[ERPSCAN-09-017] SAP GUI vsflexGrid ActiveX — Buffer Overflow vulnerability

DSECRG Advisories

Application: SAP GUI VSFlexGrid.VSFlexGridL (Part of SAP GUI, SAP BO 2005, SAP BO 2007)
Versions Affected: SAP GUI VSFlexGrid ActiveX Control SP<=14
Vendor URL: http://sap.com
Bugs: Buffer Overflow
Exploits: YES
Reported: 26.11.2008
Vendor response: 27.11.2008
Date of Public Advisory: 06.10.2009
Originally found by: Elazar Broad
Author: Alexandr Polyakov

Information about this vulnerability has been public since 2007 at http://www.securityfocus.com/bid/26467/info

We found that the vulnerable VSFlexGrid component is not patched and is still used in default SAP GUI Client installations.

Tested on:

  • SAP Business One 2007 Client
  • SAP Business One 2005 Client
  • SAP GUI 7.10 (7100.2.7.1038)

So every SAP client is vulnerable to a remote buffer overflow.

Business Risk
An attacker can send a malicious link to an unsuspecting user via e-mail, instant messaging or social networks, or insert the link into a corporate portal. When the user clicks the link, the browser calls the vulnerable ActiveX component and overflows a stack buffer, resulting in arbitrary code execution in the context of the user running the browser. An attacker can use this to gain full control of the victim's workstation.
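
Because the attack path runs through the browser instantiating the control, a workstation check is whether the control is registered and whether Internet Explorer's kill bit is set for it. The following is an added example, not part of the original advisory or SAP's code; the ProgID is taken from the "Application" line above and is an assumption about how the control is registered on a given build, and the function name is hypothetical.

```powershell
# Added example: report registration and IE kill-bit status for the control.
# Assumption: the control is registered under the ProgID given in the advisory.
$ProgId  = 'VSFlexGrid.VSFlexGridL'
$KillBit = 0x400   # "Compatibility Flags" bit that stops IE from loading a control

# Hypothetical helper: inspects one registry view (native or Wow6432Node).
function Get-ControlKillBitStatus {
    param([string]$View, [string]$ProgId)

    # Resolve ProgID -> CLSID; a missing key means not registered in this view.
    $clsidKey = "$View\Classes\$ProgId\CLSID"
    if (-not (Test-Path -LiteralPath $clsidKey)) { return $null }
    $clsid = (Get-Item -LiteralPath $clsidKey).GetValue('')

    # Path of the binary that implements the control, for patch inventory.
    $server = $null
    $serverKey = "$View\Classes\CLSID\$clsid\InprocServer32"
    if (Test-Path -LiteralPath $serverKey) {
        $server = (Get-Item -LiteralPath $serverKey).GetValue('')
    }

    # An absent key or value means no compatibility flags are set.
    $flags = 0
    $compatKey = "$View\Microsoft\Internet Explorer\ActiveX Compatibility\$clsid"
    if (Test-Path -LiteralPath $compatKey) {
        $value = (Get-Item -LiteralPath $compatKey).GetValue('Compatibility Flags')
        if ($null -ne $value) { $flags = [int]$value }
    }

    [pscustomobject]@{
        View       = $View
        Clsid      = $clsid
        Server     = $server
        Flags      = '0x{0:X}' -f $flags
        KillBitSet = (($flags -band $KillBit) -ne 0)
    }
}

# 32-bit controls on 64-bit Windows register under Wow6432Node, so check both.
$results = foreach ($view in 'HKLM:\SOFTWARE', 'HKLM:\SOFTWARE\Wow6432Node') {
    Get-ControlKillBitStatus -View $view -ProgId $ProgId
}

if ($results) { $results | Format-List }
else { "$ProgId is not registered on this machine." }
```

The kill bit only governs loading inside Internet Explorer; a machine that reports `KillBitSet : False` with a registered `Server` path is one where the browser can still instantiate the control.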