version of the database is known to be vulnerable to a buffer overflow in the Local Procedure Call mechanism.
> SUMMARY: One of the communication mechanisms supported by Microsoft SQL Server is Local Procedure Calls. A malicious packet sent to this port can corrupt the server memory, resulting in execution of malicious code.
--------------------------------------------------------------------------------
> RISK LEVEL: Medium
> CHECK NAME: C2 Audit Mode
> DESCRIPTION: The 'c2 audit mode' configuration option is not enabled.
> SUMMARY: Microsoft SQL Server provides an option to record access to statements and objects. Used properly, this feature can be useful for detecting misuse and attacks on the database.
--------------------------------------------------------------------------------
> RISK LEVEL: Medium
> CHECK NAME: Database ownership chaining not disabled
> DESCRIPTION: SQL Server database ownership chaining has not been disabled.
> SUMMARY: Microsoft SQL Server allows chaining ownership across databases. This feature can be used by a malicious database owner to elevate their privileges to system administrator.
--------------------------------------------------------------------------------
> RISK LEVEL: Medium
> CHECK NAME: DTS package procedures granted to public
> DESCRIPTION: Verify that the execute permission has been revoked from public on the stored procedures msdb.dbo.sp_enum_dtspackages and msdb.dbo.sp_get_dtspackage.
> SUMMARY: DTS packages in SQL Server allow database administrators to create scripts that will perform a set of database actions at regular intervals. As part of the creation of a DTS package, the administrator provides the login name and password under which the action should be taken. To protect this password, public permissions on msdb.dbo.sp_get_dtspackage should be revoked.
--------------------------------------------------------------------------------
> RISK LEVEL: Medium
> CHECK NAME: Encoded password written by installation
> DESCRIPTION: This version of SQL Server is known to write into a log file an encoded version of the password used to perform the installation.
> SUMMARY: When installing Microsoft SQL Server 2000 or a service pack for Microsoft SQL Server 7.0 or 2000, encoded versions of the passwords entered are written to the file setup.iss. The log file's default permissions allow any user able to log on interactively to the operating system to read the file and discover the password.
--------------------------------------------------------------------------------
> RISK LEVEL: Medium
> CHECK NAME: Guest user exists in database
> DESCRIPTION: A guest user was found.
> SUMMARY: For each database in Microsoft SQL Server, a login must be linked to a user to access the database. If a login has not been granted to a database, a login will be mapped to a user called guest if the user exists. Guest users should only be used when appropriate.
--------------------------------------------------------------------------------
> RISK LEVEL: Medium
> CHECK NAME: Named Pipe Hijacking
> DESCRIPTION: This version of the database is known to be vulnerable to named pipe hijacking.
> SUMMARY: One of the communication mechanisms supported by Microsoft SQL Server is Named Pipes. An error in the authentication mechanism of the named pipes allows an attacker that is a local user to hijack or steal a named pipe from another user. This can be used by an attacker to gain full control of the database.
--------------------------------------------------------------------------------
> RISK LEVEL: Medium
> CHECK NAME: SQL Agent procedures granted to public
> DESCRIPTION: The stored procedure msdb.dbo.sp_get_sqlagent_properties can be executed by public.
> SUMMARY: SQL Server provides an engine, called the SQL Server Agent, to perform maintenance tasks. If the agent is configured to use a login name and password, the stored procedure sp_get_sqlagent_properties can be used to discover the password. By default, all logins can execute this stored procedure.
--------------------------------------------------------------------------------
> RISK LEVEL: Medium
> CHECK NAME: Table to store DTS passwords publicly viewable
> DESCRIPTION: The table msdb.dbo.RTblDBMProps can be viewed by all logins on the server.
> SUMMARY: DTS packages can be saved to SQL Server's Meta Data Service. This gives administrators the ability to save meta data about the package as well as data lineage.
When a DTS package is saved as a Meta Data Service, the account and password used to connect to the data source is saved in the table msdb.dbo.RTblDBMProps. This table is publicly viewable on a default installation of Microsoft SQL Server 2000.
--------------------------------------------------------------------------------
> RISK LEVEL: Low
> CHECK NAME: BUILTIN\Administrators not removed
> DESCRIPTION: The sysadmin role has not been revoked from the BUILTIN\Administrators group.
