Vulnerability ID 1832

RSA Authentication Agent for Web up to 5.3 on IIS HTTP GET Redirect Handler IISWebAgentIF.dll buffer overflow

CVSSv3 Temp Score: 5.5
Current Exploit Price (≈): $0-$1k

A vulnerability classified as critical was found in RSA Authentication Agent for Web up to 5.3 on IIS. It affects an unknown function in the library IISWebAgentIF.dll of the HTTP GET Redirect Handler component. Manipulation with an unknown input leads to a stack-based buffer overflow. Confidentiality, integrity, and availability are impacted.

The weakness was disclosed on 10/21/2005 by H. D. Moore with MetaSploit. The advisory is available for download at metasploit.com. The vulnerability has been tracked as CVE-2005-4734 since 03/19/2006. The attack may be launched remotely, and no form of authentication is required for exploitation. Technical details as well as a public exploit are known.

The exploit is available for download at metasploit.com. As a 0-day, the estimated underground price was around $25k-$50k.

Applying a patch eliminates this problem. The bugfix is available for download at knowledge.rsasecurity.com. It is possible to mitigate the weakness by firewalling. The suggested mitigation is restrictive firewalling. Furthermore, attacks of this kind can be detected and prevented with TippingPoint filter 3891.

The vulnerability is also documented in the databases at SecurityFocus (BID 26424), X-Force (25390), Secunia (SA17281) and Vulnerability Center (SBV-28940).

CVSSv3

Base Score: 5.6
Temp Score: 5.5
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L/E:X/RL:W/RC:X
Reliability: High

CVSSv2

Base Score: 5.1 (CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:P)
Temp Score: 4.8 (CVSS2#E:ND/RL:W/RC:ND)
Reliability: High

Vector (AV)   Complexity (AC)  Authentication (Au)  Confidentiality (C)  Integrity (I)  Availability (A)
Local (L)     High (H)         Multiple (M)         None (N)             None (N)       None (N)
Adjacent (A)  Medium (M)       Single (S)           Partial (P)          Partial (P)    Partial (P)
Network (N)   Low (L)          None (N)             Complete (C)         Complete (C)   Complete (C)

Exploiting

Class: Buffer overflow
Local: No
Remote: Yes

Availability: Yes
Access: Public
Download: metasploit.com

Current Price Estimation: $25k-$50k (0-day) / $0-$1k (Today)

Saint ID: exploit_info/rsa_auth_agent_redirect
Saint Name: RSA SecurID Web Agent for IIS redirect buffer overflow
MetaSploit ID: rsa_webagent_redirect.rb
MetaSploit File: metasploit-framework/modules/exploits/windows/isapi/rsa_webagent_redirect.rb
MetaSploit Name: Microsoft IIS ISAPI RSA WebAgent Redirect Overflow

Countermeasures

Recommended: Firewall
Status: Workaround
0-Day Time: 0 days since found

Patch: knowledge.rsasecurity.com
TippingPoint: 3891
PaloAlto IPS: 30123

Fortigate IPS: 11783

Timeline

10/21/2005 Advisory disclosed
10/21/2005 +0 days VulnerabilityCenter entry assigned
10/21/2005 +0 days OSVDB entry created
10/25/2005 +4 days VulDB entry created
12/31/2005 +67 days NVD disclosed
03/19/2006 +78 days CVE assigned
01/03/2011 +1751 days VulnerabilityCenter entry created
09/02/2014 +1338 days VulnerabilityCenter entry updated
07/08/2015 +310 days VulDB entry updated

Sources

Advisory: metasploit.com
Researcher: H. D. Moore
Organization: MetaSploit

CVE: CVE-2005-4734 (mitre.org) (nvd.nist.org) (cvedetails.com)

SecurityFocus: 26424 - RSA Authentication Agent IISWebAgentIF.DLL Remote Stack Based Buffer Overflow Vulnerability
Secunia: 17281 - RSA Authentication Agent for Web "Redirect" Buffer Overflow, Highly Critical
X-Force: 25390
Vulnerability Center: 28940 - RSA Security Authentication Agent for Web 5.2-5.3 Remote Arbitrary Code Execution Vulnerability, High
OSVDB: 20151

Entry

Created: 10/25/2005
Updated: 07/08/2015
Entry: 95.5% complete