--------------------------------------------------------------------------------
Summary of Vulnerability for Session
--------------------------------------------------------------------------------
COMPANY NAME    :
PRINT DATE      : 9/14/2004
SESSION DATE    : 9/14/2004 4:57:38 PM
DISCOVERY RANGE : Merge of sessions 3, 2
--------------------------------------------------------------------------------
REPORT DESCRIPTION:
A security review has been run on a number of applications on your network. This review consisted of probing the applications and comparing the results to a knowledge base of application security vulnerabilities. This report displays a summary list of all vulnerabilities found, including a summary analysis of each problem. To review a more detailed list of vulnerabilities and a comprehensive description of each vulnerability found, you can view the Vulnerability Details report.

REPORT SUMMARY:
------------------------------------------------------------
Vulnerabilities By Risk Level
------------------------------------------------------------
Risk Level           Vulnerability Count
------------------------------------------------------------
High                 74
Medium               19
Low                  75
Informational         8
------------------------------------------------------------
Vulnerabilities By IP Address
------------------------------------------------------------
IP Address           Vulnerability Count
------------------------------------------------------------
172.16.0.100         148
172.16.0.233          11
172.16.0.64           11
172.16.0.65            5
172.16.0.94            1
------------------------------------------------------------

REPORT CONTENT:
--------------------------------------------------------------------------------
> RISK LEVEL: High
> APPLICATION TYPE: IBM DB2
> CHECK NAME: Connect handshake overflow (Verify version)
> DESCRIPTION: This version of IBM DB2 is vulnerable to a buffer overflow in the connection handshake.
> SUMMARY: A buffer overflow can be triggered by sending a modified connect packet to the DB2 administration server.
This attack allows an anonymous attacker to bring down the DAS instance or possibly execute arbitrary code on the DB2 database.
--------------------------------------------------------------------------------
IP Address: 172.16.0.64   Port: 50000   Application: DB2 6.1 (db2inst2:SAMPLE)   Vulnerability Count: 1
--------------------------------------------------------------------------------
> RISK LEVEL: High
> APPLICATION TYPE: IBM DB2
> CHECK NAME: db2dart buffer overflow (Verify version)
> DESCRIPTION: This version of IBM DB2 is vulnerable to a buffer overflow in the db2dart binary.
> SUMMARY: IBM DB2 is installed with a command line utility called db2dart. There exists a buffer overflow in the db2dart binary which can allow a local attacker to gain elevated privileges on the system running the IBM DB2 database.
--------------------------------------------------------------------------------
IP Address: 172.16.0.64   Port: 50000   Application: DB2 6.1 (db2inst2:SAMPLE)   Vulnerability Count: 1
--------------------------------------------------------------------------------
> RISK LEVEL: High
> APPLICATION TYPE: IBM DB2
> CHECK NAME: Default password for db2as
> DESCRIPTION: The default password for db2as has not been changed.
> SUMMARY: DB2 UDB is installed on UNIX with a well-known username of db2as with a default password of ibmdb2. If the default password is not changed, an attacker can easily break into the server.
--------------------------------------------------------------------------------
IP Address: 172.16.0.64   Port: 50000   Application: DB2 6.1 (db2inst2:SAMPLE)   Vulnerability Count: 1
--------------------------------------------------------------------------------
> RISK LEVEL: High
> APPLICATION TYPE: IBM DB2
> CHECK NAME: Default password for db2fenc1
> DESCRIPTION: The default password for db2fenc1 has not been changed.
> SUMMARY: DB2 UDB is installed on UNIX with a well-known username of db2fenc1 with a default password of ibmdb2.
If the default password is not changed, an attacker can easily break into the server.
--------------------------------------------------------------------------------
IP Address: 172.16.0.64   Port: 50000   Application: DB2 6.1 (db2inst2:SAMPLE)   Vulnerability Count: 1
--------------------------------------------------------------------------------
> RISK LEVEL: High
> APPLICATION TYPE: IBM DB2
> CHECK NAME: Default password for db2inst1
> DESCRIPTION: The default password for db2inst1 has not been changed.
> SUMMARY: DB2 UDB is installed on UNIX with a well-known username of db2inst1 with a default password of ibmdb2. If the default password is not changed, an attacker can easily break into the server.
--------------------------------------------------------------------------------
IP Address: 172.16.0.64   Port: 50000   Application: DB2 6.1 (db2inst2:SAMPLE)   Vulnerability Count: 1
--------------------------------------------------------------------------------
> RISK LEVEL: High
> APPLICATION TYPE: IBM DB2
> CHECK NAME: Multiple setuid buffer overflows (Verify version)
> DESCRIPTION: This version of IBM DB2 is vulnerable to a format string or buffer overflow vulnerability in one of the binaries db2start, db2stop, or db2govd.
> SUMMARY: IBM provides a number of command line utilities that are used to perform tasks on the database from the local Unix or Linux operating system. There exist multiple format string and buffer overflow vulnerabilities in the db2start, db2stop, and db2govd binaries which can allow a local attacker to gain `root` or elevated privileges on the system running the IBM DB2 database.
--------------------------------------------------------------------------------
IP Address: 172.16.0.64   Port: 50000   Application: DB2 6.1 (db2inst2:SAMPLE)   Vulnerability Count: 1
--------------------------------------------------------------------------------
> RISK LEVEL: High
> APPLICATION TYPE: IBM DB2
> CHECK NAME: SERVER authentication
> DESCRIPTION: The authentication type is set to SERVER.
> SUMMARY: The authentication type of DB2 can be configured using the database manager configuration file. Use of the authentication type SERVER is not recommended since the authentication credentials are sent over the network in clear text.
--------------------------------------------------------------------------------
IP Address: 172.16.0.64   Port: 50000   Application: DB2 6.1 (db2inst2:SAMPLE)   Vulnerability Count: 1
--------------------------------------------------------------------------------
> RISK LEVEL: High
> APPLICATION TYPE: Microsoft SQL Server
> CHECK NAME: Agent jobs privilege escalation
> DESCRIPTION: Permissions to escalate privileges through the SQL Agent have not been removed.
> SUMMARY: A security issue exists that allows privilege escalation to be done through the Agent service. By default, the public group is allowed to create jobs that the Agent runs. By crafting a malicious job using extended stored procedures such as xp_execresults, a non-privileged login can gain administrator privileges in the database.
--------------------------------------------------------------------------------
IP Address: 172.16.0.100   Port: 1433   Application: Microsoft SQL Server 2000 (MSSQLSERVER)   Vulnerability Count: 7
--------------------------------------------------------------------------------
> RISK LEVEL: High
> APPLICATION TYPE: Microsoft SQL Server
> CHECK NAME: Blank password
> DESCRIPTION: A blank password for a SQL Server login has been found.
> SUMMARY: Leaving the password for a SQL Server login ID blank creates a security hole in SQL Server.
If a password is left blank, an attacker can gain access to the database as the login with the blank password.
--------------------------------------------------------------------------------
IP Address: 172.16.0.100   Port: 1433   Application: Microsoft SQL Server 2000 (MSSQLSERVER)   Vulnerability Count: 1
--------------------------------------------------------------------------------
> RISK LEVEL: High
> APPLICATION TYPE: Microsoft SQL Server
> CHECK NAME: Blank password for sa
> DESCRIPTION: The sa password is blank.
> SUMMARY: The administrator login on Microsoft SQL Server is called `sa`. Prior to SQL Server 2000, this login was installed with a blank password. In version 8, you are now prompted for a password, but the password may still be set to blank. Leaving a blank password on the login allows an attacker to easily break into the database.
--------------------------------------------------------------------------------
IP Address: 172.16.0.100   Port: 1433   Application: Microsoft SQL Server 2000 (MSSQLSERVER)   Vulnerability Count: 1
--------------------------------------------------------------------------------
> RISK LEVEL: High
> APPLICATION TYPE: Microsoft SQL Server
> CHECK NAME: Blank password for well-known login
> DESCRIPTION: A well-known login has a blank password.
> SUMMARY: Microsoft SQL Server version 6.x installed several well-known logins. These logins were used for various tasks such as replication and performance monitoring of the database. By leaving the login with a blank password, access to the database could be gained by an attacker.
--------------------------------------------------------------------------------
IP Address: 172.16.0.100   Port: 1433   Application: Microsoft SQL Server 2000 (MSSQLSERVER)   Vulnerability Count: 1
--------------------------------------------------------------------------------
> RISK LEVEL: High
> APPLICATION TYPE: Microsoft SQL Server
> CHECK NAME: DBCC CLEANTABLE buffer overflow
> DESCRIPTION: This version of SQL Server contains a buffer overflow in the DBCC CLEANTABLE function.
> SUMMARY: The built-in function DBCC CLEANTABLE contains a buffer overflow that may allow an attacker to overwrite the stack and execute arbitrary code under the security context of the database. The second parameter of the function does not properly handle a long string.
--------------------------------------------------------------------------------
IP Address: 172.16.0.100   Port: 1433   Application: Microsoft SQL Server 2000 (MSSQLSERVER)   Vulnerability Count: 1
--------------------------------------------------------------------------------
> RISK LEVEL: High
> APPLICATION TYPE: Microsoft SQL Server
> CHECK NAME: DBCC INDEXDEFRAG buffer overflow
> DESCRIPTION: This version of SQL Server contains a buffer overflow in the DBCC INDEXDEFRAG function.
> SUMMARY: The built-in function DBCC INDEXDEFRAG contains a buffer overflow that may allow an attacker to overwrite the stack and execute arbitrary code under the security context of the database. The first parameter of the function does not properly handle a long string.
--------------------------------------------------------------------------------
IP Address: 172.16.0.100   Port: 1433   Application: Microsoft SQL Server 2000 (MSSQLSERVER)   Vulnerability Count: 1
--------------------------------------------------------------------------------
> RISK LEVEL: High
> APPLICATION TYPE: Microsoft SQL Server
> CHECK NAME: DBCC SHOWCONTIG buffer overflow
> DESCRIPTION: This version of SQL Server contains a buffer overflow in the DBCC SHOWCONTIG function.
> SUMMARY: The built-in function DBCC SHOWCONTIG contains a buffer overflow that may allow an attacker to overwrite the stack and execute arbitrary code under the security context of the database. The first parameter of the function does not properly handle a long string.
--------------------------------------------------------------------------------
IP Address: 172.16.0.100   Port: 1433   Application: Microsoft SQL Server 2000 (MSSQLSERVER)   Vulnerability Count: 1
--------------------------------------------------------------------------------
> RISK LEVEL: High
> APPLICATION TYPE: Microsoft SQL Server
> CHECK NAME: DBCC SHOWTABLEAFFINITY buffer overflow
> DESCRIPTION: This version of SQL Server contains a buffer overflow in the DBCC SHOWTABLEAFFINITY function.
> SUMMARY: The built-in function DBCC SHOWTABLEAFFINITY contains a buffer overflow that may allow an attacker to overwrite the stack and execute arbitrary code under the security context of the database. The first parameter of the function does not properly handle a long string.