> SUMMARY: By default the Windows group BUILTIN\Administrators is granted the sysadmin role in Microsoft SQL Server. This makes any Windows administrator a SQL Server administrator also. It is a good security practice to separate these responsibilities and remove the BUILTIN\Administrators from the sysadmin role.
--------------------------------------------------------------------------------
> RISK LEVEL: Low
> CHECK NAME: BULK INSERT buffer overflow
> DESCRIPTION: A buffer overflow exists in the built-in function BULK INSERT.
> SUMMARY: The built-in function BULK INSERT contains a buffer overflow that may allow an attacker to overwrite the stack and execute arbitrary code under the security context of the database. The first parameter of BULK INSERT does not properly handle a long string.
--------------------------------------------------------------------------------
> RISK LEVEL: Low
> CHECK NAME: Case-insensitive sort order
> DESCRIPTION: The sort order is not case-sensitive.
> SUMMARY: The sort order on your SQL Server determines the manner in which your data will be sorted. It is specific to national languages and can be case-sensitive as well as accent-sensitive. If your sort order is not case-sensitive, a hacker attempting to brute-force a password does not have to worry about the case of the passwords being hacked (i.e. 'asi', 'ASI', 'Asi', etc. are all considered the same word). This can significantly shorten the amount of time it takes to crack a password.
--------------------------------------------------------------------------------
> RISK LEVEL: Low
> CHECK NAME: Changing mode may leave sa password blank
> DESCRIPTION: This version of SQL Server is known to leave a blank password for the sa login when the authentication mode is changed to support SQL Server logins.
> SUMMARY: Microsoft SQL Server supports authentication through both Windows and through standard SQL Server logins. In unpatched builds of SQL Server 2000 as well as older versions of SQL Server, when the authentication mode was switched from Windows to SQL Server logins, the password for the sa login was left blank.
--------------------------------------------------------------------------------
> RISK LEVEL: Low
> CHECK NAME: Computed column UDF DoS
> DESCRIPTION: An attacker can bring down this version of Microsoft SQL Server by selecting from a table with a computed column that references a user-defined function.
> SUMMARY: A denial of service attack exists that allows a user to crash the SQL Server when a computed column references a user-defined function. By crashing the SQL Server, a non-privileged login can perform a denial of service attack.
--------------------------------------------------------------------------------
> RISK LEVEL: Low
> CHECK NAME: DBCC addextendedproc buffer overflow
> DESCRIPTION: This version of SQL Server contains a buffer overflow in the DBCC addextendedproc function.
> SUMMARY: The built-in function DBCC addextendedproc contains a buffer overflow that may allow an attacker to overwrite the stack and execute arbitrary code under the security context of the database. The first parameter of the function does not properly handle a long string.
--------------------------------------------------------------------------------
> RISK LEVEL: Low
> CHECK NAME: DBCC BUFFER buffer overflow
> DESCRIPTION: This version of SQL Server contains a buffer overflow in the DBCC BUFFER function.
> SUMMARY: The built-in function DBCC BUFFER contains a buffer overflow that may allow an attacker to overwrite the stack and execute arbitrary code under the security context of the database. The second parameter of the function does not properly handle a long string.
--------------------------------------------------------------------------------
> RISK LEVEL: Low
> CHECK NAME: DBCC CHECKCONSTRAINTS buffer overflow
> DESCRIPTION: This version of SQL Server contains a buffer overflow in the DBCC CHECKCONSTRAINTS function.
> SUMMARY: The built-in function DBCC CHECKCONSTRAINTS contains a buffer overflow that may allow an attacker to overwrite the stack and execute arbitrary code under the security context of the database. The first parameter of the function does not properly handle a long string.
--------------------------------------------------------------------------------
> RISK LEVEL: Low
> CHECK NAME: DBCC PROCBUF buffer overflow
> DESCRIPTION: This version of SQL Server contains a buffer overflow in the DBCC PROCBUF function.
> SUMMARY: The built-in function DBCC PROCBUF contains a buffer overflow that may allow an attacker to overwrite the stack and execute arbitrary code under the security context of the database. The second parameter of the function does not properly handle a long string.
