[VulnWatch] [SEC-1 LTD] RSA SecurID Web Agent Heap Overflow

From: Gary O'leary-Steele (garyo@sec-1.com)
Date: Fri May 06 2005 - 04:24:02 PDT


                           SEC-1 LTD.                                       
                         www.sec-1.com

                       Security Advisory

Advisory Name: RSA SecurID Web Agent Heap Overflow
 Release Date: 06-05-2005
  Application: RSA SecurID Web Agent 5 
               RSA SecurID Web Agent 5.2
               RSA SecurID web Agent 5.3
     Platform: Windows 2000 / IIS
     Severity: Remote Code Execution 
       Author: Gary O'leary-Steele 
     Reported: See time line section below
Vendor status: See vendor statement in vendor response below
CVE Candidate: CAN-2005-XXXX  Requested
    Reference: http://www.sec-1.com/


Overview: 

RSA SecurID(R) is a popular strong authentication package deployed using a
number of variety of hardware or software authentication tokens.

RSA SecurID(R) two-factor authentication is based on something you know (a
password or PIN), and something you have (an authenticator) - providing a
much more reliable level of user authentication than reusable password. 


Details: 

Sec-1 has identified a exploitable Heap Overflow within the Web Agent which
could be used to execute code with LocalSystem privileges. Using the
chunked-encoding mechanism to send a large "chunk" of data it is possible to
overwrite critical portions of the heap which could lead to remote code
execution or a denial of service condition. Sec-1 were able to exploit this
vulnerability to gain remote access to a Windows IIS installation (Windows
2000
SP4 + all current MS Patches) with the RSA SecurID web agent installed. 

A proof of concept exploit has been provided to RSA.


Exploit Availability:

Sec-1 do not release exploit code to the general public. Attendees of the
Sec-1 Applied Hacking & Intrusion prevention course will receive a copy of
this exploit as part of the Sec-1 Exploit Arsenal. Requests for a working
exploit will only be considered from professional IT Security Companies.

Time Line:

29-02-2004  - Directly contacted RSA via all public addresses,
              worked with another security consultancy in attempt to contact

              RSA product security team.
   04-2005  - RSA contacted via telephone
15-04-2005  - NISCC informed (http://www.niscc.gov.uk/)
18-04-2005  - Reverse shell proof of concept sent to RSA for v5.2 of product
18-04-2005  - RSA send version 5.3 of product of testing
19-05-2005  - Initial proof of concept sent to RSA for v5.3 of product
21-04-2005  - RSA confirm crash within product
22-04-2005  - Reliable reverse shell proof of concept sent to RSA for v5.3
of 
              product
25-04-2005  - RSA send patch for testing
05-05-2005  - RSA release patch
06-05-2005  - Disclosure

Vendor Status: Fix Available

Vendor Response:

RSA have made a patch available for this vulnerability:

To get this new patch and documentation, log on to RSA SecurCare Online at
https://knowledge.rsasecurity.com and click "Downloads" in the left
navigation menu. Then, click "Fixes by Product", click "RSA SecurID", and
"Authentication Agent 5.x", and select the downloads and documentation that
pertain to your environment.

Special Thanks:

Sec-1 Ltd would like to thank Ollie Whitehouse and Brett Moore for their
assistance in reporting this issue

Common Vulnerabilities and Exposures (CVE) Information:

The Common Vulnerabilities and Exposures (CVE) project has assigned 
the following names to these issues.  These are candidates for 
inclusion in the CVE list (http://cve.mitre.org), which standardizes 
names for security problems.


  CAN-2005-XXXX  Requested


Copyright 2005 Sec-1 LTD. All rights reserved.


******************************************************************************************************************************************************************
NEW: Sec-1 Hacking Training - Learn to breach network security to further your knowledge and protect your network http://www.sec-1.com/applied_hacking_course.html
******************************************************************************************************************************************************************



This archive was generated by hypermail 2.1.3 : Fri May 06 2005 - 15:03:00 PDT