Application: SAP GUI
Versions Affected: SAP GUI (SAP GUI 7.1)
Vendor URL: http://sap.com
Bugs: Insecure method, Code Execution
Vendor response: 27.10.2009
Date of Public Advisory: 23.03.2010
Author: Sintsov Alexey
Insecure method was founded in SAPBExCommonResources (class BExGlobal) activeX control component which is a part of SAP GUI. One of the methods (Execute) can be used to execute files on users system.
An attacker can send a malicious link to an unaware user using e-mail, messaging or social networks. He also can insert this link into corporate portal. When clicking this link the end user browser will call vulnerable ActiveX component and overflow a stack buffer resulting in arbitrary code execution under the context of the user running the browser. It can be used by attacker to gain full control on victim's workstation.