Two critical ActiveX flaws have been discovered in EnjoySAP, German
business software vendor SAP AG's new graphical user interface
designed to improve the end user experience.
The discovery was made by security researcher Mark Litchfield of
UK-based Next Generation Security (NGS) Software, who said the
flaws could be remotely exploited by an attacker to gain access to
a user's system.
"All the flaws discovered can be executed without any
authentication," Litchfield said in an email exchange.
Litchfield said a boundary error exists within the kwedit.dll
ActiveX control used when the GUI posts HTML coding. The flaw could
result in a stack-based buffer overflow, he said.
A second boundary error within the rfcguisink.rfcguisink.1
ActiveX control when the GUI is launched can be exploited to cause
a heap-based buffer overflow by passing an overly long string,
Litchfield said.
Danish vulnerability clearinghouse Secunia rated the flaws "highly
critical" in its advisory.
SAP launched EnjoySAP in 2000 to update the aesthetics of the
graphical interface for end users. The new interface was
streamlined based on employee roles with help screens for certain
processes.
Litchfield said he is unaware of the flaws being exploited in
the wild. The vulnerabilities were discovered during an SAP
consultancy engagement. Litchfield said he started looking for
unauthenticated attacks against SAP to allow for privilege
escalation and made the discovery.
SAP said the ActiveX flaws could be patched by updating to the
latest version.
Litchfield also discovered a less critical vulnerability in SAP Web
Application Server that an attacker can exploit to cause a denial
of service. In his advisory, Litchfield said the Internet
Communication Manager contains an error that can be exploited by
requesting an overly long, specially crafted URL.
The affected versions are SAP Web Application Server 6.x and
7.x. SAP said the vulnerability is fixed in the latest version.