CVE-2021-41569
Published 2021-11-19
CVE-2021-41569: SAS/Intrnet 9.4 build 1520 and earlier allows Local File Inclusion. The samples library (included by default) in the appstart.sas file, allows end-users of the…
Priority P2 · 75 · high · 7.5 CVSS 3.1
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Tags: ITW, EXPLOIT, VulnCheck KEV
Exploited in the wild
EPSS: 7.85% (93.9th percentile)
SAS/Intrnet 9.4 build 1520 and earlier allows Local File Inclusion. The samples library (included by default) in the appstart.sas file allows end users of the application to access the sample.webcsf1.sas program, which contains user-controlled macro variables that are passed to the DS2CSF macro. Users can escape the context of the configured user-controllable variable and append additional functions native to the macro but not included as variables within the library. This includes a function that retrieves files from the host OS.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| sas | sas_intrnet | < 9.4 | 9.4 |
| sas | sas_intrnet | — | — |
Detection & IOCs (extracted from sources)
url: /cgi-bin/broker?csftyp=classic,+ssfile1%3d/etc/passwd&_SERVICE=targetservice&_DEBUG=131&_PROGRAM=sample.webcsf1.sas&sysparm=test&_ENTRY=SAMPLIB.WEBSAMP.PRINT_TO_HTML.SOURCE&BG=%23FFFFFF&DATASET=targetdataset&_DEBUG=131&TEMPFILE=Unknown&style=a+tcolor%3dblue&_WEBOUT=test&bgtype=COLOR
- Look for HTTP GET requests to /cgi-bin/broker containing the parameters '_PROGRAM=sample.webcsf1.sas' and 'csftyp=classic' with a path traversal value in 'ssfile1' (e.g., ssfile1=/etc/passwd). This is the canonical exploit request pattern for CVE-2021-41569.
- Successful exploitation returns the contents of OS files (e.g., /etc/passwd). A response matching 'root:[x*]:0:0' with HTTP 200 confirms LFI exploitation.
- Monitor for the '_DEBUG=131' parameter in requests to the SAS broker CGI endpoint, as it is present in the exploit payload and may indicate active probing or exploitation.
- The exploit abuses the 'ssfile1' macro variable within sample.webcsf1.sas to pass a file path to the DS2CSF macro. Alert on any broker request where 'ssfile1' is set to an absolute OS path.
- The vulnerability is only exploitable if the default samples library is included via appstart.sas. Installations that have removed or restricted access to the samples library are not exposed via this attack vector.
- Affects SAS/Intrnet 9.4 build 1520 and earlier only. Versions beyond build 1520 may not be vulnerable.
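
The request-side checks listed above, as an added example (not from this page's sources): a Python access-log scanner that decodes every query value before matching, because in the request shown above `ssfile1` is carried inside the `csftyp` value rather than as its own parameter. The log format, sample lines, verdict names and the Windows drive-letter pattern are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote_plus

# Request portion of a common/combined-format access log line (assumed format).
REQ = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[0-9.]+" (?P<status>\d{3})')
# 'ssfile1=' followed by an absolute path. The Windows drive form is an
# assumption added here; the page only shows a POSIX path.
SSFILE_ABS = re.compile(r"ssfile1\s*=\s*(?:/|[a-z]:[\\/])", re.I)

def classify(line):
    """Return None for unrelated lines, else verdict, status and indicators."""
    m = REQ.search(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    if not url.path.lower().endswith("/cgi-bin/broker"):
        return None
    hits = set()
    for key, value in parse_qsl(url.query, keep_blank_values=True):
        key = key.lower()
        # Decode once more so a double-encoded '=' (%253d) is still seen.
        pair = f"{key}={unquote_plus(value)}"
        if SSFILE_ABS.search(pair):
            hits.add("ssfile1_abs_path")
        if key == "_program" and value.lower() == "sample.webcsf1.sas":
            hits.add("sample_program")
        if key == "_debug" and value == "131":
            hits.add("debug_131")
    if not hits:
        return None
    # An absolute path in ssfile1 is the alert condition; the rest is context.
    verdict = "alert" if "ssfile1_abs_path" in hits else "review"
    return {"verdict": verdict, "status": int(m["status"]), "indicators": sorted(hits)}

# Constructed sample lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Dec/2021:10:00:00 +0000] "GET /cgi-bin/broker?csftyp=classic,+ssfile1%3d/etc/passwd&_SERVICE=svc&_DEBUG=131&_PROGRAM=sample.webcsf1.sas HTTP/1.1" 200 1843',
    '203.0.113.5 - - [01/Dec/2021:10:00:05 +0000] "GET /cgi-bin/broker?_SERVICE=svc&_PROGRAM=sample.webcsf1.sas&csftyp=classic HTTP/1.1" 200 5120',
    '198.51.100.7 - - [01/Dec/2021:10:01:00 +0000] "GET /cgi-bin/broker?_SERVICE=svc&_PROGRAM=reports.sales.sas HTTP/1.1" 200 900',
    '198.51.100.7 - - [01/Dec/2021:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 312',
]

def scan(lines):
    """Return (line_index, finding) for every line that matched an indicator."""
    return [(i, r) for i, line in enumerate(lines) if (r := classify(line))]

if __name__ == "__main__":
    for idx, finding in scan(SAMPLE_LOG):
        print(idx, finding)
```

Access logs do not carry response bodies, so the 'root:[x*]:0:0' confirmation described above has to come from a proxy, WAF or packet capture that records them.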
CVSS provenance
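| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N |
| vulncheck | — | 7.5 | HIGH | — |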
GHSA
GHSA-6xqv-9mpx-wxjp: SAS/Intrnet 9
ghsa_unreviewed·2022-05-24
CVE-2021-41569 [HIGH] CWE-829 GHSA-6xqv-9mpx-wxjp: SAS/Intrnet 9
VulnCheck
sas sas/intrnet Inclusion of Functionality from Untrusted Control Sphere
vulncheck·2021·CVSS 7.5
CVE-2021-41569 [HIGH] sas sas/intrnet Inclusion of Functionality from Untrusted Control Sphere
Affected: sas sas/intrnet
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Nuclei
SAS/Internet 9.4 1520 - Local File Inclusion
nuclei·CVSS 7.5
CVE-2021-41569 [HIGH] SAS/Internet 9.4 1520 - Local File Inclusion
SAS/Internet 9.4 build 1520 and earlier allows local file inclusion. The samples library (included by default) in the appstart.sas file allows end users of the application to access the sample.webcsf1.sas program, which contains user-controlled macro variables that are passed to the DS2CSF macro.
Template:
```yaml
id: CVE-2021-41569
info:
  name: SAS/Internet 9.4 1520 - Local File Inclusion
  author: 0x_Akoko
  severity: high
  description: SAS/Internet 9.4 build 1520 and earlier allows local file inclusion. The samples library (included by default) in the appstart.sas file, allows end-users of the application to access the sample.webcsf1.sas program, which contains user-controlled macro variables that are passed to the DS2CSF macro.
  impact: |
    Successful e
```