--------------------------------------------------------------------------------
> RISK LEVEL: Low
> CHECK NAME: DBCC UPDATEUSAGE buffer overflow
> DESCRIPTION: This version of SQL Server contains a buffer overflow in the DBCC UPDATEUSAGE function.
> SUMMARY: The built-in function DBCC UPDATEUSAGE contains a buffer overflow that may allow an attacker to overwrite the stack and execute arbitrary code under the security context of the database. The second parameter of the function does not properly handle a long string.
-------------------------------------------------------------------------------- > RISK LEVEL: Low > CHECK NAME: Error logs can be overwritten > DESCRIPTION: The maximum number of error log files is set too low and error log could be overwritten. > SUMMARY: Microsoft SQL Server writes data such as successful logins, failed logins, and error information to an error log on the operating system. Each time the server is restarted, another file is created. After the configured number of times, SQL Server will overwrite previous files. -------------------------------------------------------------------------------- > RISK LEVEL: Low > CHECK NAME: Format string in C runtime DoS > DESCRIPTION: This version of Microsoft SQL Server is known to be vulnerable to a format string vulnerability in the C runtime functions. > SUMMARY: SQL Server contains a number of built-in functions based on C style format specifiers. Several of these functions contain format string vulnerabilities that would allow an attacker to create malicious input that could crash the database or run code under the security context of the database. -------------------------------------------------------------------------------- > RISK LEVEL: Low > CHECK NAME: Malformed RPC request DoS > DESCRIPTION: This version of Microsoft SQL Server can be crashed by sending a malformed RPC request. > SUMMARY: In addition to supporting the TDS protocol, SQL Server also supports the use of Remote Procedure Call (RPC) for communicating with the database. It has been discovered that the RPC engine of SQL Server does not adequately validate inputs, and in some cases accepts invalid input that results in a DoS attack. -------------------------------------------------------------------------------- > RISK LEVEL: Low > CHECK NAME: Named Pipe DoS > DESCRIPTION: This version of the database is known to be vulnerable to a denial of service in the named pipe mechanism. 
> SUMMARY: One of the communication mechanisms supported by Microsoft SQL Server is Named Pipes. A malicious packet sent to the named pipe on which SQL Server listens can cause the named pipe to stop functioning resulting in a denial of service. -------------------------------------------------------------------------------- > RISK LEVEL: Low > CHECK NAME: Openrowset reveals service account > DESCRIPTION: The account that SQL Server service runs under can be revealed by executing an invalid openrowset command. > SUMMARY: The openrowset function reveals the account that the SQL Server service is running under. -------------------------------------------------------------------------------- > RISK LEVEL: Low > CHECK NAME: Permission on sp_MSsetalertinfo > DESCRIPTION: EXECUTE permissions have not been revoked from public on the stored procedure master.dbo.sp_MSsetalertinfo. > SUMMARY: The system stored procedure sp_MSsetalertinfo in the master database is used to configure SQL Server responses to alerts. By default, permission to execute this stored procedure is granted to the group public. -------------------------------------------------------------------------------- > RISK LEVEL: Low > CHECK NAME: Permission on sp_MSSetServerProperties > DESCRIPTION: EXECUTE permissions have not been revoked from public on the stored procedure master.dbo.sp_MSSetServerProperties. > SUMMARY: The system stored procedure sp_MSSetServerProperties in the master database is used to configure whether SQL Server is set to auto-start or not. By default, permission to execute this stored procedure is granted to the group public. -------------------------------------------------------------------------------- > RISK LEVEL: Low > CHECK NAME: Permission on sp_readwebtask > DESCRIPTION: EXECUTE permission has not been revoked from the group public on the system stored procedure master.dbo.sp_readwebtask. 
