[ERPSCAN-09-017] SAP GUI vsflexGrid ActiveX — Buffer Overflow vulnerability
Application: SAP GUI VSFlexGrid.VSFlexGridL (Part of SAP GUI, SAP BO 2005, SAP BO 2007)
Versions Affected: SAP GUI VSFlexGrid ActiveX Control SP<=14
Vendor URL: http://sap.com
Bugs: Buffer Overflow
Vendor response: 27.11.2008
Date of Public Advisory: 06.10.2009
Originally found by: Elazar Broad
Author: Alexandr Polyakov
Information about this vulnerability has been public since 2007 at http://www.securityfocus.com/bid/26467/info
We found that the vulnerable VSFlexGrid component is not patched and is still used in default SAP GUI Client installations:
- SAP Business One 2007 Client
- SAP Business One 2005 Client
- SAP GUI 7.10 (722.214.171.1248)
So every SAP client is vulnerable to a remote buffer overflow.
An attacker can send a malicious link to an unsuspecting user via e-mail, messaging or social networks. He can also insert this link into a corporate portal. When the end user clicks the link, the browser calls the vulnerable ActiveX component and overflows a stack buffer, resulting in arbitrary code execution in the context of the user running the browser. An attacker can use this to gain full control of the victim’s workstation.
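
One way to check whether a workstation still exposes the control to the browser, as an added example that is not part of the advisory: the PowerShell below resolves the ProgID to its CLSID and reports whether the Internet Explorer kill bit (Compatibility Flags 0x400) is set for it. It assumes that `VSFlexGrid.VSFlexGridL` from the Application line is the registered ProgID and looks only at machine-wide (HKLM) registration; the function name is hypothetical.

```powershell
# Added example, not part of the advisory. Assumption: 'VSFlexGrid.VSFlexGridL'
# (from the Application line) is the ProgID under which the control is registered.
function Get-ActiveXKillBitStatus {
    param([string]$ProgId = 'VSFlexGrid.VSFlexGridL')

    $KillBit = 0x400  # "Compatibility Flags" bit that blocks instantiation in Internet Explorer

    # Resolve the ProgID to its CLSID; no key means the control is not registered here.
    $progKey = Get-Item -LiteralPath "Registry::HKEY_CLASSES_ROOT\$ProgId\CLSID" -ErrorAction SilentlyContinue
    if (-not $progKey) {
        return [pscustomobject]@{ ProgId = $ProgId; Registered = $false }
    }
    $clsid = $progKey.GetValue('')

    # Check the native and the 32-bit (WOW6432Node) views; a 32-bit browser reads the latter.
    $views = @{
        'Native'      = 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE'
        'WOW6432Node' = 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node'
    }
    foreach ($view in $views.GetEnumerator()) {
        $serverPath = "$($view.Value)\Classes\CLSID\$clsid\InprocServer32"
        $server = Get-Item -LiteralPath $serverPath -ErrorAction SilentlyContinue
        if (-not $server) { continue }   # control not registered in this view

        $compatPath = "$($view.Value)\Microsoft\Internet Explorer\ActiveX Compatibility\$clsid"
        $compat = Get-ItemProperty -LiteralPath $compatPath -ErrorAction SilentlyContinue
        $flags  = if ($compat) { [int]$compat.'Compatibility Flags' } else { 0 }

        [pscustomobject]@{
            ProgId     = $ProgId
            Registered = $true
            View       = $view.Key
            Clsid      = $clsid
            Binary     = $server.GetValue('')   # path of the DLL that implements the control
            KillBitSet = [bool]($flags -band $KillBit)
        }
    }
}

# Rows with KillBitSet = False: Internet Explorer is not blocked from instantiating the control.
Get-ActiveXKillBitStatus | Format-Table -AutoSize
```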