CVE-2005-4734
published 2005-12-31


Priority: P349 medium
CVSS 2.0: 6.4 (AV:N/AC:L/Au:N/C:N/I:P/A:P)
EXPLOIT
EPSS: 54.48% (98.9th percentile)
Stack-based buffer overflow in IISWebAgentIF.dll in RSA Authentication Agent for Web (aka SecurID Web Agent) 5.2 and 5.3 for IIS allows remote attackers to execute arbitrary code via a long url parameter in the Redirect method.

Affected

2 ranges

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| rsa | authentication_agent_for_web | | |
| rsa | authentication_agent_for_web | | |

Detection & IOCs (extracted from sources)

path: /WebID/IISWebAgentIF.dll
url: /WebID/IISWebAgentIF.dll?Redirect?url=
url: /WebID/IISWebAgentIF.dll?GetPic?image=msf
filename: IISWebAgentIF.dll
  • Detect exploitation attempts by monitoring HTTP requests to /WebID/IISWebAgentIF.dll with an abnormally long 'url' parameter in the Redirect method (overflow offset ~992–996 bytes).
  • Alert on HTTP requests to IISWebAgentIF.dll using the 'Redirect?url=' query string with payloads exceeding normal URL length (exploit uses 8192-byte alphanumeric pattern).
  • Probe/check requests can be identified by the query string 'GetPic?image=msf' to IISWebAgentIF.dll, with the response body containing 'RSA Web Access Authentication'.
  • Payload bad characters for this exploit include null bytes, whitespace, and several special characters; network signatures should flag long alphanumeric strings (no digits, no Z) sent to the vulnerable endpoint.
  • Version-specific SEH overwrite return addresses used in exploitation: 0x1001e694 (WebAgent 5.2 DLL), 0x10010e89 (WebAgent 5.3 DLL); presence of these addresses in network traffic is a strong exploit indicator.
  • The exploit terminates and may restart the IIS service (inetinfo.exe) upon each attempt, making exploitation noisy and potentially causing denial of service even on failed attempts.
  • The Metasploit module uses a StackAdjustment of -3500, meaning shellcode execution requires sufficient stack space; constrained environments may cause unreliable exploitation.
  • Payload space is limited to 1024 bytes; staged or large payloads will not fit and must be accounted for in detection logic (short shellcode only).
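
The request-level indicators listed above (an over-long 'url' value in Redirect?url= and the GetPic?image=msf probe), applied to IIS W3C log lines. This is an added example, not code from the sources this page draws on; the 900-character threshold, the log field layout and the sample lines are assumptions constructed for illustration.

```python
AGENT_DLL = "/webid/iiswebagentif.dll"  # endpoint path from the page, lower-cased
PROBE_QUERY = "getpic?image=msf"        # probe query string from the page
REDIRECT_PREFIX = "redirect?url="       # Redirect method parameter from the page
MAX_URL_LEN = 900  # assumption: set below the ~992-byte overflow offset; tune per site

# Constructed sample log (documentation IPs, illustrative status codes).
SAMPLE_LOG = [
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status",
    "2005-12-31 10:00:00 192.0.2.10 GET /WebID/IISWebAgentIF.dll Redirect?url=/portal/home 302",
    "2005-12-31 10:00:05 192.0.2.20 GET /WebID/IISWebAgentIF.dll GetPic?image=msf 200",
    "2005-12-31 10:00:06 192.0.2.20 GET /webid/iiswebagentif.dll Redirect?url=" + "A" * 8192 + " 500",
    "2005-12-31 10:00:09 192.0.2.30 GET /default.htm - 200",
]

def parse_w3c(lines):
    """Yield one dict per request line, using the most recent #Fields header."""
    fields = []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            values = line.split(" ")
            if fields and len(values) == len(fields):
                yield dict(zip(fields, values))

def classify(entry):
    """Return 'probe', 'overflow-attempt' or None for a parsed log entry."""
    if entry.get("cs-uri-stem", "").lower() != AGENT_DLL:
        return None
    query = entry.get("cs-uri-query", "-")
    if query.lower() == PROBE_QUERY:
        return "probe"
    if query.lower().startswith(REDIRECT_PREFIX):
        # Raw length is used: percent-decoding can only shorten the value,
        # so this errs toward alerting.
        if len(query) - len(REDIRECT_PREFIX) > MAX_URL_LEN:
            return "overflow-attempt"
    return None

def scan(lines):
    """Return (client IP, verdict) for every request matching an indicator."""
    hits = []
    for entry in parse_w3c(lines):
        verdict = classify(entry)
        if verdict:
            hits.append((entry.get("c-ip", "?"), verdict))
    return hits

if __name__ == "__main__":
    for ip, verdict in scan(SAMPLE_LOG):
        print(ip, verdict)
```

A probe followed by an over-long Redirect request from the same client is a stronger signal than either alone, and a crashed worker may leave no log line at all, so pair this with monitoring for unexpected inetinfo.exe restarts.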