Gary O'leary-Steele
2005-05-06 08:58:03 UTC
SEC-1 LTD.
www.sec-1.com
Security Advisory
Advisory Name: RSA SecurID Web Agent Heap Overflow
Release Date: 06-05-2005
Application: RSA SecurID Web Agent 5
RSA SecurID Web Agent 5.2
RSA SecurID web Agent 5.3
Platform: Windows 2000 / IIS
Severity: Remote Code Execution
Author: Gary O'leary-Steele
Reported: See time line section below
Vendor status: See vendor statement in vendor response below
CVE Candidate: CAN-2005-XXXX Requested
Reference: http://www.sec-1.com/
Overview:
RSA SecurID(R) is a popular strong authentication package deployed using a
number of variety of hardware or software authentication tokens.
RSA SecurID(R) two-factor authentication is based on something you know (a
password or PIN), and something you have (an authenticator) - providing a
much more reliable level of user authentication than reusable password.
Details:
Sec-1 has identified a exploitable Heap Overflow within the Web Agent which
could be used to execute code with LocalSystem privileges. Using the
chunked-encoding mechanism to send a large "chunk" of data it is possible to
overwrite critical portions of the heap which could lead to remote code
execution or a denial of service condition. Sec-1 were able to exploit this
vulnerability to gain remote access to a Windows IIS installation (Windows
2000
SP4 + all current MS Patches) with the RSA SecurID web agent installed.
A proof of concept exploit has been provided to RSA.
Exploit Availability:
Sec-1 do not release exploit code to the general public. Attendees of the
Sec-1 Applied Hacking & Intrusion prevention course will recieve a copy of
this exploit as part of the Sec-1 Exploit Arsenal. Requests for a working
exploit will only be considered from professional IT Security Companies.
Time Line:
29-02-2004 - Directly contacted RSA via all publc addresses,
worked with another securty consultancy in attempt to contact
RSA product security team.
04-2005 - RSA contacted via telephone
15-04-2005 - NISCC informed (http://www.niscc.gov.uk/)
18-04-2005 - Reverse shell proof of concept sent to RSA for v5.2 of product
18-04-2005 - RSA send version 5.3 of product of testing
19-05-2005 - Initial proof of concept sent to RSA for v5.3 of product
21-04-2005 - RSA confirm crash within product
22-04-2005 - Reliable reverse shell proof of concept sent to RSA for v5.3
of
product
25-04-2005 - RSA send patch for testing
05-05-2005 - RSA release patch
06-05-2005 - Disclosure
Vendor Status: Fix Available
Vendor Response:
RSA have made a patch availible for this vulnerability:
To get this new patch and documentation, log on to RSA SecurCare Online at
https://knowledge.rsasecurity.com and click "Downloads" in the left
navigation menu. Then, click "Fixes by Product", click "RSA SecurID", and
"Authentication Agent 5.x", and select the downloads and documentation that
pertain to your environment.
Special Thanks:
Sec-1 Ltd would like to thank Ollie Whitehouse and Brett Moore for their
assisance in reporting this issue
Common Vulnerabilities and Exposures (CVE) Information:
The Common Vulnerabilities and Exposures (CVE) project has assigned
the following names to these issues. These are candidates for
inclusion in the CVE list (http://cve.mitre.org), which standardizes
names for security problems.
CAN-2005-XXXX Requested
Copyright 2005 Sec-1 LTD. All rights reserved.
******************************************************************************************************************************************************************
NEW: Sec-1 Hacking Training - Learn to breach network security to further your knowledge and protect your network http://www.sec-1.com/applied_hacking_course.html
******************************************************************************************************************************************************************
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
www.sec-1.com
Security Advisory
Advisory Name: RSA SecurID Web Agent Heap Overflow
Release Date: 06-05-2005
Application: RSA SecurID Web Agent 5
RSA SecurID Web Agent 5.2
RSA SecurID web Agent 5.3
Platform: Windows 2000 / IIS
Severity: Remote Code Execution
Author: Gary O'leary-Steele
Reported: See time line section below
Vendor status: See vendor statement in vendor response below
CVE Candidate: CAN-2005-XXXX Requested
Reference: http://www.sec-1.com/
Overview:
RSA SecurID(R) is a popular strong authentication package deployed using a
number of variety of hardware or software authentication tokens.
RSA SecurID(R) two-factor authentication is based on something you know (a
password or PIN), and something you have (an authenticator) - providing a
much more reliable level of user authentication than reusable password.
Details:
Sec-1 has identified a exploitable Heap Overflow within the Web Agent which
could be used to execute code with LocalSystem privileges. Using the
chunked-encoding mechanism to send a large "chunk" of data it is possible to
overwrite critical portions of the heap which could lead to remote code
execution or a denial of service condition. Sec-1 were able to exploit this
vulnerability to gain remote access to a Windows IIS installation (Windows
2000
SP4 + all current MS Patches) with the RSA SecurID web agent installed.
A proof of concept exploit has been provided to RSA.
Exploit Availability:
Sec-1 do not release exploit code to the general public. Attendees of the
Sec-1 Applied Hacking & Intrusion prevention course will recieve a copy of
this exploit as part of the Sec-1 Exploit Arsenal. Requests for a working
exploit will only be considered from professional IT Security Companies.
Time Line:
29-02-2004 - Directly contacted RSA via all publc addresses,
worked with another securty consultancy in attempt to contact
RSA product security team.
04-2005 - RSA contacted via telephone
15-04-2005 - NISCC informed (http://www.niscc.gov.uk/)
18-04-2005 - Reverse shell proof of concept sent to RSA for v5.2 of product
18-04-2005 - RSA send version 5.3 of product of testing
19-05-2005 - Initial proof of concept sent to RSA for v5.3 of product
21-04-2005 - RSA confirm crash within product
22-04-2005 - Reliable reverse shell proof of concept sent to RSA for v5.3
of
product
25-04-2005 - RSA send patch for testing
05-05-2005 - RSA release patch
06-05-2005 - Disclosure
Vendor Status: Fix Available
Vendor Response:
RSA have made a patch availible for this vulnerability:
To get this new patch and documentation, log on to RSA SecurCare Online at
https://knowledge.rsasecurity.com and click "Downloads" in the left
navigation menu. Then, click "Fixes by Product", click "RSA SecurID", and
"Authentication Agent 5.x", and select the downloads and documentation that
pertain to your environment.
Special Thanks:
Sec-1 Ltd would like to thank Ollie Whitehouse and Brett Moore for their
assisance in reporting this issue
Common Vulnerabilities and Exposures (CVE) Information:
The Common Vulnerabilities and Exposures (CVE) project has assigned
the following names to these issues. These are candidates for
inclusion in the CVE list (http://cve.mitre.org), which standardizes
names for security problems.
CAN-2005-XXXX Requested
Copyright 2005 Sec-1 LTD. All rights reserved.
******************************************************************************************************************************************************************
NEW: Sec-1 Hacking Training - Learn to breach network security to further your knowledge and protect your network http://www.sec-1.com/applied_hacking_course.html
******************************************************************************************************************************************************************
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/