Vulnerabilities > CVE-2012-0397 - Buffer Errors vulnerability in RSA Securid Software Token Converter 2.6

CVSS 7.6 - HIGH

Attack vector

NETWORK

Attack complexity

HIGH

Privileges required

NONE

Confidentiality impact

COMPLETE

Integrity impact

COMPLETE

Availability impact

COMPLETE

network

high complexity

rsa

CWE-119

nessus

NVD

Published: 2012-03-06

Updated: 2012-03-07

Summary

Buffer overflow in EMC RSA SecurID Software Token Converter before 2.6.1 allows remote attackers to cause a denial of service or possibly execute arbitrary code via unspecified vectors.

Vulnerable Configurations

Part	Description	Count
Application	Rsa RSA Securid Software Token Converter 2.6	1

Common Weakness Enumeration (CWE)

CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer

Common Attack Pattern Enumeration and Classification (CAPEC)

Buffer Overflow via Environment Variables
This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
Overflow Buffers
Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the attackers' choice.
Client-side Injection-induced Buffer Overflow
This type of attack exploits a buffer overflow vulnerability in targeted client software through injection of malicious content from a custom-built hostile service.
Filter Failure through Buffer Overflow
In this attack, the idea is to cause an active filter to fail by causing an oversized transaction. An attacker may try to feed overly long input strings to the program in an attempt to overwhelm the filter (by causing a buffer overflow) and hoping that the filter does not fail securely (i.e. the user input is let into the system unfiltered).
MIME Conversion
An attacker exploits a weakness in the MIME conversion routine to cause a buffer overflow and gain control over the mail server machine. The MIME system is designed to allow various different information formats to be interpreted and sent via e-mail. Attack points exist when data are converted to MIME compatible format and back.