--------------------------------------------------------------------------------
IP Address: 172.16.0.100   Port: 1433   Application: Microsoft SQL Server 2000 (MSSQLSERVER)   Vulnerability Count: 1
--------------------------------------------------------------------------------
> RISK LEVEL: High
> APPLICATION TYPE: Microsoft SQL Server
> CHECK NAME: Enterprise Manager improperly revokes proxy account
> DESCRIPTION: This version of SQL Server is known to leave the SQL Agent Proxy Account enabled when it is disabled through Enterprise Manager.
> SUMMARY: Microsoft SQL Server 2000 is designed to run the xp_cmdshell extended stored procedure under a proxy account when it is not executed by a member of the sysadmin fixed server role. When the SQL Server Agent proxy account is revoked through Enterprise Manager, it is not properly revoked and commands continue to execute under the proxy account.
--------------------------------------------------------------------------------
IP Address: 172.16.0.100   Port: 1433   Application: Microsoft SQL Server 2000 (MSSQLSERVER)   Vulnerability Count: 1
--------------------------------------------------------------------------------
> RISK LEVEL: High
> APPLICATION TYPE: Microsoft SQL Server
> CHECK NAME: Extended stored proc privilege upgrade
> DESCRIPTION: Permissions to escalate privileges through misuse of extended stored procedures have not been removed.
> SUMMARY: Three extended stored procedures can be used to gain escalated privileges. If a login is connected as a Windows account, these extended stored procedures allow the login to reauthenticate to the SQL Server using the privileges of the account running SQL Server.
--------------------------------------------------------------------------------
IP Address: 172.16.0.100   Port: 1433   Application: Microsoft SQL Server 2000 (MSSQLSERVER)   Vulnerability Count: 3
--------------------------------------------------------------------------------
> RISK LEVEL: High
> APPLICATION TYPE: Microsoft SQL Server
> CHECK NAME: Format string vuln in xp_sprintf
> DESCRIPTION: This version of Microsoft SQL Server is known to be vulnerable to a format string vulnerability in the xp_sprintf function.
> SUMMARY: The extended stored procedure xp_sprintf contains a format string vulnerability that allows an attacker to execute malicious code under the security context of the database. xp_sprintf is included in a default installation of SQL Server and is granted to the public group.
--------------------------------------------------------------------------------
IP Address: 172.16.0.100   Port: 1433   Application: Microsoft SQL Server 2000 (MSSQLSERVER)   Vulnerability Count: 1
--------------------------------------------------------------------------------
> RISK LEVEL: High
> APPLICATION TYPE: Microsoft SQL Server
> CHECK NAME: FORMATMESSAGE buffer overflow
> DESCRIPTION: This version of Microsoft SQL Server is known to be vulnerable to a format string vulnerability in the FORMATMESSAGE function.
> SUMMARY: The built-in function FORMATMESSAGE contains a format string vulnerability that allows an attacker to execute malicious code under the security context of the database. FORMATMESSAGE is a function of SQL Server that loads and formats a string from the sysmessages table.
--------------------------------------------------------------------------------
IP Address: 172.16.0.100   Port: 1433   Application: Microsoft SQL Server 2000 (MSSQLSERVER)   Vulnerability Count: 1
--------------------------------------------------------------------------------
> RISK LEVEL: High
> APPLICATION TYPE: Microsoft SQL Server
> CHECK NAME: Hello buffer overflow
> DESCRIPTION: This version of SQL Server contains a buffer overflow in the authentication process.
> SUMMARY: During a login to Microsoft SQL Server, several packets containing user-defined data are passed from the client to the server. If an overly long string is passed as one of the user-defined fields, a buffer overflow condition is created on the server.
--------------------------------------------------------------------------------
IP Address: 172.16.0.100   Port: 1433   Application: Microsoft SQL Server 2000 (MSSQLSERVER)   Vulnerability Count: 1
--------------------------------------------------------------------------------
> RISK LEVEL: High
> APPLICATION TYPE: Microsoft SQL Server
> CHECK NAME: Job output file handling
> DESCRIPTION: The patch has not been installed to prevent non-privileged users from creating and executing jobs under the SQL Server Agent.
> SUMMARY: Microsoft SQL Server provides a mechanism to schedule jobs. This mechanism allows an unprivileged user to create jobs that will be executed using the elevated privileges of the SQL Server Agent.
--------------------------------------------------------------------------------
IP Address: 172.16.0.100   Port: 1433   Application: Microsoft SQL Server 2000 (MSSQLSERVER)   Vulnerability Count: 1
--------------------------------------------------------------------------------
> RISK LEVEL: High
> APPLICATION TYPE: Microsoft SQL Server
> CHECK NAME: Latest service pack/hot fix not applied
> DESCRIPTION: The latest service pack and hot fix for SQL Server have not been installed.
> SUMMARY: Microsoft releases service packs and hot fixes on a regular basis that provide various updates, including security fixes. Staying up to date on the latest service pack and hot fixes minimizes your risk of being vulnerable to buffer overflows and other attacks.
--------------------------------------------------------------------------------
IP Address: 172.16.0.100   Port: 1433   Application: Microsoft SQL Server 2000 (MSSQLSERVER)   Vulnerability Count: 1
--------------------------------------------------------------------------------
> RISK LEVEL: High
> APPLICATION TYPE: Microsoft SQL Server
> CHECK NAME: MDX Query buffer overflow
> DESCRIPTION: The appropriate hotfix has not been applied to fix the MDX buffer overflow.
> SUMMARY: Determines whether or not your server is susceptible to a buffer overflow involving Multidimensional Expressions (MDX) queries.
--------------------------------------------------------------------------------
IP Address: 172.16.0.100   Port: 1433   Application: Microsoft SQL Server 2000 (MSSQLSERVER)   Vulnerability Count: 1
--------------------------------------------------------------------------------
> RISK LEVEL: High
> APPLICATION TYPE: Microsoft SQL Server
> CHECK NAME: Permission on mswebtasks
> DESCRIPTION: Permissions have not been revoked from the group public on the table msdb.dbo.mswebtasks.
> SUMMARY: The table mswebtasks in the msdb database is used to manage web tasks. By default, permissions on this table are granted to the group public.
--------------------------------------------------------------------------------
IP Address: 172.16.0.100   Port: 1433   Application: Microsoft SQL Server 2000 (MSSQLSERVER)   Vulnerability Count: 4
--------------------------------------------------------------------------------
> RISK LEVEL: High
> APPLICATION TYPE: Microsoft SQL Server
> CHECK NAME: Permission on registry extended proc
> DESCRIPTION: Permission to execute the registry extended stored procedures has been granted to a user or group.
> SUMMARY: Microsoft SQL Server provides a set of extended stored procedures which allow database users to read from and write to the registry. If not configured properly, the registry extended stored procedures can be used to read or write sensitive information in the registry.
--------------------------------------------------------------------------------
IP Address: 172.16.0.100   Port: 1433   Application: Microsoft SQL Server 2000 (MSSQLSERVER)   Vulnerability Count: 2
--------------------------------------------------------------------------------
> RISK LEVEL: High
> APPLICATION TYPE: Microsoft SQL Server
> CHECK NAME: Permission on sp_runwebtask
> DESCRIPTION: EXECUTE permission has not been revoked from the group public on the system stored procedure master.dbo.sp_runwebtask.
> SUMMARY: The system stored procedure sp_runwebtask in the master database is used to run web tasks. By default, permission on this system stored procedure is granted to the group public.
--------------------------------------------------------------------------------
IP Address: 172.16.0.100   Port: 1433   Application: Microsoft SQL Server 2000 (MSSQLSERVER)   Vulnerability Count: 1
--------------------------------------------------------------------------------
> RISK LEVEL: High
> APPLICATION TYPE: Microsoft SQL Server
> CHECK NAME: Public can create Agent jobs
> DESCRIPTION: Permissions are granted to public on stored procedures used to create SQL Agent jobs.
> SUMMARY: A security issue exists that allows Agent jobs to create arbitrary files. By default, the public group is allowed to create jobs that the Agent runs. By crafting a malicious job, a non-privileged login can write arbitrary files on the operating system.
--------------------------------------------------------------------------------
IP Address: 172.16.0.100   Port: 1433   Application: Microsoft SQL Server 2000 (MSSQLSERVER)   Vulnerability Count: 4
--------------------------------------------------------------------------------
> RISK LEVEL: High
> APPLICATION TYPE: Microsoft SQL Server
> CHECK NAME: pwdencrypt buffer overflow
> DESCRIPTION: This version of SQL Server contains a buffer overflow in the pwdencrypt function.
> SUMMARY: The built-in function pwdencrypt contains a buffer overflow that may allow an attacker to overwrite the stack and execute arbitrary code under the security context of the database. The first parameter of the function does not properly handle a long string.
--------------------------------------------------------------------------------
IP Address: 172.16.0.100   Port: 1433   Application: Microsoft SQL Server 2000 (MSSQLSERVER)   Vulnerability Count: 1
--------------------------------------------------------------------------------
> RISK LEVEL: High
> APPLICATION TYPE: Microsoft SQL Server
> CHECK NAME: RAISERROR buffer overflow
> DESCRIPTION: This version of the database is known to be vulnerable to a buffer overflow in the function RAISERROR.
> SUMMARY: The built-in function RAISERROR contains a format string vulnerability that allows an attacker to execute malicious code under the security context of the database. RAISERROR is a function of SQL Server that loads and formats a string into the error handler of SQL Server.
--------------------------------------------------------------------------------
IP Address: 172.16.0.100   Port: 1433   Application: Microsoft SQL Server 2000 (MSSQLSERVER)   Vulnerability Count: 1
--------------------------------------------------------------------------------
> RISK LEVEL: High
> APPLICATION TYPE: Microsoft SQL Server
> CHECK NAME: Remote data source function unchecked buffer
> DESCRIPTION: This version of the database is known to be vulnerable to a buffer overflow in the remote data source functions.
> SUMMARY: When a query using a heterogeneous join is made, the OPENROWSET or OpenDataSource methods are called. These functions do not check that the first parameters passed to them are not excessively long. This allows a long command to be passed in, allowing arbitrary code to be executed.
--------------------------------------------------------------------------------
IP Address: 172.16.0.100   Port: 1433   Application: Microsoft SQL Server 2000 (MSSQLSERVER)   Vulnerability Count: 1
--------------------------------------------------------------------------------
> RISK LEVEL: High
> APPLICATION TYPE: Microsoft SQL Server
> CHECK NAME: Resolution service heap overflow
> DESCRIPTION: A heap-based buffer overflow exists in the resolution service.
> SUMMARY: The SQL Server resolution service accepts packets on UDP port 1434. A buffer overflow occurs on the heap area of memory when a maliciously-crafted packet is sent to the port. This allows an attacker to inject arbitrary code onto the heap. The malicious code would then be executed under the security context of the SQL Server service.
