what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

SAS 9.2 / 9.3 / 9.4 Local Buffer Overflow

SAS 9.2 / 9.3 / 9.4 Local Buffer Overflow
Posted Feb 27, 2014
Authored by Rene Freingruber | Site sec-consult.com

SAS for Windows versions 9.2, 9.3, and 9.4 suffer from a local buffer overflow vulnerability.

tags | advisory, overflow, local
systems | windows
SHA-256 | 24769861835016b127bed896f8ade5c050efa0a1c159a8540888d617d43db899

SAS 9.2 / 9.3 / 9.4 Local Buffer Overflow

Change Mirror Download
SEC Consult Vulnerability Lab Security Advisory < 20140227-0 >
=======================================================================
title: Local Buffer Overflow vulnerability
product: SAS for Windows (Statistical Analysis System)
vulnerable version: SAS 9.2, 9.3 and 9.4
fixed version: SAS 9.4 TS 1M1
CVE number: -
impact: High
homepage: https://www.sas.com/
found: 2013-08-08
by: René Freingruber
SEC Consult Vulnerability Lab
https://www.sec-consult.com
=======================================================================

Vendor/product description:
------------------------------------------------------------------------------
"SAS is a software suite developed by SAS Institute for advanced analytics,
business intelligence, data management, and predictive analytics.
It is the largest market-share holder for advanced analytics.
SAS is a software suite that can mine, alter, manage and retrieve data from
a variety of sources and perform statistical analysis on it. It is widely
used in insurance, public health, scientific research, finance, human resources,
IT, utilities, and retail, and is used for operations research, project
management, quality improvement, forecasting and decision-making. It is the
standard statistical analysis software for submitting clinical pharmaceutical
trials to the US Food and Drug administration. SAS provides a graphical
point-and-click user interface for non-technical users and more advanced
options through the SAS programming language. SAS programs have a DATA step,
which retrieves and manipulates data, and a PROC step, which analyzes data."

URL: https://en.wikipedia.org/wiki/SAS_%28software%29


Business recommendation:
------------------------------------------------------------------------------
Attackers are able to completely compromise SAS clients when a malicious
SAS program gets executed.

The scope of the test, where the vulnerabilities had been identified, was a
very short crash-test of the application. It is assumed that further
vulnerabilities exist within this product!

It is highly recommended by SEC Consult not to use this software until a
thorough security review has been performed by security professionals and all
identified issues have been resolved.



Vulnerability overview/description:
------------------------------------------------------------------------------
It is possible to exploit a buffer overflow in the SAS client application by
creating a malicious SAS program. When a user opens the SAS program the
malicious content will be hidden because the enhanced editor does not display
overlong lines. If the user executes the program a buffer overflow will be
triggered resulting in arbitrary code execution. It was possible to exploit
this vulnerability on a updated standard Windows 7 installation.


Proof of concept:
------------------------------------------------------------------------------
The detailed proof of concept exploit was removed for this vulnerability.

SEC Consult has released a proof of concept video demonstrating the issue:

https://www.youtube.com/user/SECConsult/videos


Vulnerable / tested versions:
------------------------------------------------------------------------------
The vulnerabilities have been verified to exist in SAS 9.3 TS Level 1M1.
According to the vendor the following versions are also affected:
SAS 9.2 TS 2M3
SAS 9.3 TS 1M1 & SAS 9.3 TS 1M2
SAS 9.4 TS 1M0


Vendor contact timeline:
------------------------------------------------------------------------------
2013-11-04: Contacted vendor through office@aut.sas.com
2013-11-04: Initial vendor response.
2013-11-06: Issue will be verified, internal tracker created.
2014-01-17: Patch released by vendor.
2014-02-27: SEC Consult releases coordinated security advisory.


Solution:
------------------------------------------------------------------------------
Apply the provided fix:
SAS 9.4 TS 1M1 : includes the fix
SAS 9.4 TS 1M0 - https://ftp.sas.com/techsup/download/hotfix/HF2/L08.html#L08004
SAS 9.3 TS 1M2 - https://ftp.sas.com/techsup/download/hotfix/HF2/I22.html#I22069
SAS 9.3 TS 1M1 - Apply maintenance M2 before applying fix for SAS 9.3 TS 1M2
SAS 9.2 TS 2M3 - https://ftp.sas.com/techsup/download/hotfix/HF2/B25.html#B25260


Workaround:
------------------------------------------------------------------------------
No workaround available.


Advisory URL:
------------------------------------------------------------------------------
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Vulnerability Lab

SEC Consult
Vienna - Bangkok - Frankfurt/Main - Montreal - Singapore - Vilnius

Headquarter:
Mooslackengasse 17, 1190 Vienna, Austria
Phone: +43 1 8903043 0
Fax: +43 1 8903043 15

Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: https://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult

Interested in working with the experts of SEC Consult?
Write to career@sec-consult.com

EOF René Freingruber / @2014
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    69 Files
  • 14
    Nov 14th
    0 Files
  • 15
    Nov 15th
    0 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close