> SUMMARY: The system stored procedure sp_readwebtask in the master database is used to read web tasks. By default, permission on this system stored procedure is granted to the group public. -------------------------------------------------------------------------------- > RISK LEVEL: Low > CHECK NAME: Permission to select from syslogins > DESCRIPTION: SELECT permissions have not been revoked from the syslogins table. > SUMMARY: The system table syslogins contains the list of valid logins allowed in the master database. Anyone granted access to select from the table can gather a list of valid logins to attack. -------------------------------------------------------------------------------- > RISK LEVEL: Low > CHECK NAME: Sample database not removed > DESCRIPTION: Discovered a sample database that has not been removed. > SUMMARY: Microsoft SQL Server has several sample databases which are used to demonstrate functionality and to test the server. It is recommended on a production system that you remove these databases. -------------------------------------------------------------------------------- > RISK LEVEL: Low > CHECK NAME: SQL injection in sp_MSdropretry > DESCRIPTION: master.dbo.sp_MSdropretry is susceptible to a SQL Injection attack. > SUMMARY: SQL injection is a vulnerability that allows unintended SQL code to be inserted into a query in order to change how the query works. In this case, the system stored procedure sp_MSdropretry is susceptible to SQL injection and can allow privileged users (or users who have gained privileges) the ability to write to system tables. -------------------------------------------------------------------------------- > RISK LEVEL: Low > CHECK NAME: srv_paraminfo buffer overflow in sp_OACreate > DESCRIPTION: This version of the database is known to be vulnerable to a buffer overflow in the extended stored procedure sp_OACreate. 
> SUMMARY: The extended stored procedure sp_OACreate contains a buffer overflow that may allow an attacker to overwrite the stack and execute arbitrary code under the security context of the database. One of the parameters of the extended stored procedure sp_OACreate does not properly handle a long string. -------------------------------------------------------------------------------- > RISK LEVEL: Low > CHECK NAME: srv_paraminfo buffer overflow in sp_OADestroy > DESCRIPTION: This version of the database is known to be vulnerable to a buffer overflow in the extended stored procedure sp_OADestroy. > SUMMARY: The extended stored procedure sp_OADestroy contains a buffer overflow that may allow an attacker to overwrite the stack and execute arbitrary code under the security context of the database. One of the parameters of the extended stored procedure sp_OADestroy does not properly handle a long string. -------------------------------------------------------------------------------- > RISK LEVEL: Low > CHECK NAME: srv_paraminfo buffer overflow in sp_OAGetProperty > DESCRIPTION: This version of the database is known to be vulnerable to a buffer overflow in the extended stored procedure sp_OAGetProperty. > SUMMARY: The extended stored procedure sp_OAGetProperty contains a buffer overflow that may allow an attacker to overwrite the stack and execute arbitrary code under the security context of the database. One of the parameters of the extended stored procedure sp_OAGetProperty does not properly handle a long string. -------------------------------------------------------------------------------- > RISK LEVEL: Low > CHECK NAME: srv_paraminfo buffer overflow in sp_OAMethod > DESCRIPTION: This version of the database is known to be vulnerable to a buffer overflow in the extended stored procedure sp_OAMethod. 
> SUMMARY: The extended stored procedure sp_OAMethod contains a buffer overflow that may allow an attacker to overwrite the stack and execute arbitrary code under the security context of the database. One of the parameters of the extended stored procedure sp_OAMethod does not properly handle a long string. -------------------------------------------------------------------------------- > RISK LEVEL: Low > CHECK NAME: srv_paraminfo buffer overflow in sp_OASetProperty > DESCRIPTION: This version of the database is known to be vulnerable to a buffer overflow in the extended stored procedure sp_OASetProperty. > SUMMARY: The extended stored procedure sp_OASetProperty contains a buffer overflow that may allow an attacker to overwrite the stack and execute arbitrary code under the security context of the database. One of the parameters of the extended stored procedure sp_OASetProperty does not properly handle a long string. -------------------------------------------------------------------------------- > RISK LEVEL: Low > CHECK NAME: srv_paraminfo buffer overflow in xp_sqlagent_monitor > DESCRIPTION: This version of the database is known to be vulnerable to a buffer overflow in the extended stored procedure xp_sqlagent_monitor. > SUMMARY: The extended stored procedure xp_sqlagent_monitor contains a buffer overflow that may allow an attacker to overwrite the stack and execute arbitrary code under the security context of the database. One of the parameters of the extended stored procedure xp_sqlagent_monitor does not properly handle a long string. -------------------------------------------------------------------------------- > RISK LEVEL: Low > CHECK NAME: Standard SQL Server authentication allowed > DESCRIPTION: The authentication mode has been configured to allow standard SQL Server logins. > SUMMARY: SQL Server supports multiple methods of authenticating users including via standard SQL Server logins and Windows authentication. 