--------------------------------------------------------------------------------
IP Address: 172.16.0.100   Port: 1433   Application: Microsoft SQL Server 2000 (MSSQLSERVER)   Vulnerability Count: 1
--------------------------------------------------------------------------------
> RISK LEVEL: High
> APPLICATION TYPE: Microsoft SQL Server
> CHECK NAME: Resolution service stack overflow
> DESCRIPTION: A stack-based buffer overflow exists in the resolution service.
> SUMMARY: The SQL Server resolution service accepts packets on UDP port 1434. A buffer overflow occurs on the stack area of memory when a maliciously-crafted packet is sent to the port. This allows an attacker to inject arbitrary code onto the heap. The malicious code would then be executed under the security context of the SQL Server service.
--------------------------------------------------------------------------------
IP Address: 172.16.0.100   Port: 1433   Application: Microsoft SQL Server 2000 (MSSQLSERVER)   Vulnerability Count: 1
--------------------------------------------------------------------------------
> RISK LEVEL: High
> APPLICATION TYPE: Microsoft SQL Server
> CHECK NAME: Reusable cached administrator connection
> DESCRIPTION: This version of SQL Server is known to allow cached connections to be reused.
> SUMMARY: SQL Server performs caching of connections in order to optimize performance. A single SQL Query method enables cached administrator connections to be reused when SQL Server is configured to allow standard SQL Server logins. In this case, an attacker could use this method to hijack a cached connection that belongs to an administrator.
--------------------------------------------------------------------------------
IP Address: 172.16.0.100   Port: 1433   Application: Microsoft SQL Server 2000 (MSSQLSERVER)   Vulnerability Count: 1
--------------------------------------------------------------------------------
> RISK LEVEL: High
> APPLICATION TYPE: Microsoft SQL Server
> CHECK NAME: Slammer/Sapphire worm
> DESCRIPTION: The SQL Server is vulnerable to the Slammer worm.
> SUMMARY: The Slammer or Sapphire worm is a Microsoft SQL Server-based worm that propagates through the network using a buffer overflow in the Resolution Service of SQL Server. This worm does not have a malicious payload, but because it propagates very quickly, it can create a denial of service condition.
--------------------------------------------------------------------------------
IP Address: 172.16.0.100   Port: 1433   Application: Microsoft SQL Server 2000 (MSSQLSERVER)   Vulnerability Count: 1
--------------------------------------------------------------------------------
> RISK LEVEL: High
> APPLICATION TYPE: Microsoft SQL Server
> CHECK NAME: sp_MScopyscriptfile command injection
> DESCRIPTION: This version of SQL Server is known to contain a stored procedure called master.dbo.sp_MScopyscriptfile which is vulnerable to command injection.
> SUMMARY: The stored procedure sp_MScopyscriptfile is vulnerable to SQL injection. A file name is passed into the procedure. By crafting a malicious file name, the stored procedure can be caused to execute an operating system command using xp_cmdshell under the security context of SQL Server.
--------------------------------------------------------------------------------
IP Address: 172.16.0.100   Port: 1433   Application: Microsoft SQL Server 2000 (MSSQLSERVER)   Vulnerability Count: 1
--------------------------------------------------------------------------------
> RISK LEVEL: High
> APPLICATION TYPE: Microsoft SQL Server
> CHECK NAME: srv_paraminfo buffer overflow in xp_displayparamstmt
> DESCRIPTION: This version of the database is known to be vulnerable to a buffer overflow in the extended stored procedure xp_displayparamstmt.
> SUMMARY: The extended stored procedure xp_displayparamstmt contains a buffer overflow that may allow an attacker to overwrite the stack and execute arbitrary code under the security context of the database. The first parameter of the extended stored procedure xp_displayparamstmt does not properly handle a long string.
--------------------------------------------------------------------------------
IP Address: 172.16.0.100   Port: 1433   Application: Microsoft SQL Server 2000 (MSSQLSERVER)   Vulnerability Count: 1
--------------------------------------------------------------------------------
> RISK LEVEL: High
> APPLICATION TYPE: Microsoft SQL Server
> CHECK NAME: srv_paraminfo buffer overflow in xp_execresultset
> DESCRIPTION: This version of the database is known to be vulnerable to a buffer overflow in the extended stored procedure xp_execresultset.
> SUMMARY: The extended stored procedure xp_execresultset contains a buffer overflow that may allow an attacker to overwrite the stack and execute arbitrary code under the security context of the database. The first parameter of the extended stored procedure xp_execresultset does not properly handle a long string.
--------------------------------------------------------------------------------
IP Address: 172.16.0.100   Port: 1433   Application: Microsoft SQL Server 2000 (MSSQLSERVER)   Vulnerability Count: 1
--------------------------------------------------------------------------------
> RISK LEVEL: High
> APPLICATION TYPE: Microsoft SQL Server
> CHECK NAME: srv_paraminfo buffer overflow in xp_peekqueue
> DESCRIPTION: This version of the database is known to be vulnerable to a buffer overflow in the extended stored procedure xp_peekqueue.
> SUMMARY: The extended stored procedure xp_peekqueue contains a buffer overflow that may allow an attacker to overwrite the stack and execute arbitrary code under the security context of the database. The first parameter of the extended stored procedure xp_peekqueue does not properly handle a long string.
--------------------------------------------------------------------------------
IP Address: 172.16.0.100   Port: 1433   Application: Microsoft SQL Server 2000 (MSSQLSERVER)   Vulnerability Count: 1
--------------------------------------------------------------------------------
> RISK LEVEL: High
> APPLICATION TYPE: Microsoft SQL Server
> CHECK NAME: srv_paraminfo buffer overflow in xp_printstatements
> DESCRIPTION: This version of the database is known to be vulnerable to a buffer overflow in the extended stored procedure xp_printstatements.
> SUMMARY: The extended stored procedure xp_printstatements contains a buffer overflow that may allow an attacker to overwrite the stack and execute arbitrary code under the security context of the database. The first parameter of the extended stored procedure xp_printstatements does not properly handle a long string.
--------------------------------------------------------------------------------
IP Address: 172.16.0.100   Port: 1433   Application: Microsoft SQL Server 2000 (MSSQLSERVER)   Vulnerability Count: 1
--------------------------------------------------------------------------------
> RISK LEVEL: High
> APPLICATION TYPE: Microsoft SQL Server
> CHECK NAME: srv_paraminfo buffer overflow in xp_proxiedmetadata
> DESCRIPTION: This version of the database is known to be vulnerable to a buffer overflow in the extended stored procedure xp_proxiedmetadata.
> SUMMARY: The extended stored procedure xp_proxiedmetadata contains a buffer overflow that may allow an attacker to overwrite the stack and execute arbitrary code under the security context of the database. The second parameter of the extended stored procedure xp_proxiedmetadata does not properly handle a long string.
--------------------------------------------------------------------------------
IP Address: 172.16.0.100   Port: 1433   Application: Microsoft SQL Server 2000 (MSSQLSERVER)   Vulnerability Count: 1
--------------------------------------------------------------------------------
> RISK LEVEL: High
> APPLICATION TYPE: Microsoft SQL Server
> CHECK NAME: srv_paraminfo buffer overflow in xp_SetSQLSecurity
> DESCRIPTION: This version of the database is known to be vulnerable to a buffer overflow in the extended stored procedure xp_SetSQLSecurity.
> SUMMARY: The extended stored procedure xp_SetSQLSecurity contains a buffer overflow that may allow an attacker to overwrite the stack and execute arbitrary code under the security context of the database. The third parameter of the extended stored procedure xp_SetSQLSecurity does not properly handle a long string.
--------------------------------------------------------------------------------
IP Address: 172.16.0.100   Port: 1433   Application: Microsoft SQL Server 2000 (MSSQLSERVER)   Vulnerability Count: 1
--------------------------------------------------------------------------------
> RISK LEVEL: High
> APPLICATION TYPE: Microsoft SQL Server
> CHECK NAME: srv_paraminfo buffer overflow in xp_showcolv
> DESCRIPTION: This version of the database is known to be vulnerable to a buffer overflow in the extended stored procedure xp_showcolv.
> SUMMARY: The extended stored procedure xp_showcolv contains a buffer overflow that may allow an attacker to overwrite the stack and execute arbitrary code under the security context of the database. The first parameter of the extended stored procedure xp_showcolv does not properly handle a long string.
--------------------------------------------------------------------------------
IP Address: 172.16.0.100 Port: 1433 Application: Microsoft SQL Server 2000 (MSSQLSERVER) Vulnerability Count: 1
--------------------------------------------------------------------------------
> RISK LEVEL: High
> APPLICATION TYPE: Microsoft SQL Server
> CHECK NAME: srv_paraminfo buffer overflow in xp_updatecolvbm
> DESCRIPTION: This version of the database is known to be vulnerable to a buffer overflow in the extended stored procedure xp_updatecolvbm.
> SUMMARY: The extended stored procedure xp_updatecolvbm contains a buffer overflow that may allow an attacker to overwrite the stack and execute arbitrary code under the security context of the database. The first parameter of the extended stored procedure xp_updatecolvbm does not properly handle a long string.
--------------------------------------------------------------------------------
IP Address: 172.16.0.100 Port: 1433 Application: Microsoft SQL Server 2000 (MSSQLSERVER) Vulnerability Count: 1
--------------------------------------------------------------------------------
> RISK LEVEL: High
> APPLICATION TYPE: Microsoft SQL Server
> CHECK NAME: UDP broadcast buffer overflow
> DESCRIPTION: The version of the MDAC component is susceptible to a UDP broadcast buffer overflow.
> SUMMARY: A Unicode buffer overflow exists in the SQL Server SQL-DMO library that could allow a remote user to execute malicious code on the target computer. The vulnerability does not occur when accepting incoming connections, but rather in the response to broadcast queries.
--------------------------------------------------------------------------------
IP Address: 172.16.0.100 Port: 1433 Application: Microsoft SQL Server 2000 (MSSQLSERVER) Vulnerability Count: 1
--------------------------------------------------------------------------------
> RISK LEVEL: High
> APPLICATION TYPE: Microsoft SQL Server
> CHECK NAME: xp_dirtree buffer overflow
> DESCRIPTION: The xp_dirtree extended stored procedure has not been removed, nor has the appropriate hotfix been applied.
> SUMMARY: The extended stored procedure xp_dirtree contains a buffer overflow that may allow an attacker to overwrite the stack and execute arbitrary code under the security context of the database. The first parameter of the extended stored procedure xp_dirtree does not properly handle a long string.
--------------------------------------------------------------------------------
IP Address: 172.16.0.100 Port: 1433 Application: Microsoft SQL Server 2000 (MSSQLSERVER) Vulnerability Count: 1
--------------------------------------------------------------------------------
> RISK LEVEL: High
> APPLICATION TYPE: Microsoft SQL Server
> CHECK NAME: xp_mergelineages buffer overflow
> DESCRIPTION: The appropriate hotfix has not been applied to fix the xp_mergelineages buffer overflow.
