SEC Consult Vulnerability Lab Security Advisory < 20140227-0 >
=======================================================================
title: Local Buffer Overflow vulnerability
product: SAS for Windows (Statistical Analysis System)
vulnerable version: SAS 9.2, 9.3 and 9.4
fixed version: SAS 9.4 TS 1M1
CVE number: -
impact: High
homepage: http://www.sas.com/
found: 2013-08-08
by: René Freingruber
SEC Consult Vulnerability Lab
https://www.sec-consult.com
=======================================================================
Vendor/product description:
------------------------------------------------------------------------------
"SAS is a software suite developed by SAS Institute for advanced analytics,
business intelligence, data management, and predictive analytics.
It is the largest market-share holder for advanced analytics.
SAS is a software suite that can mine, alter, manage and retrieve data from
a variety of sources and perform statistical analysis on it. It is widely
used in insurance, public health, scientific research, finance, human resources,
IT, utilities, and retail, and is used for operations research, project
management, quality improvement, forecasting and decision-making. It is the
standard statistical analysis software for submitting clinical pharmaceutical
trials to the US Food and Drug administration. SAS provides a graphical
point-and-click user interface for non-technical users and more advanced
options through the SAS programming language. SAS programs have a DATA step,
which retrieves and manipulates data, and a PROC step, which analyzes data."
URL: http://en.wikipedia.org/wiki/SAS_%28software%29
Business recommendation:
------------------------------------------------------------------------------
Attackers are able to completely compromise SAS clients when a malicious
SAS program gets executed.
The scope of the test, where the vulnerabilities had been identified, was a
very short crash-test of the application. It is assumed that further
vulnerabilities exist within this product!
It is highly recommended by SEC Consult not to use this software until a
thorough security review has been performed by security professionals and all
identified issues have been resolved.
Vulnerability overview/description:
------------------------------------------------------------------------------
It is possible to exploit a buffer overflow in the SAS client application by
creating a malicious SAS program. When a user opens the SAS program, the
malicious content will be hidden because the enhanced editor does not display
overlong lines. If the user executes the program, a buffer overflow will be
triggered, resulting in arbitrary code execution. It was possible to exploit
this vulnerability on an updated standard Windows 7 installation.
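Because the overlong line is not shown in the enhanced editor, a program can
be checked at the byte level before it is opened or run. The following is an
added example, not part of the original advisory or of any SAS tooling; the
length threshold is an assumption, since the advisory does not state the
length at which the editor stops displaying a line.

```python
import re
import sys
from dataclasses import dataclass

# Assumption: local review policy, not a value taken from the advisory.
MAX_LINE_BYTES = 1024

# SAS programs may arrive with CRLF, LF or bare CR line endings.
_LINE_END = re.compile(rb"\r\n|\r|\n")


@dataclass
class Finding:
    line_no: int        # 1-based line number in the file
    length: int         # line length in bytes, without the line ending
    non_printable: int  # bytes outside printable ASCII (tab excluded)
    preview: str        # start of the line, i.e. the part a reviewer sees


def scan_sas_source(data: bytes, max_len: int = MAX_LINE_BYTES) -> list:
    """Return one Finding per line longer than max_len bytes."""
    findings = []
    for line_no, line in enumerate(_LINE_END.split(data), start=1):
        if len(line) <= max_len:
            continue
        odd = sum(1 for b in line if b != 0x09 and not 0x20 <= b <= 0x7E)
        preview = line[:60].decode("ascii", errors="replace")
        findings.append(Finding(line_no, len(line), odd, preview))
    return findings


# Constructed sample: an ordinary program whose third line is padded with
# spaces far past the threshold and ends in a few non-printable bytes.
SAMPLE = b"".join([
    b"data work.demo;\r\n",
    b"  set sashelp.class;\r\n",
    b"  x = 1;", b" " * 2000, b"\x00\x01\x02\x03", b"\r\n",
    b"run;\n",
])

if __name__ == "__main__":
    # Scan the files named on the command line, or the sample if none given.
    sources = sys.argv[1:] or [None]
    for path in sources:
        data = SAMPLE if path is None else open(path, "rb").read()
        for f in scan_sas_source(data):
            print(f"{path or '<sample>'}:{f.line_no}: {f.length} bytes, "
                  f"{f.non_printable} non-printable, starts {f.preview!r}")
```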
Proof of concept:
------------------------------------------------------------------------------
The detailed proof of concept exploit was removed for this vulnerability.
SEC Consult has released a proof of concept video demonstrating the issue:
http://www.youtube.com/user/SECConsult/videos
Vulnerable / tested versions:
------------------------------------------------------------------------------
The vulnerabilities have been verified to exist in SAS 9.3 TS Level 1M1.
According to the vendor the following versions are also affected:
SAS 9.2 TS 2M3
SAS 9.3 TS 1M1 & SAS 9.3 TS 1M2
SAS 9.4 TS 1M0
Vendor contact timeline:
------------------------------------------------------------------------------
2013-11-04: Contacted vendor through office@aut.sas.com
2013-11-04: Initial vendor response.
2013-11-06: Issue will be verified, internal tracker created.
2014-01-17: Patch released by vendor.
2014-02-27: SEC Consult releases coordinated security advisory.
Solution:
------------------------------------------------------------------------------
Apply the provided fix:
SAS 9.4 TS 1M1 : includes the fix
SAS 9.4 TS 1M0 - http://ftp.sas.com/techsup/download/hotfix/HF2/L08.html#L08004
SAS 9.3 TS 1M2 - http://ftp.sas.com/techsup/download/hotfix/HF2/I22.html#I22069
SAS 9.3 TS 1M1 - Apply maintenance M2 before applying fix for SAS 9.3 TS 1M2
SAS 9.2 TS 2M3 - http://ftp.sas.com/techsup/download/hotfix/HF2/B25.html#B25260
Workaround:
------------------------------------------------------------------------------
No workaround available.
Advisory URL:
------------------------------------------------------------------------------
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Vulnerability Lab
SEC Consult
Vienna - Bangkok - Frankfurt/Main - Montreal - Singapore - Vilnius
Headquarter:
Mooslackengasse 17, 1190 Vienna, Austria
Phone: +43 1 8903043 0
Fax: +43 1 8903043 15
Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult
EOF René Freingruber / @2014