SAP GUI SAPBExCommonResources ActiveX Command Execution

2009-03-29T00:00:00
ID SAINT:1368EB4DFA1B70106948AEF8F084B150
Type saint
Reporter SAINT Corporation
Modified 2009-03-29T00:00:00

Description

Added: 03/29/2009

Background

The SAP GUI is the GUI client in SAP's 3-tier architecture of database, application server and client. The SAP GUI family is available for Windows, Java, and HTML/Internet Transaction Server (ITS) environments. SAP GUI for Windows registers the SAPBExCommonResources.BExGlobal ActiveX control.

Problem

A buffer overflow vulnerability in the SAPBExCommonResources.BExGlobal ActiveX control allows command execution when a user loads a web page that invokes the Execute method with crafted arguments specifying the full path to the executable file.

Resolution

Apply the patches referenced in note 1407285.

References

<http://securitytracker.com/alerts/2010/Mar/1023760.html>

Limitations

Exploit works on SAP GUI 7.1 for Windows and requires the user to open the exploit page using Internet Explorer 6.

The Internet Explorer option "Initialize and script ActiveX controls not marked as safe" on the target must be enabled.

The SAINTexploit host must be in the "Local intranet" zone or the "Trusted sites" zone for the target.

Since this exploit uses TFTP, the exploit on the target host must be able to bind to port 69/UDP.
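The limitations above are also a checklist for a defender. The following audit script is added here and is not part of the SAINT record: it reports, on a Windows host, the state of "Initialize and script ActiveX controls not marked as safe" in the Local intranet and Trusted sites zones, which sites the user has mapped into those zones, and whether the control's kill bit is set. It assumes the standard Internet Explorer zone registry layout (value 1201 under each zone key; 0 = Enable, 1 = Prompt, 3 = Disable) and that the control's ProgID resolves to its CLSID under HKEY_CLASSES_ROOT.

```powershell
# Added audit script (not from the SAINT record). Assumptions: IE zone settings live under
# HKCU\...\Internet Settings\Zones\<id>, value 1201 is "Initialize and script ActiveX
# controls not marked as safe" (0 = Enable, 1 = Prompt, 3 = Disable), and the control
# registers the ProgID SAPBExCommonResources.BExGlobal.
$zoneBase = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$domBase  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
$zones    = @{ 1 = 'Local intranet'; 2 = 'Trusted sites' }
$labels   = @{ 0 = 'Enable (exposed)'; 1 = 'Prompt'; 3 = 'Disable (hardened)' }

# 1. Per-zone state of setting 1201; the advisory's precondition is "Enable" in zone 1 or 2.
foreach ($id in $zones.Keys) {
    $key   = Join-Path $zoneBase $id
    $v     = (Get-ItemProperty -Path $key -Name '1201' -ErrorAction SilentlyContinue).'1201'
    $state = if ($null -eq $v) { 'not set (zone default)' } else { $labels[[int]$v] }
    Write-Output ("Zone {0} ({1}): 1201 = {2}" -f $id, $zones[$id], $state)
}

# 2. Sites mapped into those zones. Each subkey under ZoneMap\Domains is a domain (with
#    optional host subkeys); its http/https/* values hold the zone number.
Get-ChildItem -Path $domBase -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
    $props = Get-ItemProperty -Path $_.PSPath
    $site  = $_.Name.Substring($_.Name.IndexOf('\Domains\') + 9)
    foreach ($scheme in 'http', 'https', '*') {
        $z = $props.$scheme
        if ($null -ne $z -and $zones.ContainsKey([int]$z)) {
            Write-Output ("Mapped: {0} ({1}) -> {2}" -f $site, $scheme, $zones[[int]$z])
        }
    }
}

# 3. Resolve ProgID -> CLSID and check the kill bit (Compatibility Flags 0x400), which
#    stops IE from instantiating the control regardless of zone settings.
$progKey = 'Registry::HKEY_CLASSES_ROOT\SAPBExCommonResources.BExGlobal\CLSID'
$clsid   = (Get-ItemProperty -Path $progKey -ErrorAction SilentlyContinue).'(default)'
if ($clsid) {
    $compat = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$clsid"
    $flags  = (Get-ItemProperty -Path $compat -Name 'Compatibility Flags' `
                  -ErrorAction SilentlyContinue).'Compatibility Flags'
    $killed = ($null -ne $flags) -and (([int]$flags -band 0x400) -ne 0)
    Write-Output ("Control {0}: kill bit {1}" -f $clsid, $(if ($killed) { 'SET' } else { 'NOT set' }))
} else {
    Write-Output 'SAPBExCommonResources.BExGlobal ProgID is not registered on this host'
}
```

Run it in the context of the user whose browser profile is being audited, since the zone settings and domain mappings are read from HKCU.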

Platforms

Windows