Signature Detail

SCAN: Core Impact SQL Server HELLO Exploit

This signature detects the CORE Impact penetration testing tool using the MS-SQL Server Hello exploit against your network (this exploit is also detected by the signature attack object HIGH:DB:MS-SQL:SERVER-HELLO-OF). Because CORE Impact can chain one infected computer to another, other machines in the network might already be compromised. CORE Impact can be used legitimately to perform a network security audit of your network. However, if a network security audit is not in progress, detecting this testing tool can indicate that a malicious attacker is using the CORE Impact tool to compromise your network.

Extended Description

A vulnerability has been discovered in Microsoft SQL Server that could make it possible for remote attackers to gain access to target hosts. It is possible for an attacker to cause a buffer overflow condition on the vulnerable SQL server with a malformed login request. This may allow a remote attacker to execute arbitrary code as the SQL Server process. This vulnerability reportedly occurs even before authentication can proceed.

Affected Products

• Microsoft Data Engine 2000
• Microsoft SQL Server 2000 SP1
• Microsoft SQL Server 2000 SP2
• Microsoft SQL Server 2000

References

• BugTraq: 5411
• CVE: CVE-2002-1123