[ERPSCAN-09-043] SAP GUI 7.1 WebViewer2D ActiveX — Insecure Methods

DSECRG Advisories

Application: EAI WebViewer2D (EnjoySAP, SAP GUI for Windows 6.4 and 7.1)
Versions Affected: Tested on 7100.2.7.1038 PL 7
Vendor URL: http://sap.com
Bugs: Insecure method, File overwriting
Exploits: YES
Reported: 02.07.2009
Vendor response: 02.07.2009
Date of Public Advisory: 28.09.2009
Author: Alexandr Polyakov

SAP GUI for Windows 7.1 and 6.4 ships the ActiveX component EAI WebViewer2D (file WebViewer2D.dll, Lib GUID {A76CEBEE-7364-11D2-AA6B-00E02924C34E}), which exposes an insecure method that can overwrite any file on the system.

Business Risk
An attacker can send a malicious link to an unaware user via e-mail, instant messaging or social networks, or insert the link into a corporate portal. When the user clicks the link, the browser instantiates the vulnerable ActiveX component, which can delete any file on the victim's workstation. Deleting the configuration files of critical binaries leads to a denial of service and halts business operations until the files are repaired. This scenario is critical when the user works with SAP for Logistics or SAP for Banking applications.
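The standard workstation-side mitigation for a vulnerable ActiveX control that cannot be patched immediately is the Internet Explorer kill bit, which stops the browser from instantiating the control at all. The script below is an added example and is not part of the DSECRG advisory or of SAP's own code. It assumes the type library GUID quoted above is what the advisory calls the "Lib GUID"; because the advisory does not list the CLSID(s) of the control itself, the script resolves them from the registry (every registered COM class built from a type library records that library's GUID under `HKCR\CLSID\{clsid}\TypeLib`), reports whether each is already kill-bitted, and, with `-SetKillBit`, sets the bit while preserving any other compatibility flags. Writing the bit requires an elevated prompt.

```powershell
# Added example (not from the advisory): find the COM classes registered
# against the WebViewer2D type library and report or set their IE kill bit.
param(
    # Lib GUID from the advisory; assumed to be the control's TypeLib GUID.
    [string]$TypeLibGuid = '{A76CEBEE-7364-11D2-AA6B-00E02924C34E}',
    [switch]$SetKillBit
)

$killBitFlag = 0x400   # "Compatibility Flags" bit that blocks instantiation in IE
$compatRoot  = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'

function Get-ClsidsForTypeLib {
    param([string]$Guid)
    # Walk HKCR\CLSID and keep every class whose TypeLib subkey's default
    # value names the library we are looking for.
    Get-ChildItem -Path 'Registry::HKEY_CLASSES_ROOT\CLSID' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $tlKey = Get-Item -Path "$($_.PSPath)\TypeLib" -ErrorAction SilentlyContinue
            if ($tlKey -and ($tlKey.GetValue('') -ieq $Guid)) { $_.PSChildName }
        }
}

function Test-KillBit {
    param([string]$Clsid)
    # True when the 0x400 bit is present in "Compatibility Flags" for this CLSID.
    $key = Get-Item -Path (Join-Path $compatRoot $Clsid) -ErrorAction SilentlyContinue
    if (-not $key) { return $false }
    $flags = [int]$key.GetValue('Compatibility Flags', 0)
    return (($flags -band $killBitFlag) -ne 0)
}

function Set-KillBit {
    param([string]$Clsid)
    $path = Join-Path $compatRoot $Clsid
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    # OR the kill bit into whatever flags are already set rather than overwriting them.
    $current = [int](Get-Item $path).GetValue('Compatibility Flags', 0)
    Set-ItemProperty -Path $path -Name 'Compatibility Flags' -Type DWord -Value ($current -bor $killBitFlag)
}

$clsids = @(Get-ClsidsForTypeLib -Guid $TypeLibGuid)
if ($clsids.Count -eq 0) {
    Write-Output "No COM classes are registered against type library $TypeLibGuid (component not installed?)"
    return
}

foreach ($clsid in $clsids) {
    if ($SetKillBit -and -not (Test-KillBit -Clsid $clsid)) { Set-KillBit -Clsid $clsid }
    [pscustomobject]@{ CLSID = $clsid; KillBitSet = (Test-KillBit -Clsid $clsid) }
}
```

Run it without parameters on a workstation that has SAP GUI installed to see which CLSIDs the type library maps to and whether they are already blocked; rerun with `-SetKillBit` from an elevated prompt to apply the mitigation. On 64-bit Windows a 32-bit control is registered under the `Wow6432Node` mirror of both `HKCR\CLSID` and the ActiveX Compatibility key, so run the script from a 32-bit PowerShell host (or adjust `$compatRoot`) to reach that view. The kill bit only affects Internet Explorer and other hosts that honour it; it does not remove WebViewer2D.dll or change how SAP GUI itself loads the component.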