Nessus

NASL family	Windows
NASL id	RSA_CONVERTER_OVERFLOW_WINDOWS.NASL
description	RSA SecurID Software Token Converter prior to version 2.6.1 is prone to an overflow condition. A boundary error occurs when handling XML- formatted
last seen	2020-06-01
modified	2020-06-02
plugin id	69515
published	2013-08-30
reporter	This script is Copyright (C) 2013-2018 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/69515
title	RSA SecurID Software Token Converter XML-Formatted .sdtid Buffer Overflow
code	# # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(69515); script_version("1.9"); script_cvs_date("Date: 2018/11/15 20:50:28"); script_cve_id("CVE-2012-0397"); script_bugtraq_id(52315); script_xref(name:"IAVB", value:"2012-B-0027"); script_name(english:"RSA SecurID Software Token Converter XML-Formatted .sdtid Buffer Overflow"); script_summary(english:"Looks for the affected application by walking C:\Users"); script_set_attribute(attribute:"synopsis", value: "The remote Windows host has an application that may be affected by a buffer overflow condition."); script_set_attribute(attribute:"description", value: "RSA SecurID Software Token Converter prior to version 2.6.1 is prone to an overflow condition. A boundary error occurs when handling XML- formatted '.sdtid' file strings. By tricking a user into running the converter with a crafted file, an attacker could potentially execute arbitrary code."); script_set_attribute(attribute:"solution", value:"Update to version 2.6.1 or higher."); script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"see_also", value:"https://seclists.org/bugtraq/2012/Mar/att-16/esa-2012-013.txt"); script_set_attribute(attribute:"vuln_publication_date", value:"2012/03/06"); script_set_attribute(attribute:"patch_publication_date", value:"2012/03/06"); script_set_attribute(attribute:"plugin_publication_date", value:"2013/08/30"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/a:rsa:securid_software_token_converter"); script_set_attribute(attribute:"stig_severity", value:"II"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Windows"); script_copyright(english:"This script is Copyright (C) 2013-2018 Tenable Network Security, Inc."); script_dependencies("smb_hotfixes.nasl"); script_require_ports(139, 445); exit(0); } include("audit.inc"); include("smb_func.inc"); include("smb_hotfixes.inc"); include("smb_hotfixes_fcheck.inc"); include("smb_reg_query.inc"); include("misc_func.inc"); # Will find files down to C:\Users\Tenable\Desktop\tools\TokenConverter.exe function _list_dir(basedir, level, file_pat) { local_var contents, ret, subdirs, subsub, MAX_RECURSE; MAX_RECURSE = 4; # nb: limit how deep we'll recurse. if (level > MAX_RECURSE) return NULL; subdirs = NULL; ret = FindFirstFile(pattern:basedir + "\"); contents = make_list(); while (!isnull(ret[1])) { if (file_pat && ereg(pattern:file_pat, string:ret[1], icase:TRUE)) contents = make_list(contents, basedir+"\"+ret[1]); subsub = NULL; if ("." != ret[1] && ".." != ret[1] && level <= MAX_RECURSE) subsub = _list_dir(basedir:basedir+"\"+ret[1], level:level+1, file_pat:file_pat); if (!isnull(subsub)) { if (isnull(subdirs)) subdirs = make_list(subsub); else subdirs = make_list(subdirs, subsub); } ret = FindNextFile(handle:ret); } if (isnull(subdirs)) return contents; else return make_list(contents, subdirs); } function get_profiles_dir() { local_var hklm, pdir, root, share; registry_init(); hklm = registry_hive_connect(hive:HKEY_LOCAL_MACHINE, exit_on_fail:TRUE); pdir = get_registry_value(handle:hklm, item:"SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\ProfilesDirectory"); if (pdir && stridx(tolower(pdir), "%systemdrive%") == 0) { root = get_registry_value(handle:hklm, item:"SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot"); if (!isnull(root)) { share = hotfix_path2share(path:root); pdir = share - '$' + ':' + substr(pdir, strlen("%systemdrive%")); } } RegCloseKey(handle:hklm); close_registry(); return pdir; } if (!thorough_tests) audit(AUDIT_THOROUGH); profile_dir = get_profiles_dir(); if (isnull(profile_dir)) exit(1, "Could not get ProfilesDirectory from the registry."); # Split up the drive letter and the path matches = eregmatch(pattern:"^([A-Za-z]):(.)$", string:profile_dir); if (isnull(matches[0]) \|\| isnull(matches[1]) \|\| isnull(matches[2])) exit(1, "Malformed path returned from registry query."); drive = matches[1] + ":"; share = matches[1] + "$"; path = matches[2]; login = kb_smb_login(); pass = kb_smb_password(); domain = kb_smb_domain(); port = kb_smb_transport(); if(! smb_session_init()) audit(AUDIT_FN_FAIL, "smb_session_init"); rc = NetUseAdd(login:login, password:pass, domain:domain, share:share); if (rc != 1) { NetUseDel(); audit(AUDIT_SHARE_FAIL, share); } files = _list_dir(basedir:'\\Users', level:0, file_pat:"^TokenConverter[0-9]*\.exe$"); # This is the modification date of the first patched Windows version fixtimestamp = 1326208282; report = ""; audit_report = ""; vulnerable = FALSE; foreach file (files) { human_path = drive + file; handle = CreateFile( file:file, desired_access:GENERIC_READ, file_attributes:FILE_ATTRIBUTE_NORMAL, share_mode:FILE_SHARE_READ, create_disposition:OPEN_EXISTING ); if (isnull(handle)) { audit_report += "Could not open '" + human_path + '\'.\n'; continue; } ver = GetFileVersionEx(handle:handle); CloseFile(handle:handle); if (isnull(ver) \|\| isnull(ver["dwTimeDateStamp"]) \|\| uint(ver["dwTimeDateStamp"]) == 0) { audit_report += "Could not get timestamp of '" + human_path + '\'.\n'; continue; } timestamp = ver["dwTimeDateStamp"]; if (uint(timestamp) >= uint(fixtimestamp)) { audit_report += "'" + human_path + '\' is not vulnerable.\n'; continue; } report += '\n Path : ' + human_path + '\n File timestamp : ' + timestamp + '\n Fixed timestamp : ' + fixtimestamp + '\n'; vulnerable = TRUE; } NetUseDel(); if (audit_report == "" && report == "") audit(AUDIT_NOT_INST, "RSA SecurID Software Token Converter"); if (!vulnerable) exit(0, audit_report); security_hole(port:port, extra:report);

