SEC-1 LTD. www.sec-1.com
Security Advisory

Advisory Name: RSA SecurID Web Agent Heap Overflow
Release Date: 06-05-2005
Application: RSA SecurID Web Agent 5
             RSA SecurID Web Agent 5.2
             RSA SecurID Web Agent 5.3
Platform: Windows 2000 / IIS
Severity: Remote Code Execution
Author: Gary O'leary-Steele
Reported: See time line section below
Vendor status: See vendor statement in vendor response below
CVE Candidate: CAN-2005-XXXX Requested
Reference: http://www.sec-1.com/

Overview:
RSA SecurID(R) is a popular strong authentication package deployed using a variety of hardware or software authentication tokens. RSA SecurID(R) two-factor authentication is based on something you know (a password or PIN) and something you have (an authenticator), providing a much more reliable level of user authentication than reusable passwords.

Details:
Sec-1 has identified an exploitable heap overflow within the Web Agent which could be used to execute code with LocalSystem privileges. Using the chunked-encoding mechanism to send a large "chunk" of data, it is possible to overwrite critical portions of the heap, which could lead to remote code execution or a denial of service condition. Sec-1 were able to exploit this vulnerability to gain remote access to a Windows IIS installation (Windows 2000 SP4 + all current MS patches) with the RSA SecurID Web Agent installed. A proof of concept exploit has been provided to RSA.

Exploit Availability:
Sec-1 do not release exploit code to the general public. Attendees of the Sec-1 Applied Hacking & Intrusion Prevention course will receive a copy of this exploit as part of the Sec-1 Exploit Arsenal. Requests for a working exploit will only be considered from professional IT Security Companies.

Time Line:
29-02-2004 - Directly contacted RSA via all public addresses; worked with another security consultancy in an attempt to contact the RSA product security team.
04-2005 - RSA contacted via telephone
15-04-2005 - NISCC informed (http://www.niscc.gov.uk/)
18-04-2005 - Reverse shell proof of concept sent to RSA for v5.2 of product
18-04-2005 - RSA send version 5.3 of product for testing
19-05-2005 - Initial proof of concept sent to RSA for v5.3 of product
21-04-2005 - RSA confirm crash within product
22-04-2005 - Reliable reverse shell proof of concept sent to RSA for v5.3 of product
25-04-2005 - RSA send patch for testing
05-05-2005 - RSA release patch
06-05-2005 - Disclosure

Vendor Status: Fix Available

Vendor Response:
RSA have made a patch available for this vulnerability. To get this new patch and documentation, log on to RSA SecurCare Online at https://knowledge.rsasecurity.com and click "Downloads" in the left navigation menu. Then click "Fixes by Product", click "RSA SecurID", then "Authentication Agent 5.x", and select the downloads and documentation that pertain to your environment.

Special Thanks:
Sec-1 Ltd would like to thank Ollie Whitehouse and Brett Moore for their assistance in reporting this issue.

Common Vulnerabilities and Exposures (CVE) Information:
The Common Vulnerabilities and Exposures (CVE) project has assigned the following names to these issues. These are candidates for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems.
CAN-2005-XXXX Requested

Copyright 2005 Sec-1 LTD. All rights reserved.

NEW: Sec-1 Hacking Training - Learn to breach network security to further your knowledge and protect your network
http://www.sec-1.com/applied_hacking_course.html
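The Details section above describes a chunked-encoding request whose declared chunk size is trusted when heap space is reserved. The following is an added example, written for this page and not code from RSA or Sec-1, of the check a request-parsing component should make on the chunk-size line before allocating or copying; the 64 KiB limit, the function names and the sample body are constructed for illustration.

```c
#include <ctype.h>
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Largest single chunk this component is willing to buffer (constructed limit). */
#define MAX_CHUNK_BYTES (64u * 1024u)

enum chunk_status { CHUNK_OK = 0, CHUNK_MALFORMED = 1, CHUNK_TOO_LARGE = 2 };

/* Parse one chunk-size line ("1a3f" or "1a3f;ext=1\r\n") into *out. Rejects
 * missing digits, size_t wrap-around while accumulating hex digits, and any
 * declared size above MAX_CHUNK_BYTES, so no heap reservation is ever sized
 * directly from the client-controlled value. */
enum chunk_status parse_chunk_size(const char *line, size_t *out)
{
    size_t value = 0;
    int digits = 0;
    const char *p = line;
    for (; isxdigit((unsigned char)*p); p++, digits++) {
        unsigned c = (unsigned char)*p;
        unsigned d = isdigit(c) ? c - '0' : (unsigned)(tolower(c) - 'a' + 10);
        if (value > (SIZE_MAX - d) / 16)   /* value * 16 + d would wrap */
            return CHUNK_MALFORMED;
        value = value * 16 + d;
    }
    if (digits == 0)
        return CHUNK_MALFORMED;
    /* Only a chunk extension or the line terminator may follow the digits. */
    if (*p != '\0' && *p != ';' && *p != '\r' && *p != '\n')
        return CHUNK_MALFORMED;
    if (value > MAX_CHUNK_BYTES)
        return CHUNK_TOO_LARGE;
    *out = value;
    return CHUNK_OK;
}

/* Copy one chunk's payload from a chunked body into a caller-owned buffer of
 * dstlen bytes. Returns bytes copied, or 0 when the size line is rejected,
 * the declared size exceeds dstlen, or the body is shorter than it claims. */
size_t copy_chunk(const char *body, size_t bodylen, char *dst, size_t dstlen)
{
    size_t size;
    const char *eol = memchr(body, '\n', bodylen);
    if (eol == NULL || parse_chunk_size(body, &size) != CHUNK_OK)
        return 0;
    const char *data = eol + 1;
    size_t remaining = bodylen - (size_t)(data - body);
    if (size == 0 || size > dstlen || size > remaining)
        return 0;
    memcpy(dst, data, size);
    return size;
}
```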