[ERPSCAN-09-064] SAP GUI 7.1 — Insecure Method, Code execution

DSECRG Advisories

Application: SAP GUI
Versions Affected: SAP GUI (SAP GUI 7.1)
Vendor URL: http://sap.com
Bugs: Insecure method, Code Execution
Exploits: YES
Reported: 16.10.2009
Vendor response: 27.10.2009
Date of Public Advisory: 23.03.2010
Author: Sintsov Alexey

An insecure method was found in the SAPBExCommonResources ActiveX control (class BExGlobal), a component shipped as part of SAP GUI. One of its methods, Execute, can be invoked from a web page to run arbitrary files on the user's system.

Business Risk
An attacker can send a malicious link to an unaware user by e-mail, instant messaging or a social network, or plant it in a corporate portal. When the user opens the link, the browser instantiates the vulnerable ActiveX control and the page calls its Execute method, which runs an attacker-chosen file and so gives arbitrary code execution in the context of the user running the browser. This can be used to gain full control of the victim's workstation.
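A practical mitigation for an exposed ActiveX method is to set the Internet Explorer kill bit for the control so that no web page can instantiate it, while SAP GUI itself (which does not go through the browser's ActiveX compatibility check) keeps working. The following script is an added example and is not part of the DSECRG advisory or of SAP's fix. The advisory does not list the control's CLSID, so the script discovers it by searching HKCR\CLSID for a ProgID or InprocServer32 path containing the strings the advisory does give ("SAPBExCommonResources", "BExGlobal"); that those strings appear in the registration is an assumption. The `-Apply` switch and the matching strategy are this example's own.

```powershell
# Added example, not code from the advisory or from SAP.
# Finds the ActiveX control(s) registered by SAPBExCommonResources and sets the
# IE kill bit (Compatibility Flags = 0x400) so a web page can no longer create
# BExGlobal and call its Execute method. Run as Administrator; without -Apply
# it only reports what it would change.
param([switch]$Apply)

# Strings taken from the advisory; assumed to appear in the ProgID or DLL path.
$patterns    = @('SAPBExCommonResources', 'BExGlobal')
$killBitRoot = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'
$killBit     = 0x400   # FLAG_KILL_BIT

$found = @()
foreach ($key in Get-ChildItem -Path 'Registry::HKEY_CLASSES_ROOT\CLSID' -ErrorAction SilentlyContinue) {
    $clsid  = $key.PSChildName
    $progId = (Get-ItemProperty -Path "$($key.PSPath)\ProgID"         -ErrorAction SilentlyContinue).'(default)'
    $server = (Get-ItemProperty -Path "$($key.PSPath)\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
    foreach ($p in $patterns) {
        if (($progId -and $progId -like "*$p*") -or ($server -and $server -like "*$p*")) {
            $found += [pscustomobject]@{ CLSID = $clsid; ProgID = $progId; Server = $server }
            break
        }
    }
}

if (-not $found) {
    Write-Host 'No control matching SAPBExCommonResources/BExGlobal is registered on this host.'
    return
}

foreach ($c in $found) {
    Write-Host ("{0}  ProgID={1}  Server={2}" -f $c.CLSID, $c.ProgID, $c.Server)
    $path = Join-Path $killBitRoot $c.CLSID
    if ($Apply) {
        if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
        New-ItemProperty -Path $path -Name 'Compatibility Flags' -PropertyType DWord -Value $killBit -Force | Out-Null
        Write-Host "  kill bit set at $path"
    } else {
        Write-Host "  would set 'Compatibility Flags' = 0x400 at $path (re-run with -Apply)"
    }
}
```

Two caveats: on 64-bit Windows, repeat the change under the corresponding Wow6432Node path if 32-bit Internet Explorer is in use, and verify the result by loading a page that references the control's ProgID and confirming the object fails to instantiate. The kill bit only blocks browser-hosted instantiation; the vendor patch is still needed to remove the insecure method itself.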