[SEC-1 LTD] RSA SecurID Web Agent Heap Overflow

From: Gary O'leary-Steele (garyo_at_SEC-1.COM)
Date: 05/06/05

  • Next message: Arley Barros Leal: "Re: MS05-019 Breaks VPN"
    Date:         Fri, 6 May 2005 09:58:03 +0100

                               SEC-1 LTD.

                           Security Advisory

    Advisory Name: RSA SecurID Web Agent Heap Overflow
     Release Date: 06-05-2005
      Application: RSA SecurID Web Agent 5
                   RSA SecurID Web Agent 5.2
                   RSA SecurID web Agent 5.3
         Platform: Windows 2000 / IIS
         Severity: Remote Code Execution
           Author: Gary O'leary-Steele
         Reported: See time line section below
    Vendor status: See vendor statement in vendor response below
    CVE Candidate: CAN-2005-XXXX Requested
        Reference: http://www.sec-1.com/


    RSA SecurID(R) is a popular strong authentication package deployed using a
    number of variety of hardware or software authentication tokens.

    RSA SecurID(R) two-factor authentication is based on something you know (a
    password or PIN), and something you have (an authenticator) - providing a
    much more reliable level of user authentication than reusable password.


    Sec-1 has identified a exploitable Heap Overflow within the Web Agent which
    could be used to execute code with LocalSystem privileges. Using the
    chunked-encoding mechanism to send a large "chunk" of data it is possible to
    overwrite critical portions of the heap which could lead to remote code
    execution or a denial of service condition. Sec-1 were able to exploit this
    vulnerability to gain remote access to a Windows IIS installation (Windows
    SP4 + all current MS Patches) with the RSA SecurID web agent installed.

    A proof of concept exploit has been provided to RSA.

    Exploit Availability:

    Sec-1 do not release exploit code to the general public. Attendees of the
    Sec-1 Applied Hacking & Intrusion prevention course will recieve a copy of
    this exploit as part of the Sec-1 Exploit Arsenal. Requests for a working
    exploit will only be considered from professional IT Security Companies.

    Time Line:

    29-02-2004 - Directly contacted RSA via all publc addresses,
                  worked with another securty consultancy in attempt to contact
                  RSA product security team.
       04-2005 - RSA contacted via telephone
    15-04-2005 - NISCC informed (http://www.niscc.gov.uk/)
    18-04-2005 - Reverse shell proof of concept sent to RSA for v5.2 of product
    18-04-2005 - RSA send version 5.3 of product of testing
    19-05-2005 - Initial proof of concept sent to RSA for v5.3 of product
    21-04-2005 - RSA confirm crash within product
    22-04-2005 - Reliable reverse shell proof of concept sent to RSA for v5.3
    25-04-2005 - RSA send patch for testing
    05-05-2005 - RSA release patch
    06-05-2005 - Disclosure

    Vendor Status: Fix Available

    Vendor Response:

    RSA have made a patch availible for this vulnerability:

    To get this new patch and documentation, log on to RSA SecurCare Online at
    https://knowledge.rsasecurity.com and click "Downloads" in the left
    navigation menu. Then, click "Fixes by Product", click "RSA SecurID", and
    "Authentication Agent 5.x", and select the downloads and documentation that
    pertain to your environment.

    Special Thanks:

    Sec-1 Ltd would like to thank Ollie Whitehouse and Brett Moore for their
    assisance in reporting this issue

    Common Vulnerabilities and Exposures (CVE) Information:

    The Common Vulnerabilities and Exposures (CVE) project has assigned
    the following names to these issues. These are candidates for
    inclusion in the CVE list (http://cve.mitre.org), which standardizes
    names for security problems.

      CAN-2005-XXXX Requested

    Copyright 2005 Sec-1 LTD. All rights reserved.

    NEW: Sec-1 Hacking Training - Learn to breach network security to further your knowledge and protect your network http://www.sec-1.com/applied_hacking_course.html

    NTBugtraq Editor's Note:
    Most viruses these days use spoofed email addresses. As such, using an Anti-Virus product which automatically notifies the perceived sender of a message it believes is infected may well cause more harm than good. Someone who did not actually send you a virus may receive the notification and scramble their support staff to find an infection which never existed in the first place. Suggest such notifications be disabled by whomever is responsible for your AV, or at least that the idea is considered.

  • Next message: Arley Barros Leal: "Re: MS05-019 Breaks VPN"