> SUMMARY: The extended stored procedure xp_mergelineages contains a buffer overflow that may allow an attacker to overwrite the stack and execute arbitrary code under the security context of the database. The first parameter of the extended stored procedure xp_mergelineages does not properly handle a long string.
--------------------------------------------------------------------------------
IP Address: 172.16.0.100 Port: 1433 Application: Microsoft SQL Server 2000 (MSSQLSERVER) Vulnerability Count: 1
--------------------------------------------------------------------------------
> RISK LEVEL: High
> APPLICATION TYPE: Microsoft SQL Server
> CHECK NAME: xp_proxiedmetadata buffer overflow
> DESCRIPTION: The appropriate hotfix has not been applied to fix the xp_proxiedmetadata buffer overflow.
> SUMMARY: The extended stored procedure xp_proxiedmetadata contains a buffer overflow that may allow an attacker to overwrite the stack and execute arbitrary code under the security context of the database. The first parameter of the extended stored procedure xp_proxiedmetadata does not properly handle a long string.
--------------------------------------------------------------------------------
IP Address: 172.16.0.100 Port: 1433 Application: Microsoft SQL Server 2000 (MSSQLSERVER) Vulnerability Count: 1
--------------------------------------------------------------------------------
> RISK LEVEL: High
> APPLICATION TYPE: MySQL
> CHECK NAME: Anonymous user exists
> DESCRIPTION: The database is configured to allow anonymous access.
> SUMMARY: Many of the early versions of MySQL allow anonymous access by default. This allows an attacker to easily break into the database.
--------------------------------------------------------------------------------
IP Address: 172.16.0.233 Port: 3306 Application: MySQL 3.23 Database Vulnerability Count: 1
--------------------------------------------------------------------------------
> RISK LEVEL: High
> APPLICATION TYPE: MySQL
> CHECK NAME: COM_CHANGE_USER memory corruption
> DESCRIPTION: This version of MySQL contains a buffer overflow in the COM_CHANGE_USER function.
> SUMMARY: An error in the COM_CHANGE_USER function in the MySQL database can be exploited by a valid user to gain full control of the database server.
This error is the result of a lack of bounds checking, resulting in a stack-based buffer overflow.
--------------------------------------------------------------------------------
IP Address: 172.16.0.233 Port: 3306 Application: MySQL 3.23 Database Vulnerability Count: 1
--------------------------------------------------------------------------------
> RISK LEVEL: High
> APPLICATION TYPE: MySQL
> CHECK NAME: COM_CHANGE_USER password length compromise
> DESCRIPTION: This version of MySQL contains an error in the COM_CHANGE_USER function which could allow any password to be compromised.
> SUMMARY: An error in the authentication mechanism of MySQL makes it trivial for one user to compromise any other user in the system. The vulnerability exists in the COM_CHANGE_USER function.
--------------------------------------------------------------------------------
IP Address: 172.16.0.233 Port: 3306 Application: MySQL 3.23 Database Vulnerability Count: 1
--------------------------------------------------------------------------------
> RISK LEVEL: High
> APPLICATION TYPE: MySQL
> CHECK NAME: get_salt_from_password buffer overflow
> DESCRIPTION: The MySQL database is vulnerable to a buffer overflow in the get_salt_from_password function.
> SUMMARY: A buffer overflow exists in the get_salt_from_password function defined in sql/password.c. Successful exploitation of this vulnerability allows an attacker to get a remote shell on the server with the privileges of the system account under which `mysqld` runs. Global administrative privileges in the mysql database are required to be able to exploit this vulnerability.
--------------------------------------------------------------------------------
IP Address: 172.16.0.233 Port: 3306 Application: MySQL 3.23 Database Vulnerability Count: 1
--------------------------------------------------------------------------------
> RISK LEVEL: High
> APPLICATION TYPE: MySQL
> CHECK NAME: Latest release not installed
> DESCRIPTION: The latest release has not been installed.
> SUMMARY: MySQL releases updates on a regular basis that provide various fixes, including security fixes. Staying up to date on the latest version minimizes your risk of being vulnerable to buffer overflows and other attacks.
--------------------------------------------------------------------------------
IP Address: 172.16.0.233 Port: 3306 Application: MySQL 3.23 Database Vulnerability Count: 1
--------------------------------------------------------------------------------
> RISK LEVEL: High
> APPLICATION TYPE: MySQL
> CHECK NAME: mysqld privilege escalation
> DESCRIPTION: The MySQL daemon is vulnerable to a privilege escalation attack caused by reading world-writable files.
> SUMMARY: A vulnerability in the MySQL daemon allows the engine to be started with elevated privileges. This local vulnerability would allow an attacker on the operating system to gain full control of the operating system via the MySQL database.
--------------------------------------------------------------------------------
IP Address: 172.16.0.233 Port: 3306 Application: MySQL 3.23 Database Vulnerability Count: 1
--------------------------------------------------------------------------------
> RISK LEVEL: High
> APPLICATION TYPE: Oracle
> CHECK NAME: ADMIN_RESTRICTIONS flag not set
> DESCRIPTION: The ADMIN_RESTRICTIONS flag has not been set.
> SUMMARY: If a password is not set on the listener service, an attacker can read and write files on the operating system. To alleviate this issue, Oracle added a new parameter called ADMIN_RESTRICTIONS.
The ADMIN_RESTRICTIONS flag disables the ability of the listener controller to set parameters, thereby preventing remote users from setting parameters. After setting this parameter, you must edit the listener parameters directly in the listener.ora file.
--------------------------------------------------------------------------------
IP Address: 172.16.0.65 Port: 1521 Application: Oracle9i Database (sunny5) Vulnerability Count: 1
--------------------------------------------------------------------------------
> RISK LEVEL: High
> APPLICATION TYPE: Oracle
> CHECK NAME: Default database password
> DESCRIPTION: A default database password has not been changed.
> SUMMARY: Oracle is installed with a list of well-known usernames and passwords. If a default password has not been changed, an attacker can easily break into a database.
--------------------------------------------------------------------------------
IP Address: 172.16.0.65 Port: 1521 Application: Oracle9i Database (sunny5) Vulnerability Count: 2
--------------------------------------------------------------------------------
> RISK LEVEL: High
> APPLICATION TYPE: Oracle
> CHECK NAME: External procedure service found
> DESCRIPTION: At least one external procedure service is running.
> SUMMARY: Oracle provides a method of calling functions outside the database by creating external procedure servers. This feature extends Oracle's functionality greatly and is very useful. However, if access to send commands to these external procedure servers is not properly restricted, anonymous users can gain control of the operating system.
--------------------------------------------------------------------------------
IP Address: 172.16.0.65 Port: 1521 Application: Oracle9i Database (sunny5) Vulnerability Count: 1
--------------------------------------------------------------------------------
> RISK LEVEL: High
> APPLICATION TYPE: Oracle
> CHECK NAME: Listener password not enabled
> DESCRIPTION: The password feature for the listener service was not enabled.
> SUMMARY: A strong password must be set on the listener service to prevent remote users from guessing the password. If the password feature is not enabled, an attacker can use the listener service to write files on the operating system, possibly gaining access as the account that owns the Oracle installation.
--------------------------------------------------------------------------------
IP Address: 172.16.0.65 Port: 1521 Application: Oracle9i Database (sunny5) Vulnerability Count: 1
--------------------------------------------------------------------------------
> RISK LEVEL: High
> APPLICATION TYPE: Sybase
> CHECK NAME: Password same as login name
> DESCRIPTION: A password has been found that matches the login name.
> SUMMARY: If the password for a login is set to the same as the login name, an attacker can easily access the database using the login.
--------------------------------------------------------------------------------
IP Address: 172.16.0.94 Port: 5000 Application: Sybase 12.5 Vulnerability Count: 1
--------------------------------------------------------------------------------
> RISK LEVEL: Medium
> APPLICATION TYPE: IBM DB2
> CHECK NAME: db2licm buffer overflow (Verify version)
> DESCRIPTION: This version of IBM DB2 is vulnerable to a buffer overflow in the db2licm binary.
> SUMMARY: IBM DB2 provides a utility called db2licm to manage the license under which it runs. There is a buffer overflow in the db2licm binary that allows a local attacker to gain `root` privileges on the system running IBM DB2.
--------------------------------------------------------------------------------
IP Address: 172.16.0.64 Port: 50000 Application: DB2 6.1 (db2inst2:SAMPLE) Vulnerability Count: 1
--------------------------------------------------------------------------------
> RISK LEVEL: Medium
> APPLICATION TYPE: IBM DB2
> CHECK NAME: db2start buffer overflow (Verify version)
> DESCRIPTION: This version of IBM DB2 is vulnerable to a format string buffer overflow in the db2start binary.
> SUMMARY: IBM DB2 provides a command line utility to start the background processes of the current database manager instance. There exists a format string buffer overflow in the db2start binary which can allow a local attacker to gain `root` privileges on the system running the IBM DB2 database.
--------------------------------------------------------------------------------
IP Address: 172.16.0.64 Port: 50000 Application: DB2 6.1 (db2inst2:SAMPLE) Vulnerability Count: 1
--------------------------------------------------------------------------------
> RISK LEVEL: Medium
> APPLICATION TYPE: Microsoft SQL Server
> CHECK NAME: Auditing of failed logins
> DESCRIPTION: Auditing of failed login attempts is not enabled.
> SUMMARY: Microsoft SQL Server provides a facility to record failed connection attempts to the database. Recording these actions is necessary in order to detect when an attack occurs and to be able to analyze the attack after the fact.
--------------------------------------------------------------------------------
IP Address: 172.16.0.100 Port: 1433 Application: Microsoft SQL Server 2000 (MSSQLSERVER) Vulnerability Count: 1
--------------------------------------------------------------------------------
> RISK LEVEL: Medium
> APPLICATION TYPE: Microsoft SQL Server
> CHECK NAME: Auditing of successful logins
> DESCRIPTION: Auditing of successful login attempts is not enabled.
> SUMMARY: Microsoft SQL Server provides a facility to record successful connection attempts to the database.
Recording these actions is necessary in order to detect when an attack occurs and to be able to analyze the attack after the fact.
--------------------------------------------------------------------------------
IP Address: 172.16.0.100 Port: 1433 Application: Microsoft SQL Server 2000 (MSSQLSERVER) Vulnerability Count: 1
--------------------------------------------------------------------------------
> RISK LEVEL: Medium
> APPLICATION TYPE: Microsoft SQL Server
> CHECK NAME: Buffer overflow in LPC
> DESCRIPTION: This version of the database is known to be vulnerable to a buffer overflow in the Local Procedure Call mechanism.
> SUMMARY: One of the communication mechanisms supported by Microsoft SQL Server is Local Procedure Calls. A malicious packet sent to this port can corrupt the server memory, resulting in the execution of malicious code.
