Vulnerabilities / Threats
2/28/2014
02:06 PM
Dark Reading
Dark Reading
Products and Releases
50%
50%

SAS For Windows Buffer Overflow Leads To Code Execution

Vulnerabilities were discovered in a routine security crash

VIENNA, February 27, 2014 /PRNewswire/ --

"SAS for Windows" is part of a software for statistical analysis, data-mining and business intelligence. The software was shipped by the manufacturer SAS Institute Inc. containing a critical vulnerability [1]. The vulnerabilities were discovered in a routine security crash test by experts of the SEC Consult Vulnerability Lab ( http://www.sec-consult.com).

The vulnerability enables state-sponsored or criminal hackers to create a malicious SAS-file, which gives an attacker full control over the attacked computer if the file gets processed with "SAS for Windows". An attacker can send phishing mails containing such a manipulated SAS-file to subsequently attack the internal corporate network via a compromised client computer.

The experts of the SEC Consult Vulnerability Lab were able to successfully exploit the vulnerability during a crash test, bypass current mitigation techniques on a standard Windows 7 installation (including firewall and anti-virus software) and control the attacked computer remotely over the Internet.

SEC Consult experts recommend immediately installing the update, released by the vendor to counter these vulnerabilities [2]. SEC Consult advises that customers of SAS products should demand from the vendor exhaustive security tests by

(European) security experts before the implementation of the respective software product.

[1] https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm

[2]

SAS 9.4 TS 1M0 - http://ftp.sas.com/techsup/download/hotfix/HF2/L08.html#L08004

SAS 9.3 TS 1M2 - http://ftp.sas.com/techsup/download/hotfix/HF2/I22.html#I22069

SAS 9.2 TS 2M3 - http://ftp.sas.com/techsup/download/hotfix/HF2/B25.html#B25260

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2015-4233
Published: 2015-07-02
SQL injection vulnerability in Cisco Unified MeetingPlace 8.6(1.2) allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors, aka Bug ID CSCuu54037.

CVE-2014-1750
Published: 2015-07-01
Open redirect vulnerability in nokia-mapsplaces.php in the Nokia Maps & Places plugin 1.6.6 for WordPress allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the href parameter to page/place.html. NOTE: this was originally reported as cross-sit...

CVE-2014-1836
Published: 2015-07-01
Absolute path traversal vulnerability in htdocs/libraries/image-editor/image-edit.php in ImpressCMS before 1.3.6 allows remote attackers to delete arbitrary files via a full pathname in the image_path parameter in a cancel action.

CVE-2015-0848
Published: 2015-07-01
Heap-based buffer overflow in libwmf 0.2.8.4 allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted BMP image.

CVE-2015-1330
Published: 2015-07-01
unattended-upgrades before 0.86.1 does not properly authenticate packages when the (1) force-confold or (2) force-confnew dpkg options are enabled in the DPkg::Options::* apt configuration, which allows remote man-in-the-middle attackers to upload and execute arbitrary packages via unspecified vecto...

Dark Reading Radio
Archived Dark Reading Radio
Marc Spitler, co-author of the Verizon DBIR will share some of the lesser-known but most intriguing tidbits from the massive report