Microsoft strongly recommends using Windows authentication for improved security. -------------------------------------------------------------------------------- > RISK LEVEL: Low > CHECK NAME: XMLHTTP control allows local file access > DESCRIPTION: The version of the XMLHTTP control installed with SQL Server can be used by a malicious web site to allow access to local files. > SUMMARY: Along with Microsoft SQL Server is installed the Microsoft XML Core Services (MSXML) which includes the XMLHTTP ActiveX control. This control has been discover to allow access to read files on a client connected over HTTP. -------------------------------------------------------------------------------- > RISK LEVEL: Low > CHECK NAME: xp_cmdshell not removed > DESCRIPTION: The xp_cmdshell extended stored procedure has not been removed from the database. > SUMMARY: Microsoft SQL Server provides an extended stored procedure which allows operating system commands to be run from Transact-SQL as if at a command line prompt. If not configured properly, the xp_cmdshell executes commands under the security context of the service SQL Server runs under. -------------------------------------------------------------------------------- > RISK LEVEL: Low > CHECK NAME: xp_controlqueueservice buffer overflow > DESCRIPTION: The appropriate hotfix has not been applied to fix the xp_controlqueueservice buffer overflow. > SUMMARY: The extended stored procedure xp_controlqueueservice contains a buffer overflow that may allow an attacker to overwrite the stack and execute arbitrary code under the security context of the database. The first parameter of the extended stored procedure xp_controlqueueservice does not properly handle a long string. -------------------------------------------------------------------------------- > RISK LEVEL: Low > CHECK NAME: xp_createprivatequeue buffer overflow > DESCRIPTION: The appropriate hotfix has not been applied to fix the xp_createprivatequeue buffer overflow. 
> SUMMARY: The extended stored procedure xp_createprivatequeue contains a buffer overflow that may allow an attacker to overwrite the stack and execute arbitrary code under the security context of the database. The first parameter of the extended stored procedure xp_createprivatequeue does not properly handle a long string. -------------------------------------------------------------------------------- > RISK LEVEL: Low > CHECK NAME: xp_createqueue buffer overflow > DESCRIPTION: The appropriate hotfix has not been applied to fix the xp_createqueue buffer overflow. > SUMMARY: The extended stored procedure xp_createqueue contains a buffer overflow that may allow an attacker to overwrite the stack and execute arbitrary code under the security context of the database. The first parameter of the extended stored procedure xp_createqueue does not properly handle a long string. -------------------------------------------------------------------------------- > RISK LEVEL: Low > CHECK NAME: xp_decodequeuecmd buffer overflow > DESCRIPTION: The appropriate hotfix has not been applied to fix the xp_decodequeuecmd buffer overflow. > SUMMARY: The extended stored procedure xp_decodequeuecmd contains a buffer overflow that may allow an attacker to overwrite the stack and execute arbitrary code under the security context of the database. The first parameter of the extended stored procedure xp_decodequeuecmd does not properly handle a long string. -------------------------------------------------------------------------------- > RISK LEVEL: Low > CHECK NAME: xp_deleteprivatequeue buffer overflow > DESCRIPTION: The appropriate hotfix has not been applied to fix the xp_deleteprivatequeue buffer overflow. > SUMMARY: The extended stored procedure xp_deleteprivatequeue contains a buffer overflow that may allow an attacker to overwrite the stack and execute arbitrary code under the security context of the database. 