--------------------------------------------------------------------------------
IP Address: 172.16.0.100 Port: 1433 Application: Microsoft SQL Server 2000 (MSSQLSERVER) Vulnerability Count: 1
--------------------------------------------------------------------------------
> RISK LEVEL: Medium
> APPLICATION TYPE: Microsoft SQL Server
> CHECK NAME: C2 Audit Mode
> DESCRIPTION: The `c2 audit mode` configuration option is not enabled.
> SUMMARY: Microsoft SQL Server provides an option to record access to statements and objects. Used properly, this feature can be useful for detecting misuse and attacks on the database.
--------------------------------------------------------------------------------
IP Address: 172.16.0.100 Port: 1433 Application: Microsoft SQL Server 2000 (MSSQLSERVER) Vulnerability Count: 1
--------------------------------------------------------------------------------
> RISK LEVEL: Medium
> APPLICATION TYPE: Microsoft SQL Server
> CHECK NAME: Database ownership chaining not disabled
> DESCRIPTION: SQL Server database ownership chaining has not been disabled.
> SUMMARY: Microsoft SQL Server allows chaining ownership across databases. This feature can be used by a malicious database owner to elevate their privileges to system administrator.
--------------------------------------------------------------------------------
IP Address: 172.16.0.100 Port: 1433 Application: Microsoft SQL Server 2000 (MSSQLSERVER) Vulnerability Count: 1
--------------------------------------------------------------------------------
> RISK LEVEL: Medium
> APPLICATION TYPE: Microsoft SQL Server
> CHECK NAME: DTS package procedures granted to public
> DESCRIPTION: Verify that the execute permission has been revoked from public on the stored procedures msdb.dbo.sp_enum_dtspackages and msdb.dbo.sp_get_dtspackage.
> SUMMARY: DTS packages in SQL Server allow database administrators to create scripts that will perform a set of database actions at regular intervals. As part of the creation of a DTS package, the administrator provides the login name and password under which the action should be taken. To protect this password, public permissions on msdb.dbo.sp_get_dtspackage should be revoked.
--------------------------------------------------------------------------------
IP Address: 172.16.0.100 Port: 1433 Application: Microsoft SQL Server 2000 (MSSQLSERVER) Vulnerability Count: 2
--------------------------------------------------------------------------------
> RISK LEVEL: Medium
> APPLICATION TYPE: Microsoft SQL Server
> CHECK NAME: Encoded password written by installation
> DESCRIPTION: This version of SQL Server is known to write into a log file an encoded version of the password used to perform the installation.
> SUMMARY: When installing Microsoft SQL Server 2000 or a service pack for Microsoft SQL Server 7.0 or 2000, encoded versions of the passwords entered are written to the file setup.iss. The log file's default permissions allow any user able to log on interactively to the operating system to read the file and discover the password.
--------------------------------------------------------------------------------
IP Address: 172.16.0.100 Port: 1433 Application: Microsoft SQL Server 2000 (MSSQLSERVER) Vulnerability Count: 1
--------------------------------------------------------------------------------
> RISK LEVEL: Medium
> APPLICATION TYPE: Microsoft SQL Server
> CHECK NAME: Guest user exists in database
> DESCRIPTION: A guest user was found.
> SUMMARY: For each database in Microsoft SQL Server, a login must be linked to a user to access the database. If a login has not been granted access to a database, the login will be mapped to a user called guest if that user exists. Guest users should only be used when appropriate.
--------------------------------------------------------------------------------
IP Address: 172.16.0.100 Port: 1433 Application: Microsoft SQL Server 2000 (MSSQLSERVER) Vulnerability Count: 3
--------------------------------------------------------------------------------
> RISK LEVEL: Medium
> APPLICATION TYPE: Microsoft SQL Server
> CHECK NAME: Named Pipe Hijacking
> DESCRIPTION: This version of the database is known to be vulnerable to named pipe hijacking.
> SUMMARY: One of the communication mechanisms supported by Microsoft SQL Server is Named Pipes. An error in the authentication mechanism of the named pipes allows an attacker that is a local user to hijack or steal a named pipe from another user. This can be used by an attacker to gain full control of the database.
--------------------------------------------------------------------------------
IP Address: 172.16.0.100 Port: 1433 Application: Microsoft SQL Server 2000 (MSSQLSERVER) Vulnerability Count: 1
--------------------------------------------------------------------------------
> RISK LEVEL: Medium
> APPLICATION TYPE: Microsoft SQL Server
> CHECK NAME: SQL Agent procedures granted to public
> DESCRIPTION: The stored procedure msdb.dbo.sp_get_sqlagent_properties can be executed by public.
> SUMMARY: SQL Server provides an engine, called the SQL Server Agent, to perform maintenance tasks. If the agent is configured to use a login name and password, the stored procedure sp_get_sqlagent_properties can be used to discover the password. By default, all logins can execute this stored procedure.
--------------------------------------------------------------------------------
IP Address: 172.16.0.100 Port: 1433 Application: Microsoft SQL Server 2000 (MSSQLSERVER) Vulnerability Count: 1
--------------------------------------------------------------------------------
> RISK LEVEL: Medium
> APPLICATION TYPE: Microsoft SQL Server
> CHECK NAME: Table to store DTS passwords publicly viewable
> DESCRIPTION: The table msdb.dbo.RTblDBMProps can be viewed by all logins on the server.
> SUMMARY: DTS packages can be saved to SQL Server's Meta Data Service. This gives administrators the ability to save meta data about the package as well as data lineage. When a DTS package is saved to the Meta Data Service, the account and password used to connect to the data source are saved in the table msdb.dbo.RTblDBMProps. This table is publicly viewable on a default installation of Microsoft SQL Server 2000.
--------------------------------------------------------------------------------
IP Address: 172.16.0.100 Port: 1433 Application: Microsoft SQL Server 2000 (MSSQLSERVER) Vulnerability Count: 1
--------------------------------------------------------------------------------
> RISK LEVEL: Medium
> APPLICATION TYPE: MySQL
> CHECK NAME: libmysqlclient library read_rows buffer overflow
> DESCRIPTION: This version of the MySQL client library contains a buffer overflow in the read_rows function.
> SUMMARY: A vulnerability in the MySQL client application could allow a malicious MySQL server to take control of the MySQL client. This is the result of a buffer overflow in the function read_rows in the MySQL client library.
--------------------------------------------------------------------------------
IP Address: 172.16.0.233 Port: 3306 Application: MySQL 3.23 Database Vulnerability Count: 1
--------------------------------------------------------------------------------
> RISK LEVEL: Medium
> APPLICATION TYPE: MySQL
> CHECK NAME: libmysqlclient read_one_row buffer overflow
> DESCRIPTION: This version of the MySQL client library contains a buffer overflow in the read_one_row function.
> SUMMARY: A vulnerability in the MySQL client application could allow a malicious MySQL server to take control of the MySQL client. This is the result of a buffer overflow in the function read_one_row in the MySQL client library.
--------------------------------------------------------------------------------
IP Address: 172.16.0.233 Port: 3306 Application: MySQL 3.23 Database Vulnerability Count: 1
--------------------------------------------------------------------------------
> RISK LEVEL: Medium
> APPLICATION TYPE: MySQL
> CHECK NAME: mysql_real_connect buffer overflow
> DESCRIPTION: This version of MySQL contains a buffer overflow in the mysql_real_connect function.
> SUMMARY: Users can send a long string to the mysql_real_connect function to cause a stack-based buffer overflow.
--------------------------------------------------------------------------------
IP Address: 172.16.0.233 Port: 3306 Application: MySQL 3.23 Database Vulnerability Count: 1
--------------------------------------------------------------------------------
> RISK LEVEL: Low
> APPLICATION TYPE: IBM DB2
> CHECK NAME: Query compiler DoS (Verify version)
> DESCRIPTION: This version of the database is known to be vulnerable to a DoS in the Query Compiler.
> SUMMARY: A denial of service vulnerability was discovered in the Query Compiler of DB2 UDB. When running a specially formatted SELECT CASE, the database crashes.
--------------------------------------------------------------------------------
IP Address: 172.16.0.64 Port: 50000 Application: DB2 6.1 (db2inst2:SAMPLE) Vulnerability Count: 1
--------------------------------------------------------------------------------
> RISK LEVEL: Low
> APPLICATION TYPE: Microsoft SQL Server
> CHECK NAME: BUILTIN\Administrators not removed
> DESCRIPTION: The sysadmin role has not been revoked from the BUILTIN\Administrators group.
> SUMMARY: By default, the Windows group BUILTIN\Administrators is granted the sysadmin role in Microsoft SQL Server. This makes any Windows administrator a SQL Server administrator as well. It is good security practice to separate these responsibilities and remove BUILTIN\Administrators from the sysadmin role.
--------------------------------------------------------------------------------
IP Address: 172.16.0.100 Port: 1433 Application: Microsoft SQL Server 2000 (MSSQLSERVER) Vulnerability Count: 1
--------------------------------------------------------------------------------
> RISK LEVEL: Low
> APPLICATION TYPE: Microsoft SQL Server
> CHECK NAME: BULK INSERT buffer overflow
> DESCRIPTION: A buffer overflow exists in the built-in function BULK INSERT.
> SUMMARY: The built-in function BULK INSERT contains a buffer overflow that may allow an attacker to overwrite the stack and execute arbitrary code under the security context of the database. The first parameter of BULK INSERT does not properly handle a long string.
--------------------------------------------------------------------------------
IP Address: 172.16.0.100 Port: 1433 Application: Microsoft SQL Server 2000 (MSSQLSERVER) Vulnerability Count: 1
--------------------------------------------------------------------------------
> RISK LEVEL: Low
> APPLICATION TYPE: Microsoft SQL Server
> CHECK NAME: Case-insensitive sort order
> DESCRIPTION: The sort order is not case-sensitive.
> SUMMARY: The sort order on your SQL Server determines the manner in which your data will be sorted. It is specific to national languages and can be case-sensitive as well as accent-sensitive. If your sort order is not case-sensitive, a hacker attempting to brute-force a password does not have to worry about the case of the passwords being attacked (i.e. `asi`, `ASI`, `Asi`, etc. are all considered the same word). This can significantly shorten the amount of time it takes to crack a password.
--------------------------------------------------------------------------------
IP Address: 172.16.0.100 Port: 1433 Application: Microsoft SQL Server 2000 (MSSQLSERVER) Vulnerability Count: 1
--------------------------------------------------------------------------------
> RISK LEVEL: Low
> APPLICATION TYPE: Microsoft SQL Server
> CHECK NAME: Changing mode may leave sa password blank
> DESCRIPTION: This version of SQL Server is known to leave a blank password for the sa login when the authentication mode is changed to support SQL Server logins.
> SUMMARY: Microsoft SQL Server supports authentication both through Windows and through standard SQL Server logins. In unpatched builds of SQL Server 2000 as well as older versions of SQL Server, when the authentication mode was switched from Windows to SQL Server logins, the password for the sa login was left blank.
