VID 25008
Severity 40
Port 1433
Protocol TCP
Class DB
Detailed Description The extended stored procedure xp_cmdshell allows a user to submit operating system commands to Microsoft SQL Server, which runs them as if they had been typed at a command prompt.
Although Microsoft recommends that the password for the "sa" account be set at installation, many servers are not properly secured. Any Microsoft SQL Server installation may be vulnerable if it is installed with a missing or weak "sa" account password. Once a vulnerable server has been discovered, a remote attacker can use the MS-SQL extended stored procedure "xp_cmdshell" to execute arbitrary commands.
Worms such as Spida and CBlade attempt to locate Microsoft SQL servers and log in with the "sa" account and a blank password. Once a vulnerable computer is found, the worm infects that target, sends its configuration and password information to an external host, and begins scanning for new targets.

* References:
http://support.microsoft.com/default.aspx?scid=kb;EN-US;q322336
http://www.iss.net/security_center/static/7610.php
http://www.iss.net/security_center/static/9124.php
http://www.iss.net/security_center/alerts/advise118.php
http://www.kb.cert.org/vuls/id/635463
http://www.securiteam.com/windowsntfocus/5BP0L1P7PA.html
http://www.securiteam.com/tools/5GP081P75C.html
http://www.securiteam.com/windowsntfocus/5WP0N0K75U.html

* Platforms Affected:
Microsoft SQL Server Any version
Microsoft Data Engine (MSDE) Any version
Recommendation If the 'sa' account has a blank password, configure a password that is difficult to guess. You can use the sp_password stored procedure from the SQL query window to set one. For example, to change the sa password from NULL to "complexpwd", use code similar to:

exec sp_password NULL,'complexpwd','sa'

-- AND --

Examine the commands executed through xp_cmdshell in the Trace file. Configure the server so that only the sa account (sysadmin role) can execute xp_cmdshell, or remove the procedure entirely.
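The following T-SQL script is an added example, not part of the original advisory. It carries out the recommendation on a SQL Server 2000 / MSDE instance: set the sa password, audit who can execute xp_cmdshell, revoke over-broad grants, and optionally unregister the procedure. 'complexpwd' is a placeholder password and 'public' is assumed to be the over-granted principal; adjust both to what sp_helprotect shows on your server.

```sql
-- Added example (not from the original advisory). Run as a sysadmin from
-- Query Analyzer or osql against a SQL Server 2000 / MSDE instance.
USE master
GO

-- 1. Give the 'sa' login a password. sp_password takes (old, new, login);
--    the old password is NULL while the account has none.
--    'complexpwd' is a placeholder: choose a real, strong password.
EXEC sp_password NULL, 'complexpwd', 'sa'
GO

-- 2. Audit who may currently execute xp_cmdshell. By default only members of
--    sysadmin can; explicit grants to 'public' or to individual logins are the
--    misconfiguration that lets a low-privileged login run OS commands.
EXEC sp_helprotect 'xp_cmdshell'
GO

-- 3. Revoke any explicit grant so that only sysadmin members can execute it.
--    Assumption: 'public' is the over-granted principal; repeat the REVOKE for
--    every other login or role that step 2 listed.
REVOKE EXECUTE ON xp_cmdshell FROM public
GO

-- 4. Or remove the extended stored procedure entirely, as the advisory allows.
--    sp_dropextendedproc only unregisters it; the DLL stays on disk, so a
--    sysadmin could register it again with sp_addextendedproc. Keep that in
--    mind when reviewing trace data for unexpected re-registration.
EXEC sp_dropextendedproc 'xp_cmdshell'
GO

-- 5. Confirm the procedure is no longer registered (xtype 'X' = extended proc).
--    Expected result after step 4: no rows.
SELECT name FROM sysobjects WHERE name = 'xp_cmdshell' AND xtype = 'X'
GO
```

Steps 3 and 4 are alternatives; on a server where administrative jobs legitimately depend on xp_cmdshell, stop after step 3 and review the trace file for its use.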