Local Buffer Overflow vulnerability in SAS for Windows

SEC Consult Vulnerability Lab Security Advisory < 20140227-0 >


title: Local Buffer Overflow vulnerability

product: SAS for Windows (Statistical Analysis System)

vulnerable version: SAS 9.2, 9.3 and 9.4

fixed version: SAS 9.4 TS 1M1

CVE number: -

impact: High

homepage: www.sas.com

found: 2013-08-08

by: René Freingruber

SEC Consult Vulnerability Lab



Vendor/product description:


"SAS is a software suite developed by SAS Institute for advanced analytics,

business intelligence, data management, and predictive analytics.

It is the largest market-share holder for advanced analytics.

SAS is a software suite that can mine, alter, manage and retrieve data from

a variety of sources and perform statistical analysis on it. It is widely

used in insurance, public health, scientific research, finance, human resources,

IT, utilities, and retail, and is used for operations research, project

management, quality improvement, forecasting and decision-making. It is the

standard statistical analysis software for submitting clinical pharmaceutical

trials to the US Food and Drug administration. SAS provides a graphical

point-and-click user interface for non-technical users and more advanced

options through the SAS programming language. SAS programs have a DATA step,

which retrieves and manipulates data, and a PROC step, which analyzes data."

URL: en.wikipedia.org/wiki/SAS_%28software%29


Business recommendation:


Attackers are able to completely compromise SAS clients when a malicious

SAS program gets executed.

The scope of the test, where the vulnerabilities had been identified, was a

very short crash-test of the application. It is assumed that further

vulnerabilities exist within this product!

It is highly recommended by SEC Consult not to use this software until a

thorough security review has been performed by security professionals and all

identified issues have been resolved.


Vulnerability overview/description:


It is possible to exploit a buffer overflow in the SAS client application by

creating a malicious SAS program. When a user opens the SAS program the

malicious content will be hidden because the enhanced editor does not display

overlong lines. If the user executes the program a buffer overflow will be

triggered resulting in arbitrary code execution. It was possible to exploit

this vulnerability on a updated standard Windows 7 installation.


Proof of concept:


The detailed proof of concept exploit was removed for this vulnerability.

SEC Consult has released a proof of concept video demonstrating the issue:



Vulnerable / tested versions:


The vulnerabilities have been verified to exist in SAS 9.3 TS Level 1M1.

According to the vendor the following versions are also affected:

SAS 9.2 TS 2M3

SAS 9.3 TS 1M1 & SAS 9.3 TS 1M2

SAS 9.4 TS 1M0


Vendor contact timeline:


2013-11-04: Contacted vendor through office@aut.sas.com

2013-11-04: Initial vendor response.

2013-11-06: Issue will be verified, internal tracker created.

2014-01-17: Patch released by vendor.

2014-02-27: SEC Consult releases coordinated security advisory.




Apply the provided fix:

SAS 9.4 TS 1M1 : includes the fix

SAS 9.4 TS 1M0 - ftp.sas.com/techsup/download/hotfix/HF2/L08.html

SAS 9.3 TS 1M2 - ftp.sas.com/techsup/download/hotfix/HF2/I22.html

SAS 9.3 TS 1M1 - Apply maintenance M2 before applying fix for SAS 9.3 TS 1M2

SAS 9.2 TS 2M3 - ftp.sas.com/techsup/download/hotfix/HF2/B25.html




No workaround available.


Advisory URL:





SEC Consult Vulnerability Lab

SEC Consult

Vienna - Bangkok - Frankfurt/Main - Montreal - Singapore - Vilnius


Mooslackengasse 17, 1190 Vienna, Austria

Phone: +43 1 8903043 0

Fax: +43 1 8903043 15

Mail: research at sec-consult dot com

Web: www.sec-consult.com

Blog: blog.sec-consult.com

Twitter: twitter.com/sec_consult

Interested in working with the experts of SEC Consult?

Write to career@sec-consult.com

EOF René Freingruber / @2014