--------------------------------------------------------------------------------
IP Address: 172.16.0.100 Port: 1433 Application: Microsoft SQL Server 2000 (MSSQLSERVER) Vulnerability Count: 1
--------------------------------------------------------------------------------
> RISK LEVEL: Low
> APPLICATION TYPE: Microsoft SQL Server
> CHECK NAME: Computed column UDF DoS
> DESCRIPTION: An attacker can bring down this version of Microsoft SQL Server by selecting from a table with a computed column that references a user-defined function.
> SUMMARY: A denial of service condition exists that allows a user to crash the SQL Server when a computed column references a user-defined function. By crashing the SQL Server, a non-privileged login can perform a denial of service attack.
--------------------------------------------------------------------------------
IP Address: 172.16.0.100 Port: 1433 Application: Microsoft SQL Server 2000 (MSSQLSERVER) Vulnerability Count: 1
--------------------------------------------------------------------------------
> RISK LEVEL: Low
> APPLICATION TYPE: Microsoft SQL Server
> CHECK NAME: DBCC addextendedproc buffer overflow
> DESCRIPTION: This version of SQL Server contains a buffer overflow in the DBCC addextendedproc function.
> SUMMARY: The built-in function DBCC addextendedproc contains a buffer overflow that may allow an attacker to overwrite the stack and execute arbitrary code under the security context of the database. The first parameter of the function does not properly handle a long string.
--------------------------------------------------------------------------------
IP Address: 172.16.0.100 Port: 1433 Application: Microsoft SQL Server 2000 (MSSQLSERVER) Vulnerability Count: 1
--------------------------------------------------------------------------------
> RISK LEVEL: Low
> APPLICATION TYPE: Microsoft SQL Server
> CHECK NAME: DBCC BUFFER buffer overflow
> DESCRIPTION: This version of SQL Server contains a buffer overflow in the DBCC BUFFER function.
> SUMMARY: The built-in function DBCC BUFFER contains a buffer overflow that may allow an attacker to overwrite the stack and execute arbitrary code under the security context of the database. The second parameter of the function does not properly handle a long string.
--------------------------------------------------------------------------------
IP Address: 172.16.0.100 Port: 1433 Application: Microsoft SQL Server 2000 (MSSQLSERVER) Vulnerability Count: 1
--------------------------------------------------------------------------------
> RISK LEVEL: Low
> APPLICATION TYPE: Microsoft SQL Server
> CHECK NAME: DBCC CHECKCONSTRAINTS buffer overflow
> DESCRIPTION: This version of SQL Server contains a buffer overflow in the DBCC CHECKCONSTRAINTS function.
> SUMMARY: The built-in function DBCC CHECKCONSTRAINTS contains a buffer overflow that may allow an attacker to overwrite the stack and execute arbitrary code under the security context of the database. The first parameter of the function does not properly handle a long string.
--------------------------------------------------------------------------------
IP Address: 172.16.0.100 Port: 1433 Application: Microsoft SQL Server 2000 (MSSQLSERVER) Vulnerability Count: 1
--------------------------------------------------------------------------------
> RISK LEVEL: Low
> APPLICATION TYPE: Microsoft SQL Server
> CHECK NAME: DBCC PROCBUF buffer overflow
> DESCRIPTION: This version of SQL Server contains a buffer overflow in the DBCC PROCBUF function.
> SUMMARY: The built-in function DBCC PROCBUF contains a buffer overflow that may allow an attacker to overwrite the stack and execute arbitrary code under the security context of the database. The second parameter of the function does not properly handle a long string.
--------------------------------------------------------------------------------
IP Address: 172.16.0.100 Port: 1433 Application: Microsoft SQL Server 2000 (MSSQLSERVER) Vulnerability Count: 1
--------------------------------------------------------------------------------
> RISK LEVEL: Low
> APPLICATION TYPE: Microsoft SQL Server
> CHECK NAME: DBCC UPDATEUSAGE buffer overflow
> DESCRIPTION: This version of SQL Server contains a buffer overflow in the DBCC UPDATEUSAGE function.
> SUMMARY: The built-in function DBCC UPDATEUSAGE contains a buffer overflow that may allow an attacker to overwrite the stack and execute arbitrary code under the security context of the database. The second parameter of the function does not properly handle a long string.
--------------------------------------------------------------------------------
IP Address: 172.16.0.100 Port: 1433 Application: Microsoft SQL Server 2000 (MSSQLSERVER) Vulnerability Count: 1
--------------------------------------------------------------------------------
> RISK LEVEL: Low
> APPLICATION TYPE: Microsoft SQL Server
> CHECK NAME: Error logs can be overwritten
> DESCRIPTION: The maximum number of error log files is set too low, and error logs could be overwritten.
> SUMMARY: Microsoft SQL Server writes data such as successful logins, failed logins, and error information to an error log on the operating system. Each time the server is restarted, another file is created. After the configured number of restarts, SQL Server will overwrite previous files.
--------------------------------------------------------------------------------
IP Address: 172.16.0.100 Port: 1433 Application: Microsoft SQL Server 2000 (MSSQLSERVER) Vulnerability Count: 1
--------------------------------------------------------------------------------
> RISK LEVEL: Low
> APPLICATION TYPE: Microsoft SQL Server
> CHECK NAME: Format string in C runtime DoS
> DESCRIPTION: This version of Microsoft SQL Server is known to be vulnerable to a format string vulnerability in the C runtime functions.
> SUMMARY: SQL Server contains a number of built-in functions based on C-style format specifiers. Several of these functions contain format string vulnerabilities that would allow an attacker to create malicious input that could crash the database or run code under the security context of the database.
--------------------------------------------------------------------------------
IP Address: 172.16.0.100 Port: 1433 Application: Microsoft SQL Server 2000 (MSSQLSERVER) Vulnerability Count: 1
--------------------------------------------------------------------------------
> RISK LEVEL: Low
> APPLICATION TYPE: Microsoft SQL Server
> CHECK NAME: Malformed RPC request DoS
> DESCRIPTION: This version of Microsoft SQL Server can be crashed by sending a malformed RPC request.
> SUMMARY: In addition to supporting the TDS protocol, SQL Server also supports the use of Remote Procedure Call (RPC) for communicating with the database. It has been discovered that the RPC engine of SQL Server does not adequately validate inputs, and in some cases accepts invalid input that results in a DoS attack.
--------------------------------------------------------------------------------
IP Address: 172.16.0.100 Port: 1433 Application: Microsoft SQL Server 2000 (MSSQLSERVER) Vulnerability Count: 1
--------------------------------------------------------------------------------
> RISK LEVEL: Low
> APPLICATION TYPE: Microsoft SQL Server
> CHECK NAME: Named Pipe DoS
> DESCRIPTION: This version of the database is known to be vulnerable to a denial of service in the named pipe mechanism.
> SUMMARY: One of the communication mechanisms supported by Microsoft SQL Server is Named Pipes. A malicious packet sent to the named pipe on which SQL Server listens can cause the named pipe to stop functioning, resulting in a denial of service.
--------------------------------------------------------------------------------
IP Address: 172.16.0.100 Port: 1433 Application: Microsoft SQL Server 2000 (MSSQLSERVER) Vulnerability Count: 1
--------------------------------------------------------------------------------
> RISK LEVEL: Low
> APPLICATION TYPE: Microsoft SQL Server
> CHECK NAME: Openrowset reveals service account
> DESCRIPTION: The account that the SQL Server service runs under can be revealed by executing an invalid openrowset command.
> SUMMARY: The openrowset function reveals the account that the SQL Server service is running under.
--------------------------------------------------------------------------------
IP Address: 172.16.0.100 Port: 1433 Application: Microsoft SQL Server 2000 (MSSQLSERVER) Vulnerability Count: 1
--------------------------------------------------------------------------------
> RISK LEVEL: Low
> APPLICATION TYPE: Microsoft SQL Server
> CHECK NAME: Permission on sp_MSsetalertinfo
> DESCRIPTION: EXECUTE permissions have not been revoked from public on the stored procedure master.dbo.sp_MSsetalertinfo.
> SUMMARY: The system stored procedure sp_MSsetalertinfo in the master database is used to configure SQL Server responses to alerts.
By default, permission to execute this stored procedure is granted to the group public.
--------------------------------------------------------------------------------
IP Address: 172.16.0.100 Port: 1433 Application: Microsoft SQL Server 2000 (MSSQLSERVER) Vulnerability Count: 1
--------------------------------------------------------------------------------
> RISK LEVEL: Low
> APPLICATION TYPE: Microsoft SQL Server
> CHECK NAME: Permission on sp_MSSetServerProperties
> DESCRIPTION: EXECUTE permissions have not been revoked from public on the stored procedure master.dbo.sp_MSSetServerProperties.
> SUMMARY: The system stored procedure sp_MSSetServerProperties in the master database is used to configure whether SQL Server is set to auto-start or not. By default, permission to execute this stored procedure is granted to the group public.
--------------------------------------------------------------------------------
IP Address: 172.16.0.100 Port: 1433 Application: Microsoft SQL Server 2000 (MSSQLSERVER) Vulnerability Count: 1
--------------------------------------------------------------------------------
> RISK LEVEL: Low
> APPLICATION TYPE: Microsoft SQL Server
> CHECK NAME: Permission on sp_readwebtask
> DESCRIPTION: EXECUTE permission has not been revoked from the group public on the system stored procedure master.dbo.sp_readwebtask.
> SUMMARY: The system stored procedure sp_readwebtask in the master database is used to read web tasks. By default, permission on this system stored procedure is granted to the group public.
--------------------------------------------------------------------------------
IP Address: 172.16.0.100 Port: 1433 Application: Microsoft SQL Server 2000 (MSSQLSERVER) Vulnerability Count: 1
--------------------------------------------------------------------------------
> RISK LEVEL: Low
> APPLICATION TYPE: Microsoft SQL Server
> CHECK NAME: Permission to select from syslogins
> DESCRIPTION: SELECT permissions have not been revoked from the syslogins table.
> SUMMARY: The system table syslogins contains the list of valid logins allowed in the master database. Anyone granted access to select from the table can gather a list of valid logins to attack.
--------------------------------------------------------------------------------
IP Address: 172.16.0.100 Port: 1433 Application: Microsoft SQL Server 2000 (MSSQLSERVER) Vulnerability Count: 27
--------------------------------------------------------------------------------
> RISK LEVEL: Low
> APPLICATION TYPE: Microsoft SQL Server
> CHECK NAME: Resolution service DoS
> DESCRIPTION: A network denial of service attack exists in the UDP-based resolution service.
> SUMMARY: The SQL Server resolution service accepts packets on UDP port 1434. This service supports an echo capability that can be used to flood a network with traffic. If an attacker is able to send a UDP packet to a SQL Server spoofed from another SQL Server, the two SQL Servers will be placed in an endless loop of echoing the packet back and forth.