The first parameter of the extended stored procedure xp_deleteprivatequeue does not properly handle a long string. -------------------------------------------------------------------------------- > RISK LEVEL: Low > CHECK NAME: xp_deletequeue buffer overflow > DESCRIPTION: The appropriate hotfix has not been applied to fix the xp_deletequeue buffer overflow. > SUMMARY: The extended stored procedure xp_deletequeue contains a buffer overflow that may allow an attacker to overwrite the stack and execute arbitrary code under the security context of the database. The first parameter of the extended stored procedure xp_deletequeue does not properly handle a long string. -------------------------------------------------------------------------------- > RISK LEVEL: Low > CHECK NAME: xp_displayqueuemesgs buffer overflow > DESCRIPTION: The appropriate hotfix has not been applied to fix the xp_displayqueuemesgs buffer overflow. > SUMMARY: The extended stored procedure xp_displayqueuemesgs contains a buffer overflow that may allow an attacker to overwrite the stack and execute arbitrary code under the security context of the database. The first parameter of the extended stored procedure xp_displayqueuemesgs does not properly handle a long string. -------------------------------------------------------------------------------- > RISK LEVEL: Low > CHECK NAME: xp_oledbinfo buffer overflow > DESCRIPTION: The appropriate hotfix has not been applied to fix the xp_oledbinfo buffer overflow. > SUMMARY: The extended stored procedure xp_oledbinfo contains a buffer overflow that may allow an attacker to overwrite the stack and execute arbitrary code under the security context of the database. The first parameter of the extended stored procedure xp_oledbinfo does not properly handle a long string. 
-------------------------------------------------------------------------------- > RISK LEVEL: Low > CHECK NAME: xp_readpkfromqueue buffer overflow > DESCRIPTION: The appropriate hotfix has not been applied to fix the xp_readpkfromqueue buffer overflow. > SUMMARY: The extended stored procedure xp_readpkfromqueue contains a buffer overflow that may allow an attacker to overwrite the stack and execute arbitrary code under the security context of the database. The first parameter of the extended stored procedure xp_readpkfromqueue does not properly handle a long string. -------------------------------------------------------------------------------- > RISK LEVEL: Low > CHECK NAME: xp_readpkfromvarbin buffer overflow > DESCRIPTION: The appropriate hotfix has not been applied to fix the xp_readpkfromvarbin buffer overflow. > SUMMARY: The extended stored procedure xp_readpkfromvarbin contains a buffer overflow that may allow an attacker to overwrite the stack and execute arbitrary code under the security context of the database. The first parameter of the extended stored procedure xp_readpkfromvarbin does not properly handle a long string. -------------------------------------------------------------------------------- > RISK LEVEL: Low > CHECK NAME: xp_repl_encrypt buffer overflow > DESCRIPTION: The appropriate hotfix has not been applied to fix the xp_repl_encrypt buffer overflow. > SUMMARY: The extended stored procedure xp_repl_encrypt contains a buffer overflow that may allow an attacker to overwrite the stack and execute arbitrary code under the security context of the database. The first parameter of the extended stored procedure xp_repl_encrypt does not properly handle a long string. -------------------------------------------------------------------------------- > RISK LEVEL: Low > CHECK NAME: xp_resetqueue buffer overflow > DESCRIPTION: The appropriate hotfix has not been applied to fix the xp_resetqueue buffer overflow. 
> SUMMARY: The extended stored procedure xp_resetqueue contains a buffer overflow that may allow an attacker to overwrite the stack and execute arbitrary code under the security context of the database. The first parameter of the extended stored procedure xp_resetqueue does not properly handle a long string. -------------------------------------------------------------------------------- > RISK LEVEL: Low > CHECK NAME: xp_sqlagent_param buffer overflow > DESCRIPTION: The appropriate hotfix has not been applied to fix the xp_sqlagent_param buffer overflow. > SUMMARY: The extended stored procedure xp_sqlagent_param contains a buffer overflow that may allow an attacker to overwrite the stack and execute arbitrary code under the security context of the database. The first parameter of the extended stored procedure xp_sqlagent_param does not properly handle a long string. -------------------------------------------------------------------------------- > RISK LEVEL: Low > CHECK NAME: xp_unpackcab buffer overflow > DESCRIPTION: The appropriate hotfix has not been applied to fix the xp_unpackcab buffer overflow. > SUMMARY: The extended stored procedure xp_unpackcab contains a buffer overflow that may allow an attacker to overwrite the stack and execute arbitrary code under the security context of the database. The second parameter of the extended stored procedure xp_unpackcab does not properly handle a long string. -------------------------------------------------------------------------------- No Informational Vulnerability Found. Powered by Application Security, Inc.