NASL family	Misc.
NASL id	RSA_CONVERTER_OVERFLOW_LINUX.NASL
description	RSA SecurID Software Token Converter prior to version 2.6.1 is affected by an overflow condition. A boundary error occurs when handling XML-formatted
last seen	2020-06-01
modified	2020-06-02
plugin id	69514
published	2013-08-30
reporter	This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/69514
title	RSA SecurID Software Token Converter Buffer Overflow
code	#TRUSTED 40e264d3a7c2d70673572460af70c665963e37373713025d5015fc3b41ec71b0bf4cb4ab9c478987fcd0c0f30999cb98e5c1dccd500b6d8ec4fe26638a422cdb9259df3e7e2e3e52abcd2a759028d30038759a2d0a25dae120305f2c8b8bd938eecc343d9162f51cf8fe801ae1b1c13c3bdb8ac7ec1f3cde4b2ed0a65760f8b55ace1d456f9c6cf1ebe769c85083fdf26b07c3b312cd960ea49d77f1f3e56b9520a203f2350c284a1f24d7072e4cacb1c03c81cd2baafbfb8324c1d036baf24ea0d0b486cb0188ca082e7a2b619f501ab1f4cbcd596f77bc28184758251622e620c663056ed08802bcfe9a4be6ecd16b4b662b981a7b1cac257421bc5f342d38a3a0b7f56aaae61e48aaf6467f919715c78409b8a05fb71bb938910b9e6929f71d0704c523461943ae3f1b096a4cd32bf548e5d061e2fee337c1254a4efac1211b52ae718f8bc4ad7e2ac3642c6a39cc48b7c195473cc36851949363ccaaef13156b8fe164997d6a29d1bfca35a29636394d20c4c67c6c4cabc7465c30beb6ee1ba086d54a3f241143042ea44eb1a72ac8b7463d8abb9e3739c479311452a9e18a6c75c9d45e91467caf52cd16a365d8e4accb8405f70f37ce26c94a51977a58ff4dbb0105a1d76d0f1b0a99febf59e6771fbb22750ef45247bfe2209d26d0cb3f41dc20c98b0a3d57e94f5dfba5a5c2eb396688f9bf7b1615156dd3acbda845 # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(69514); script_version("1.19"); script_cvs_date("Date: 2019/11/27"); script_cve_id("CVE-2012-0397"); script_bugtraq_id(52315); script_xref(name:"IAVB", value:"2012-B-0027"); script_name(english:"RSA SecurID Software Token Converter Buffer Overflow"); script_summary(english:"Looks for the affected application in common locations."); script_set_attribute(attribute:"synopsis", value: "The remote Linux host has an application that may be affected by a buffer overflow condition."); script_set_attribute(attribute:"description", value: "RSA SecurID Software Token Converter prior to version 2.6.1 is affected by an overflow condition. A boundary error occurs when handling XML-formatted '.sdtid' file strings. By convincing a user to run the converter with a crafted file, an attacker can execute arbitrary code."); script_set_attribute(attribute:"see_also", value:"https://seclists.org/bugtraq/2012/Mar/att-16/esa-2012-013.txt"); script_set_attribute(attribute:"solution", value: "Update to version 2.6.1 or higher."); script_set_attribute(attribute:"agent", value:"unix"); script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2012-0397"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"vuln_publication_date", value:"2012/03/06"); script_set_attribute(attribute:"patch_publication_date", value:"2012/03/06"); script_set_attribute(attribute:"plugin_publication_date", value:"2013/08/30"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/a:rsa:securid_software_token_converter"); script_set_attribute(attribute:"stig_severity", value:"II"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Misc."); script_copyright(english:"This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("ssh_get_info.nasl", "command_builder_init.nasl"); script_require_keys("Host/local_checks_enabled", "Host/uname"); script_require_ports("Services/ssh", 22); exit(0); } include("global_settings.inc"); include("audit.inc"); include("misc_func.inc"); include("ssh_func.inc"); include("hostlevel_funcs.inc"); include("telnet_func.inc"); include("sh_commands_find.inc"); if(sshlib::get_support_level() >= sshlib::SSH_LIB_SUPPORTS_COMMANDS) enable_ssh_wrappers(); else disable_ssh_wrappers(); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if ("Linux" >!