--------------------------------------------------------------------------------
IP Address: 172.16.0.100 Port: 1433 Application: Microsoft SQL Server 2000 (MSSQLSERVER) Vulnerability Count: 1
--------------------------------------------------------------------------------
> RISK LEVEL: Low
> APPLICATION TYPE: Microsoft SQL Server
> CHECK NAME: Sample database not removed
> DESCRIPTION: Discovered a sample database that has not been removed.
> SUMMARY: Microsoft SQL Server has several sample databases which are used to demonstrate functionality and to test the server. It is recommended that you remove these databases on a production system.
--------------------------------------------------------------------------------
IP Address: 172.16.0.100 Port: 1433 Application: Microsoft SQL Server 2000 (MSSQLSERVER) Vulnerability Count: 2
--------------------------------------------------------------------------------
> RISK LEVEL: Low
> APPLICATION TYPE: Microsoft SQL Server
> CHECK NAME: SQL injection in sp_MSdropretry
> DESCRIPTION: master.dbo.sp_MSdropretry is susceptible to a SQL injection attack.
> SUMMARY: SQL injection is a vulnerability that allows unintended SQL code to be inserted into a query in order to change how the query works. In this case, the system stored procedure sp_MSdropretry is susceptible to SQL injection and can allow privileged users (or users who have gained privileges) the ability to write to system tables.
--------------------------------------------------------------------------------
IP Address: 172.16.0.100 Port: 1433 Application: Microsoft SQL Server 2000 (MSSQLSERVER) Vulnerability Count: 1
--------------------------------------------------------------------------------
> RISK LEVEL: Low
> APPLICATION TYPE: Microsoft SQL Server
> CHECK NAME: srv_paraminfo buffer overflow in sp_OACreate
> DESCRIPTION: This version of the database is known to be vulnerable to a buffer overflow in the extended stored procedure sp_OACreate.
> SUMMARY: The extended stored procedure sp_OACreate contains a buffer overflow that may allow an attacker to overwrite the stack and execute arbitrary code under the security context of the database. One of the parameters of the extended stored procedure sp_OACreate does not properly handle a long string.
--------------------------------------------------------------------------------
IP Address: 172.16.0.100 Port: 1433 Application: Microsoft SQL Server 2000 (MSSQLSERVER) Vulnerability Count: 1
--------------------------------------------------------------------------------
> RISK LEVEL: Low
> APPLICATION TYPE: Microsoft SQL Server
> CHECK NAME: srv_paraminfo buffer overflow in sp_OADestroy
> DESCRIPTION: This version of the database is known to be vulnerable to a buffer overflow in the extended stored procedure sp_OADestroy.
> SUMMARY: The extended stored procedure sp_OADestroy contains a buffer overflow that may allow an attacker to overwrite the stack and execute arbitrary code under the security context of the database. One of the parameters of the extended stored procedure sp_OADestroy does not properly handle a long string.
--------------------------------------------------------------------------------
IP Address: 172.16.0.100 Port: 1433 Application: Microsoft SQL Server 2000 (MSSQLSERVER) Vulnerability Count: 1
--------------------------------------------------------------------------------
> RISK LEVEL: Low
> APPLICATION TYPE: Microsoft SQL Server
> CHECK NAME: srv_paraminfo buffer overflow in sp_OAGetProperty
> DESCRIPTION: This version of the database is known to be vulnerable to a buffer overflow in the extended stored procedure sp_OAGetProperty.
> SUMMARY: The extended stored procedure sp_OAGetProperty contains a buffer overflow that may allow an attacker to overwrite the stack and execute arbitrary code under the security context of the database. One of the parameters of the extended stored procedure sp_OAGetProperty does not properly handle a long string.
--------------------------------------------------------------------------------
IP Address: 172.16.0.100 Port: 1433 Application: Microsoft SQL Server 2000 (MSSQLSERVER) Vulnerability Count: 1
--------------------------------------------------------------------------------
> RISK LEVEL: Low
> APPLICATION TYPE: Microsoft SQL Server
> CHECK NAME: srv_paraminfo buffer overflow in sp_OAMethod
> DESCRIPTION: This version of the database is known to be vulnerable to a buffer overflow in the extended stored procedure sp_OAMethod.
> SUMMARY: The extended stored procedure sp_OAMethod contains a buffer overflow that may allow an attacker to overwrite the stack and execute arbitrary code under the security context of the database. One of the parameters of the extended stored procedure sp_OAMethod does not properly handle a long string.
--------------------------------------------------------------------------------
IP Address: 172.16.0.100 Port: 1433 Application: Microsoft SQL Server 2000 (MSSQLSERVER) Vulnerability Count: 1
--------------------------------------------------------------------------------
> RISK LEVEL: Low
> APPLICATION TYPE: Microsoft SQL Server
> CHECK NAME: srv_paraminfo buffer overflow in sp_OASetProperty
> DESCRIPTION: This version of the database is known to be vulnerable to a buffer overflow in the extended stored procedure sp_OASetProperty.
> SUMMARY: The extended stored procedure sp_OASetProperty contains a buffer overflow that may allow an attacker to overwrite the stack and execute arbitrary code under the security context of the database. One of the parameters of the extended stored procedure sp_OASetProperty does not properly handle a long string.
--------------------------------------------------------------------------------
IP Address: 172.16.0.100 Port: 1433 Application: Microsoft SQL Server 2000 (MSSQLSERVER) Vulnerability Count: 1
--------------------------------------------------------------------------------
> RISK LEVEL: Low
> APPLICATION TYPE: Microsoft SQL Server
> CHECK NAME: srv_paraminfo buffer overflow in xp_sqlagent_monitor
> DESCRIPTION: This version of the database is known to be vulnerable to a buffer overflow in the extended stored procedure xp_sqlagent_monitor.
> SUMMARY: The extended stored procedure xp_sqlagent_monitor contains a buffer overflow that may allow an attacker to overwrite the stack and execute arbitrary code under the security context of the database. One of the parameters of the extended stored procedure xp_sqlagent_monitor does not properly handle a long string.
--------------------------------------------------------------------------------
IP Address: 172.16.0.100 Port: 1433 Application: Microsoft SQL Server 2000 (MSSQLSERVER) Vulnerability Count: 1
--------------------------------------------------------------------------------
> RISK LEVEL: Low
> APPLICATION TYPE: Microsoft SQL Server
> CHECK NAME: Standard SQL Server authentication allowed
> DESCRIPTION: The authentication mode has been configured to allow standard SQL Server logins.
> SUMMARY: SQL Server supports multiple methods of authenticating users, including standard SQL Server logins and Windows authentication. Microsoft strongly recommends using Windows authentication for improved security.
--------------------------------------------------------------------------------
IP Address: 172.16.0.100 Port: 1433 Application: Microsoft SQL Server 2000 (MSSQLSERVER) Vulnerability Count: 1
--------------------------------------------------------------------------------
> RISK LEVEL: Low
> APPLICATION TYPE: Microsoft SQL Server
> CHECK NAME: XMLHTTP control allows local file access
> DESCRIPTION: The version of the XMLHTTP control installed with SQL Server can be used by a malicious web site to gain access to local files.
> SUMMARY: Microsoft XML Core Services (MSXML), which includes the XMLHTTP ActiveX control, is installed along with Microsoft SQL Server. This control has been discovered to allow files on a client connected over HTTP to be read.
--------------------------------------------------------------------------------
IP Address: 172.16.0.100 Port: 1433 Application: Microsoft SQL Server 2000 (MSSQLSERVER) Vulnerability Count: 1
--------------------------------------------------------------------------------
> RISK LEVEL: Low
> APPLICATION TYPE: Microsoft SQL Server
> CHECK NAME: xp_cmdshell not removed
> DESCRIPTION: The xp_cmdshell extended stored procedure has not been removed from the database.
> SUMMARY: Microsoft SQL Server provides an extended stored procedure which allows operating system commands to be run from Transact-SQL as if at a command line prompt. If not configured properly, xp_cmdshell executes commands under the security context of the service account SQL Server runs under.
--------------------------------------------------------------------------------
IP Address: 172.16.0.100 Port: 1433 Application: Microsoft SQL Server 2000 (MSSQLSERVER) Vulnerability Count: 1
--------------------------------------------------------------------------------
> RISK LEVEL: Low
> APPLICATION TYPE: Microsoft SQL Server
> CHECK NAME: xp_controlqueueservice buffer overflow
> DESCRIPTION: The xp_controlqueueservice extended stored procedure has not been removed, nor has the appropriate hotfix been applied.
> SUMMARY: The extended stored procedure xp_controlqueueservice contains a buffer overflow that may allow an attacker to overwrite the stack and execute arbitrary code under the security context of the database. The first parameter of the extended stored procedure xp_controlqueueservice does not properly handle a long string.
--------------------------------------------------------------------------------
IP Address: 172.16.0.100 Port: 1433 Application: Microsoft SQL Server 2000 (MSSQLSERVER) Vulnerability Count: 1
--------------------------------------------------------------------------------
> RISK LEVEL: Low
> APPLICATION TYPE: Microsoft SQL Server
> CHECK NAME: xp_createprivatequeue buffer overflow
> DESCRIPTION: The xp_createprivatequeue extended stored procedure has not been removed, nor has the appropriate hotfix been applied.
> SUMMARY: The extended stored procedure xp_createprivatequeue contains a buffer overflow that may allow an attacker to overwrite the stack and execute arbitrary code under the security context of the database. The first parameter of the extended stored procedure xp_createprivatequeue does not properly handle a long string.
--------------------------------------------------------------------------------
IP Address: 172.16.0.100 Port: 1433 Application: Microsoft SQL Server 2000 (MSSQLSERVER) Vulnerability Count: 1
--------------------------------------------------------------------------------
> RISK LEVEL: Low
> APPLICATION TYPE: Microsoft SQL Server
> CHECK NAME: xp_createqueue buffer overflow
> DESCRIPTION: The xp_createqueue extended stored procedure has not been removed, nor has the appropriate hotfix been applied.
> SUMMARY: The extended stored procedure xp_createqueue contains a buffer overflow that may allow an attacker to overwrite the stack and execute arbitrary code under the security context of the database. The first parameter of the extended stored procedure xp_createqueue does not properly handle a long string.
--------------------------------------------------------------------------------
IP Address: 172.16.0.100 Port: 1433 Application: Microsoft SQL Server 2000 (MSSQLSERVER) Vulnerability Count: 1
--------------------------------------------------------------------------------
> RISK LEVEL: Low
> APPLICATION TYPE: Microsoft SQL Server
> CHECK NAME: xp_decodequeuecmd buffer overflow
> DESCRIPTION: The xp_decodequeuecmd extended stored procedure has not been removed, nor has the appropriate hotfix been applied.
> SUMMARY: The extended stored procedure xp_decodequeuecmd contains a buffer overflow that may allow an attacker to overwrite the stack and execute arbitrary code under the security context of the database. The first parameter of the extended stored procedure xp_decodequeuecmd does not properly handle a long string.
