SEC Consult SA-20140227-0 :: Local Buffer Overflow vulnerability in SAS for Windows (Statistical Analysis System) Feb 27 2014 10:57AM
SEC Consult Vulnerability Lab (research sec-consult com)
SEC Consult Vulnerability Lab Security Advisory < 20140227-0 >
title: Local Buffer Overflow vulnerability
product: SAS for Windows (Statistical Analysis System)
vulnerable version: SAS 9.2, 9.3 and 9.4
fixed version: SAS 9.4 TS 1M1
CVE number: -
impact: High
homepage: http://www.sas.com/
found: 2013-08-08
by: René Freingruber
SEC Consult Vulnerability Lab

Vendor/product description:
"SAS is a software suite developed by SAS Institute for advanced analytics,
business intelligence, data management, and predictive analytics.
It is the largest market-share holder for advanced analytics.
SAS is a software suite that can mine, alter, manage and retrieve data from
a variety of sources and perform statistical analysis on it. It is widely
used in insurance, public health, scientific research, finance, human resources,
IT, utilities, and retail, and is used for operations research, project
management, quality improvement, forecasting and decision-making. It is the
standard statistical analysis software for submitting clinical pharmaceutical
trials to the US Food and Drug administration. SAS provides a graphical
point-and-click user interface for non-technical users and more advanced
options through the SAS programming language. SAS programs have a DATA step,
which retrieves and manipulates data, and a PROC step, which analyzes data."

URL: http://en.wikipedia.org/wiki/SAS_%28software%29

Business recommendation:
Attackers are able to completely compromise SAS clients when a malicious
SAS program gets executed.

The scope of the test, where the vulnerabilities had been identified, was a
very short crash-test of the application. It is assumed that further
vulnerabilities exist within this product!

It is highly recommended by SEC Consult not to use this software until a
thorough security review has been performed by security professionals and all
identified issues have been resolved.

Vulnerability overview/description:
It is possible to exploit a buffer overflow in the SAS client application by
creating a malicious SAS program. When a user opens the SAS program the
malicious content will be hidden because the enhanced editor does not display
overlong lines. If the user executes the program a buffer overflow will be
triggered resulting in arbitrary code execution. It was possible to exploit
this vulnerability on a updated standard Windows 7 installation.

Proof of concept:
The detailed proof of concept exploit was removed for this vulnerability.

SEC Consult has released a proof of concept video demonstrating the issue:


Vulnerable / tested versions:
The vulnerabilities have been verified to exist in SAS 9.3 TS Level 1M1.
According to the vendor the following versions are also affected:
SAS 9.2 TS 2M3
SAS 9.3 TS 1M1 & SAS 9.3 TS 1M2
SAS 9.4 TS 1M0

Vendor contact timeline:
2013-11-04: Contacted vendor through office (at) aut.sas (dot) com [email concealed]
2013-11-04: Initial vendor response.
2013-11-06: Issue will be verified, internal tracker created.
2014-01-17: Patch released by vendor.
2014-02-27: SEC Consult releases coordinated security advisory.

Apply the provided fix:
SAS 9.4 TS 1M1 : includes the fix
SAS 9.4 TS 1M0 - http://ftp.sas.com/techsup/download/hotfix/HF2/L08.html#L08004
SAS 9.3 TS 1M2 - http://ftp.sas.com/techsup/download/hotfix/HF2/I22.html#I22069
SAS 9.3 TS 1M1 - Apply maintenance M2 before applying fix for SAS 9.3 TS 1M2
SAS 9.2 TS 2M3 - http://ftp.sas.com/techsup/download/hotfix/HF2/B25.html#B25260

No workaround available.

Advisory URL:

SEC Consult Vulnerability Lab

SEC Consult
Vienna - Bangkok - Frankfurt/Main - Montreal - Singapore - Vilnius

Mooslackengasse 17, 1190 Vienna, Austria
Phone: +43 1 8903043 0
Fax: +43 1 8903043 15

Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult

Interested in working with the experts of SEC Consult?
Write to career (at) sec-consult (dot) com [email concealed]

EOF René Freingruber / @2014

[ reply ]


Privacy Statement
Copyright 2010, SecurityFocus