SEC Consult Vulnerability Lab Security Advisory < 20140227-0 > ======================================================================= title: Local Buffer Overflow vulnerability product: SAS for Windows (Statistical Analysis System) vulnerable version: SAS 9.2, 9.3 and 9.4 fixed version: SAS 9.4 TS 1M1 CVE number: - impact: High homepage: http://www.sas.com/ found: 2013-08-08 by: René Freingruber SEC Consult Vulnerability Lab https://www.sec-consult.com ======================================================================= Vendor/product description: ------------------------------------------------------------------------------ "SAS is a software suite developed by SAS Institute for advanced analytics, business intelligence, data management, and predictive analytics. It is the largest market-share holder for advanced analytics. SAS is a software suite that can mine, alter, manage and retrieve data from a variety of sources and perform statistical analysis on it. It is widely used in insurance, public health, scientific research, finance, human resources, IT, utilities, and retail, and is used for operations research, project management, quality improvement, forecasting and decision-making. It is the standard statistical analysis software for submitting clinical pharmaceutical trials to the US Food and Drug administration. SAS provides a graphical point-and-click user interface for non-technical users and more advanced options through the SAS programming language. SAS programs have a DATA step, which retrieves and manipulates data, and a PROC step, which analyzes data." URL: http://en.wikipedia.org/wiki/SAS_%28software%29 Business recommendation: ------------------------------------------------------------------------------ Attackers are able to completely compromise SAS clients when a malicious SAS program gets executed. The scope of the test, where the vulnerabilities had been identified, was a very short crash-test of the application. It is assumed that further vulnerabilities exist within this product! It is highly recommended by SEC Consult not to use this software until a thorough security review has been performed by security professionals and all identified issues have been resolved. Vulnerability overview/description: ------------------------------------------------------------------------------ It is possible to exploit a buffer overflow in the SAS client application by creating a malicious SAS program. When a user opens the SAS program the malicious content will be hidden because the enhanced editor does not display overlong lines. If the user executes the program a buffer overflow will be triggered resulting in arbitrary code execution. It was possible to exploit this vulnerability on a updated standard Windows 7 installation. Proof of concept: ------------------------------------------------------------------------------ The detailed proof of concept exploit was removed for this vulnerability. SEC Consult has released a proof of concept video demonstrating the issue: http://www.youtube.com/user/SECConsult/videos Vulnerable / tested versions: ------------------------------------------------------------------------------ The vulnerabilities have been verified to exist in SAS 9.3 TS Level 1M1. According to the vendor the following versions are also affected: SAS 9.2 TS 2M3 SAS 9.3 TS 1M1 & SAS 9.3 TS 1M2 SAS 9.4 TS 1M0 Vendor contact timeline: ------------------------------------------------------------------------------ 2013-11-04: Contacted vendor through office@aut.sas.com 2013-11-04: Initial vendor response. 2013-11-06: Issue will be verified, internal tracker created. 2014-01-17: Patch released by vendor. 2014-02-27: SEC Consult releases coordinated security advisory. Solution: ------------------------------------------------------------------------------ Apply the provided fix: SAS 9.4 TS 1M1 : includes the fix SAS 9.4 TS 1M0 - http://ftp.sas.com/techsup/download/hotfix/HF2/L08.html#L08004 SAS 9.3 TS 1M2 - http://ftp.sas.com/techsup/download/hotfix/HF2/I22.html#I22069 SAS 9.3 TS 1M1 - Apply maintenance M2 before applying fix for SAS 9.3 TS 1M2 SAS 9.2 TS 2M3 - http://ftp.sas.com/techsup/download/hotfix/HF2/B25.html#B25260 Workaround: ------------------------------------------------------------------------------ No workaround available. Advisory URL: ------------------------------------------------------------------------------ https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ SEC Consult Vulnerability Lab SEC Consult Vienna - Bangkok - Frankfurt/Main - Montreal - Singapore - Vilnius Headquarter: Mooslackengasse 17, 1190 Vienna, Austria Phone: +43 1 8903043 0 Fax: +43 1 8903043 15 Mail: research at sec-consult dot com Web: https://www.sec-consult.com Blog: http://blog.sec-consult.com Twitter: https://twitter.com/sec_consult Interested in working with the experts of SEC Consult? Write to career@sec-consult.com EOF René Freingruber / @2014