--------------------------------------------------------------------------------
IP Address: 172.16.0.100 Port: 1433 Application: Microsoft SQL Server 2000 (MSSQLSERVER) Vulnerability Count: 1
--------------------------------------------------------------------------------
> RISK LEVEL: Low
> APPLICATION TYPE: Microsoft SQL Server
> CHECK NAME: xp_deleteprivatequeue buffer overflow
> DESCRIPTION: The xp_deleteprivatequeue extended stored procedure has not been removed, nor has the appropriate hotfix been applied.
> SUMMARY: The extended stored procedure xp_deleteprivatequeue contains a buffer overflow that may allow an attacker to overwrite the stack and execute arbitrary code under the security context of the database. The first parameter of the extended stored procedure xp_deleteprivatequeue does not properly handle a long string.
--------------------------------------------------------------------------------
IP Address: 172.16.0.100 Port: 1433 Application: Microsoft SQL Server 2000 (MSSQLSERVER) Vulnerability Count: 1
--------------------------------------------------------------------------------
> RISK LEVEL: Low
> APPLICATION TYPE: Microsoft SQL Server
> CHECK NAME: xp_deletequeue buffer overflow
> DESCRIPTION: The xp_deletequeue extended stored procedure has not been removed, nor has the appropriate hotfix been applied.
> SUMMARY: The extended stored procedure xp_deletequeue contains a buffer overflow that may allow an attacker to overwrite the stack and execute arbitrary code under the security context of the database. The first parameter of the extended stored procedure xp_deletequeue does not properly handle a long string.
--------------------------------------------------------------------------------
IP Address: 172.16.0.100 Port: 1433 Application: Microsoft SQL Server 2000 (MSSQLSERVER) Vulnerability Count: 1
--------------------------------------------------------------------------------
> RISK LEVEL: Low
> APPLICATION TYPE: Microsoft SQL Server
> CHECK NAME: xp_displayqueuemesgs buffer overflow
> DESCRIPTION: The xp_displayqueuemesgs extended stored procedure has not been removed, nor has the appropriate hotfix been applied.
> SUMMARY: The extended stored procedure xp_displayqueuemesgs contains a buffer overflow that may allow an attacker to overwrite the stack and execute arbitrary code under the security context of the database. The first parameter of the extended stored procedure xp_displayqueuemesgs does not properly handle a long string.
--------------------------------------------------------------------------------
IP Address: 172.16.0.100 Port: 1433 Application: Microsoft SQL Server 2000 (MSSQLSERVER) Vulnerability Count: 1
--------------------------------------------------------------------------------
> RISK LEVEL: Low
> APPLICATION TYPE: Microsoft SQL Server
> CHECK NAME: xp_oledbinfo buffer overflow
> DESCRIPTION: The xp_oledbinfo extended stored procedure has not been removed, nor has the appropriate hotfix been applied.
> SUMMARY: The extended stored procedure xp_oledbinfo contains a buffer overflow that may allow an attacker to overwrite the stack and execute arbitrary code under the security context of the database. The first parameter of the extended stored procedure xp_oledbinfo does not properly handle a long string.
--------------------------------------------------------------------------------
IP Address: 172.16.0.100 Port: 1433 Application: Microsoft SQL Server 2000 (MSSQLSERVER) Vulnerability Count: 1
--------------------------------------------------------------------------------
> RISK LEVEL: Low
> APPLICATION TYPE: Microsoft SQL Server
> CHECK NAME: xp_readpkfromqueue buffer overflow
> DESCRIPTION: The xp_readpkfromqueue extended stored procedure has not been removed, nor has the appropriate hotfix been applied.
> SUMMARY: The extended stored procedure xp_readpkfromqueue contains a buffer overflow that may allow an attacker to overwrite the stack and execute arbitrary code under the security context of the database. The first parameter of the extended stored procedure xp_readpkfromqueue does not properly handle a long string.
--------------------------------------------------------------------------------
IP Address: 172.16.0.100 Port: 1433 Application: Microsoft SQL Server 2000 (MSSQLSERVER) Vulnerability Count: 1
--------------------------------------------------------------------------------
> RISK LEVEL: Low
> APPLICATION TYPE: Microsoft SQL Server
> CHECK NAME: xp_readpkfromvarbin buffer overflow
> DESCRIPTION: The xp_readpkfromvarbin extended stored procedure has not been removed, nor has the appropriate hotfix been applied.
> SUMMARY: The extended stored procedure xp_readpkfromvarbin contains a buffer overflow that may allow an attacker to overwrite the stack and execute arbitrary code under the security context of the database. The first parameter of the extended stored procedure xp_readpkfromvarbin does not properly handle a long string.
--------------------------------------------------------------------------------
IP Address: 172.16.0.100 Port: 1433 Application: Microsoft SQL Server 2000 (MSSQLSERVER) Vulnerability Count: 1
--------------------------------------------------------------------------------
> RISK LEVEL: Low
> APPLICATION TYPE: Microsoft SQL Server
> CHECK NAME: xp_repl_encrypt buffer overflow
> DESCRIPTION: The xp_repl_encrypt extended stored procedure has not been removed, nor has the appropriate hotfix been applied.
> SUMMARY: The extended stored procedure xp_repl_encrypt contains a buffer overflow that may allow an attacker to overwrite the stack and execute arbitrary code under the security context of the database. The first parameter of the extended stored procedure xp_repl_encrypt does not properly handle a long string.
--------------------------------------------------------------------------------
IP Address: 172.16.0.100 Port: 1433 Application: Microsoft SQL Server 2000 (MSSQLSERVER) Vulnerability Count: 1
--------------------------------------------------------------------------------
> RISK LEVEL: Low
> APPLICATION TYPE: Microsoft SQL Server
> CHECK NAME: xp_resetqueue buffer overflow
> DESCRIPTION: The xp_resetqueue extended stored procedure has not been removed, nor has the appropriate hotfix been applied.
> SUMMARY: The extended stored procedure xp_resetqueue contains a buffer overflow that may allow an attacker to overwrite the stack and execute arbitrary code under the security context of the database. The first parameter of the extended stored procedure xp_resetqueue does not properly handle a long string.
--------------------------------------------------------------------------------
IP Address: 172.16.0.100 Port: 1433 Application: Microsoft SQL Server 2000 (MSSQLSERVER) Vulnerability Count: 1
--------------------------------------------------------------------------------
> RISK LEVEL: Low
> APPLICATION TYPE: Microsoft SQL Server
> CHECK NAME: xp_sqlagent_param buffer overflow
> DESCRIPTION: The xp_sqlagent_param extended stored procedure has not been removed, nor has the appropriate hotfix been applied.
> SUMMARY: The extended stored procedure xp_sqlagent_param contains a buffer overflow that may allow an attacker to overwrite the stack and execute arbitrary code under the security context of the database. The first parameter of the extended stored procedure xp_sqlagent_param does not properly handle a long string.
--------------------------------------------------------------------------------
IP Address: 172.16.0.100 Port: 1433 Application: Microsoft SQL Server 2000 (MSSQLSERVER) Vulnerability Count: 1
--------------------------------------------------------------------------------
> RISK LEVEL: Low
> APPLICATION TYPE: Microsoft SQL Server
> CHECK NAME: xp_unpackcab buffer overflow
> DESCRIPTION: The xp_unpackcab extended stored procedure has not been removed, nor has the appropriate hotfix been applied.
> SUMMARY: The extended stored procedure xp_unpackcab contains a buffer overflow that may allow an attacker to overwrite the stack and execute arbitrary code under the security context of the database. The first parameter of the extended stored procedure xp_unpackcab does not properly handle a long string.
--------------------------------------------------------------------------------
IP Address: 172.16.0.100 Port: 1433 Application: Microsoft SQL Server 2000 (MSSQLSERVER) Vulnerability Count: 1
--------------------------------------------------------------------------------
> RISK LEVEL: Low
> APPLICATION TYPE: MySQL
> CHECK NAME: COM_TABLE_DUMP memory corruption
> DESCRIPTION: This version of MySQL contains an error in the COM_TABLE_DUMP function which could result in a denial of service condition.
> SUMMARY: An error in the COM_TABLE_DUMP function in the MySQL database can be exploited by a valid user to create a denial of service against the database. This error is the result of casting unsigned values to signed variables.
--------------------------------------------------------------------------------
IP Address: 172.16.0.233 Port: 3306 Application: MySQL 3.23 Database Vulnerability Count: 1
--------------------------------------------------------------------------------
> RISK LEVEL: Low
> APPLICATION TYPE: MySQL
> CHECK NAME: Double free heap corruption
> DESCRIPTION: This version of MySQL contains a DoS condition in the mysql_change_user function.
> SUMMARY: An error in the mysql_change_user function in the MySQL database can be exploited by a valid user to crash the database server. This error is the result of a pointer being freed twice.
--------------------------------------------------------------------------------
IP Address: 172.16.0.233 Port: 3306 Application: MySQL 3.23 Database Vulnerability Count: 1
--------------------------------------------------------------------------------
> RISK LEVEL: Informational
> APPLICATION TYPE: IBM DB2
> CHECK NAME: Authentication type
> DESCRIPTION: Discovered the authentication type configured for the instance.
> SUMMARY: The authentication type defines how authentication occurs between the client and the server. It is important to select an authentication type that is secure.
The method to use can be specified with the AUTHENTICATION parameter in the database manager configuration file.
--------------------------------------------------------------------------------
IP Address: 172.16.0.64 Port: 50000 Application: DB2 6.1 (db2inst2:SAMPLE) Vulnerability Count: 1
--------------------------------------------------------------------------------
> RISK LEVEL: Informational
> APPLICATION TYPE: Microsoft SQL Server
> CHECK NAME: Statement permission granted
> DESCRIPTION: Found a statement permission granted to a user or group other than dbo.
> SUMMARY: Microsoft SQL Server contains a number of statement permissions that can be granted. These statement privileges are sensitive and should not be granted trivially.
--------------------------------------------------------------------------------
IP Address: 172.16.0.100 Port: 1433 Application: Microsoft SQL Server 2000 (MSSQLSERVER) Vulnerability Count: 6
--------------------------------------------------------------------------------
> RISK LEVEL: Informational
> APPLICATION TYPE: Microsoft SQL Server
> CHECK NAME: sysadmin role granted
> DESCRIPTION: A non-standard login has been granted the sysadmin role.
> SUMMARY: Roles are used by SQL Server to group together object and statement permissions. By grouping them together, they can be granted to and revoked from users and logins more efficiently. People granted the sysadmin role can perform any activity in SQL Server. You should review the logins granted this role and verify that only database administrators have been granted the role.
--------------------------------------------------------------------------------
IP Address: 172.16.0.100 Port: 1433 Application: Microsoft SQL Server 2000 (MSSQLSERVER) Vulnerability Count: 1
--------------------------------------------------------------------------------
Powered by Application Security, Inc.