CVE-2005-4734
Published 2005-12-31
Priority: P3 (49) · medium · CVSS 2.0: 6.4 (AV:N/AC:L/Au:N/C:N/I:P/A:P)
Public exploit available · EPSS 54.48% (98.9th percentile)
Stack-based buffer overflow in IISWebAgentIF.dll in RSA Authentication Agent for Web (aka SecurID Web Agent) 5.2 and 5.3 for IIS allows remote attackers to execute arbitrary code via a long url parameter in the Redirect method.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| rsa | authentication_agent_for_web | — | — |
| rsa | authentication_agent_for_web | — | — |
Detection & IOCs
- Detect exploitation attempts by monitoring HTTP requests to /WebID/IISWebAgentIF.dll with an abnormally long 'url' parameter in the Redirect method (overflow offset ~992–996 bytes).
- Alert on HTTP requests to IISWebAgentIF.dll using the 'Redirect?url=' query string with payloads exceeding normal URL length (exploit uses 8192-byte alphanumeric pattern).
- Probe/check requests can be identified by the query string 'GetPic?image=msf' to IISWebAgentIF.dll, with the response body containing 'RSA Web Access Authentication'.
- Payload bad characters for this exploit include null bytes, whitespace, and several special characters; network signatures should flag long alphanumeric strings (no digits, no Z) sent to the vulnerable endpoint.
- Version-specific SEH overwrite return addresses used in exploitation: 0x1001e694 (WebAgent 5.2 DLL), 0x10010e89 (WebAgent 5.3 DLL); presence of these addresses in network traffic is a strong exploit indicator.
- The exploit terminates and may restart the IIS service (inetinfo.exe) upon each attempt, making exploitation noisy and potentially causing denial of service even on failed attempts.
- The Metasploit module uses a StackAdjustment of -3500, meaning shellcode execution requires sufficient stack space; constrained environments may cause unreliable exploitation.
- Payload space is limited to 1024 bytes; staged or large payloads will not fit and must be accounted for in detection logic (short shellcode only).
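A log-side version of the request-based detection points above, as an added example (not from the original page, the vendor, or any published rule): it scans W3C extended log lines for oversized `Redirect?url=` values and the `GetPic?image=msf` probe. The 512-byte limit, the label names and the sample log lines are assumptions constructed for illustration.

```python
import re

DLL_RE = re.compile(r"/IISWebAgentIF\.dll$", re.IGNORECASE)  # IIS paths are case-insensitive
REDIRECT_RE = re.compile(r"Redirect\?url=(.*)$", re.IGNORECASE | re.DOTALL)
URL_LIMIT = 512         # assumption: longest legitimate redirect target; tune per site
OVERFLOW_OFFSET = 992   # from the page: overflow offset ~992-996 bytes
PROBE_QUERY = "GetPic?image=msf"  # from the page: probe/check request

def classify(uri_stem, uri_query):
    """Return a finding label for one request, or None if it looks benign."""
    if not DLL_RE.search(uri_stem):
        return None
    if uri_query == PROBE_QUERY:
        return "probe"
    m = REDIRECT_RE.match(uri_query)
    if not m:
        return None
    n = len(m.group(1))
    if n >= OVERFLOW_OFFSET:
        return "overflow-length"   # long enough to reach the overwrite offset
    if n > URL_LIMIT:
        return "oversized-url"     # abnormal, but below the reported offset
    return None

def scan(log_lines):
    """Scan W3C extended log lines, locating columns from the #Fields header."""
    cols, findings = [], []
    for line in log_lines:
        if line.startswith("#Fields:"):
            cols = line.split()[1:]
            continue
        if line.startswith("#") or not cols:
            continue
        rec = dict(zip(cols, line.split(" ")))
        query = rec.get("cs-uri-query", "")
        label = classify(rec.get("cs-uri-stem", ""), query)
        if label:
            findings.append((rec.get("c-ip"), label, len(query)))
    return findings

# Constructed sample log lines (not captured traffic).
SAMPLE = [
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query",
    "2005-11-01 10:00:01 192.0.2.10 GET /WebID/IISWebAgentIF.dll Redirect?url=/portal/home.asp",
    "2005-11-01 10:00:05 192.0.2.66 GET /WebID/IISWebAgentIF.dll GetPic?image=msf",
    "2005-11-01 10:00:06 192.0.2.66 GET /webid/iiswebagentif.dll Redirect?url=" + "A" * 8192,
    "2005-11-01 10:00:09 192.0.2.20 GET /WebID/IISWebAgentIF.dll Redirect?url=" + "b" * 600,
    "2005-11-01 10:00:12 192.0.2.30 GET /default.asp -",
]
```

Because each attempt terminates inetinfo.exe, correlating these findings with IIS service restarts around the same timestamp strengthens the signal.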
No detection rules found.
Exploit-DB
Microsoft IIS - ISAPI RSA WebAgent Redirect Overflow (Metasploit)
exploitdb·2010-09-20
```ruby
##
# $Id: rsa_webagent_redirect.rb 10394 2010-09-20 08:06:27Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'Microsoft IIS ISAPI RSA WebAgent Redirect Overflow',
'Description' => %q{
This module exploits a stack buffer overflow in the SecurID Web
Agent for IIS. This ISAPI filter runs in-process with
inetinfo.exe, any attempt to exploit this flaw will result
in the termination and potential restart of the IIS service.
},
'Author' => [ 'hdm' ],
'License' => MSF_
```
Metasploit
Microsoft IIS ISAPI RSA WebAgent Redirect Overflow
metasploit
This module exploits a stack buffer overflow in the SecurID Web Agent for IIS. This ISAPI filter runs in-process with inetinfo.exe, so any attempt to exploit this flaw will result in the termination and potential restart of the IIS service.
No writeups or analysis indexed.
- http://secunia.com/advisories/17281
- http://www.metasploit.com/projects/Framework/exploits.html#rsa_iiswebagent_redirect
- http://www.osvdb.org/20151
- http://www.securityfocus.com/bid/26424
- https://knowledge.rsasecurity.com/dlcpages/rsa_securid/securid_dlc_aaweb.asp
Published: 2005-12-31