Security

  • RSA SecurID Web Agent Heap Overflow


    SEC-1 LTD.
    www.sec-1.com
    Security Advisory
    Advisory Name: RSA SecurID Web Agent Heap Overflow
    Release Date: 06-05-2005
    Application: RSA SecurID Web Agent 5
    RSA SecurID Web Agent 5.2
    RSA SecurID Web Agent 5.3
    Platform: Windows 2000 / IIS
    Severity: Remote Code Execution
    Author: Gary 'leary-Steele
    Reported: See time line section below
    Vendor status: See vendor statement in vendor response below
    CVE Candidate: CAN-2005-XXXX Requested
    Reference: http://www.sec-1.com/
    :
    RSA SecurID(R) is a popular strong authentication package deployed using a
    variety of hardware or software authentication tokens.
    RSA SecurID(R) two-factor authentication is based on something you know (a
    password or PIN), and something you have (an authenticator), providing a
    much more reliable level of user authentication than reusable passwords.
    Details:
    Sec-1 has identified an exploitable heap overflow within the Web Agent which
    could be used to execute code with LocalSystem privileges. Using the
    chunked-encoding mechanism to send a large "chunk" of data, it is possible to
    overwrite critical portions of the heap, which could lead to remote code
    execution or a denial of service condition. Sec-1 were able to exploit this
    vulnerability to gain remote access to a Windows IIS installation (Windows
    2000 SP4 + all current MS Patches) with the RSA SecurID web agent installed.
    A proof of concept exploit has been provided to RSA.
    Exploit Availability:
    Sec-1 do not release exploit code to the general public. Attendees of the
    Sec-1 Applied Hacking & Intrusion prevention course will receive a copy of
    this exploit as part of the Sec-1 Exploit Arsenal. Requests for a working
    exploit will only be considered from professional IT Security Companies.
    Time Line:
    29-02-2004 - Directly contacted RSA via all public addresses,
    worked with another security consultancy in attempt to contact
    RSA product security team.
    04-2005 - RSA contacted via telephone
    15-04-2005 - NISCC informed (http://www.niscc.gov.uk/)
    18-04-2005 - Reverse shell proof of concept sent to RSA for v5.2 of product
    18-04-2005 - RSA send version 5.3 of product for testing
    19-05-2005 - Initial proof of concept sent to RSA for v5.3 of product
    21-04-2005 - RSA confirm crash within product
    22-04-2005 - Reliable reverse shell proof of concept sent to RSA for v5.3
    of product
    25-04-2005 - RSA send patch for testing
    05-05-2005 - RSA release patch
    06-05-2005 - Disclosure
    Vendor Status: Fix Available
    Vendor Response:
    RSA have made a patch available for this vulnerability:
    To get this new patch and documentation, log on to RSA SecurCare at
    and click "Downloads" in the left
    navigation menu. Then, click "Fixes by Product", click "RSA SecurID", and
    "Authentication Agent 5.x", and select the downloads and documentation that
    pertain to your environment.
    Special Thanks:
    Sec-1 Ltd would like to thank Whitehouse and Brett Moore for their
    assistance in reporting this issue
    Common Vulnerabilities and Exposures (CVE) Information:
    The Common Vulnerabilities and Exposures (CVE) project has assigned
    the following names to these issues. These are candidates for
    inclusion in the CVE list (http://cve.mitre.org), which standardizes
    names for security problems.
    CAN-2005-XXXX Requested
    Copyright 2005 Sec-1 LTD. All rights reserved.
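
As a defensive companion to the Details section, the added example below (not code from Sec-1 or RSA) checks the chunk sizes a chunked-encoding request declares and flags any above a limit before the body is passed on. The 64 KiB limit, the function name and the sample requests are assumptions made for illustration.

```python
MAX_CHUNK = 64 * 1024   # assumed policy limit; the advisory states no size
HEX = b"0123456789abcdefABCDEF"

def inspect_chunked_request(raw, max_chunk=MAX_CHUNK):
    """Classify one raw HTTP request by the chunk sizes it declares.

    Returns (verdict, detail); verdict is 'not-chunked', 'ok',
    'oversized-chunk' or 'malformed'.
    """
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return "malformed", "no header terminator"
    chunked = False
    for line in head.split(b"\r\n")[1:]:          # skip the request line
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"transfer-encoding":
            codings = [c.strip().lower() for c in value.split(b",")]
            chunked = chunked or b"chunked" in codings
    if not chunked:
        return "not-chunked", ""
    pos = 0
    while True:
        eol = body.find(b"\r\n", pos)
        if eol < 0:
            return "malformed", "chunk-size line not terminated"
        field = body[pos:eol].split(b";", 1)[0].strip()   # drop chunk extensions
        # Only 1-8 hex digits are accepted, so int() never sees signs or prefixes.
        if not 1 <= len(field) <= 8 or any(c not in HEX for c in field):
            return "malformed", f"bad chunk size {field[:16]!r}"
        size = int(field, 16)
        if size > max_chunk:                      # judged on the declaration alone
            return "oversized-chunk", f"declared {size} bytes, limit {max_chunk}"
        if size == 0:
            return "ok", ""                       # last-chunk; trailers ignored
        data_end = eol + 2 + size
        if body[data_end:data_end + 2] != b"\r\n":
            return "malformed", "chunk data not followed by CRLF"
        pos = data_end + 2

# Constructed sample requests; host and path are placeholders.
HDR = b"POST /app HTTP/1.1\r\nHost: example.test\r\nTransfer-Encoding: chunked\r\n\r\n"
SAMPLES = {
    "normal": HDR + b"5\r\nhello\r\n0\r\n\r\n",
    "huge": HDR + b"100000\r\n",                  # declares 1 MiB, no data captured
    "junk-size": HDR + b"zz\r\nabc\r\n0\r\n\r\n",
}

if __name__ == "__main__":
    for label, request in SAMPLES.items():
        print(label, inspect_chunked_request(request))
```

Because the verdict is taken from the declared size, a truncated capture that contains only the chunk-size line is still flagged.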