< get_kb_item_or_exit("Host/uname")) audit(AUDIT_OS_NOT, "Linux"); fixed_ver = "2.6.1"; grep_template = "sed 's/\x00/ /g' '%%%' \| egrep -oa -- '-(android\|iphone) -o -p -v [0-9]+\.[0-9]+(+\.[0-9]+)? \%s'"; ret = ssh_open_connection(); if (ret == 0) audit(AUDIT_SVC_FAIL, "SSH", kb_ssh_transport()); info_t = INFO_SSH; sock_g = ret; find_args = make_list('/bin', '/sbin', '/usr/bin', '/usr/sbin', '/usr/local/bin', '/usr/local/sbin'); if (thorough_tests) { find_args = make_list(find_args, '/root', '/home'); } find_args = make_list(find_args, '-xautofs', '-tenb_fstype_exclusions', '-tenb_path_exclusions', '-maxdepth', '4', '-type', 'f', '-name', 'TokenConverter*'); find_output = sh_commands::find(args:find_args, timeout:60); if (find_output[0] == sh_commands::CMD_OK) { find_output = find_output[1]; } else if (find_output[0] == sh_commands::CMD_TIMEOUT) { exit(1, 'Find command timed out.'); } else { exit(1, find_output[1]); } audit_report = 'Fixed version is ' + fixed_ver + '.\n'; vuln_report = ""; vulnerable = FALSE; instances_found = 0; filenames = make_list(); if (!isnull(find_output)) filenames = split(find_output, sep:'\n'); foreach filename (filenames) { # Remove newline filename = chomp(filename); # Skip blank lines if (filename == "") continue; # Skip filenames that don't match a strict whitelist of characters. # We are putting untrusted input (directory names) into a command that # is run as root. if (filename =~ "[^a-zA-Z0-9/_-]") continue; grep_cmd = str_replace(find:"%%%", replace:filename, string:grep_template); grep_output = ssh_cmd(cmd:grep_cmd, nosh:TRUE, nosudo:FALSE); if (isnull(grep_output)) continue; if (grep_output !~ "-o -p -v") { audit_report += filename + ' does not look like a TokenConverter executable.\n'; continue; } # This could fail if grep on the remote host doesn't operate like we expect matches = pregmatch(pattern:"-v ([0-9]+\.[0-9]+(\.[0-9]+)?) ", string:grep_output); if (isnull(matches) \|\| isnull(matches[1])) continue; instances_found++; ver = matches[1]; if (ver_compare(ver:ver, fix:fixed_ver, strict:FALSE) != -1) { audit_report += filename + ' is version ' + ver + '.\n'; continue; } vulnerable = TRUE; vuln_report += '\n Path : ' + filename + '\n Version : ' + ver + '\n Fixed version : ' + fixed_ver + '\n'; } ssh_close_connection(); not_found_report = "RSA SecurID Software Token Converter does not appear to be installed."; if (!thorough_tests) { not_found_report += " Note that Nessus only looked in common locations (/bin, /sbin, etc.) for the software. If you would like Nessus to check home directories in addition to the common locations, please enable the 'Perform thorough tests' setting and re-scan."; } if (instances_found == 0) exit(0, not_found_report); if (!vulnerable) exit(0, audit_report); security_hole(port:kb_ssh_transport(), extra:vuln_report);

References

http://www.securityfocus.com/archive/1/521885