SEC Consult Vulnerability Lab Security Advisory < 20140227-0 >
=======================================================================
              title: Local Buffer Overflow vulnerability
            product: SAS for Windows (Statistical Analysis System)
 vulnerable version: SAS 9.2, 9.3 and 9.4
      fixed version: SAS 9.4 TS 1M1
         CVE number: -
             impact: High
           homepage: http://www.sas.com/
              found: 2013-08-08
                 by: René Freingruber
                     SEC Consult Vulnerability Lab
                     https://www.sec-consult.com         
=======================================================================

Vendor/product description:
------------------------------------------------------------------------------
"SAS is a software suite developed by SAS Institute for advanced analytics, 
business intelligence, data management, and predictive analytics. 
It is the largest market-share holder for advanced analytics.
SAS is a software suite that can mine, alter, manage and retrieve data from 
a variety of sources and perform statistical analysis on it. It is widely 
used in insurance, public health, scientific research, finance, human resources, 
IT, utilities, and retail, and is used for operations research, project 
management, quality improvement, forecasting and decision-making. It is the 
standard statistical analysis software for submitting clinical pharmaceutical 
trials to the US Food and Drug administration. SAS provides a graphical 
point-and-click user interface for non-technical users and more advanced 
options through the SAS programming language. SAS programs have a DATA step, 
which retrieves and manipulates data, and a PROC step, which analyzes data."

URL: http://en.wikipedia.org/wiki/SAS_%28software%29


Business recommendation:
------------------------------------------------------------------------------
Attackers are able to completely compromise SAS clients when a malicious
SAS program gets executed.

The scope of the test, where the vulnerabilities had been identified, was a
very short crash-test of the application. It is assumed that further
vulnerabilities exist within this product!

It is highly recommended by SEC Consult not to use this software until a
thorough security review has been performed by security professionals and all
identified issues have been resolved.



Vulnerability overview/description:
------------------------------------------------------------------------------
It is possible to exploit a buffer overflow in the SAS client application by
creating a malicious SAS program. When a user opens the SAS program the
malicious content will be hidden because the enhanced editor does not display
overlong lines. If the user executes the program a buffer overflow will be 
triggered resulting in arbitrary code execution. It was possible to exploit 
this vulnerability on a updated standard Windows 7 installation.


Proof of concept:
------------------------------------------------------------------------------
The detailed proof of concept exploit was removed for this vulnerability.

SEC Consult has released a proof of concept video demonstrating the issue:

http://www.youtube.com/user/SECConsult/videos


Vulnerable / tested versions:
------------------------------------------------------------------------------
The vulnerabilities have been verified to exist in SAS 9.3 TS Level 1M1.
According to the vendor the following versions are also affected:
SAS 9.2 TS 2M3
SAS 9.3 TS 1M1 & SAS 9.3 TS 1M2
SAS 9.4 TS 1M0


Vendor contact timeline:
------------------------------------------------------------------------------
2013-11-04: Contacted vendor through office@aut.sas.com
2013-11-04: Initial vendor response.
2013-11-06: Issue will be verified, internal tracker created.
2014-01-17: Patch released by vendor.
2014-02-27: SEC Consult releases coordinated security advisory.


Solution:
------------------------------------------------------------------------------
Apply the provided fix:
SAS 9.4 TS 1M1 : includes the fix
SAS 9.4 TS 1M0 - http://ftp.sas.com/techsup/download/hotfix/HF2/L08.html#L08004
SAS 9.3 TS 1M2 - http://ftp.sas.com/techsup/download/hotfix/HF2/I22.html#I22069
SAS 9.3 TS 1M1 - Apply maintenance M2 before applying fix for SAS 9.3 TS 1M2
SAS 9.2 TS 2M3 - http://ftp.sas.com/techsup/download/hotfix/HF2/B25.html#B25260 


Workaround:
------------------------------------------------------------------------------
No workaround available.


Advisory URL:
------------------------------------------------------------------------------
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Vulnerability Lab

SEC Consult
Vienna - Bangkok - Frankfurt/Main - Montreal - Singapore - Vilnius

Headquarter:
Mooslackengasse 17, 1190 Vienna, Austria
Phone:   +43 1 8903043 0
Fax:     +43 1 8903043 15

Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult

Interested in working with the experts of SEC Consult?
Write to career@sec-consult.com

EOF René Freingruber / @2014