ActiveX security flaws plague SAP GUI

SAP recently plugged holes in its new SAP GUI to eliminate flaws that could allow an attacker to gain access to a system remotely.

Two critical ActiveX flaws have been discovered in EnjoySAP, German business software vendor SAP AG's new graphical user interface designed to improve the end user experience.

The discovery was made by security researcher Mark Litchfield of UK-based Next Generation Security (NGS) Software, who said the flaws could be remotely exploited by an attacker to gain access to a user's system.

"All the flaws discovered can be executed without any authentication," Litchfield said in an email exchange.

Litchfield said a boundary error exists within the kwedit.dll ActiveX control used when the GUI posts HTML coding. The flaw could result in a stack-based buffer overflow, he said.

A second boundary error, within the rfcguisink.rfcguisink.1 ActiveX control when the GUI is launched, can be exploited to cause a heap-based buffer overflow by passing an overly long string, Litchfield said.

Danish vulnerability clearinghouse Secunia rated the flaws "highly critical" in its advisory.

SAP launched EnjoySAP in 2000 to update the aesthetics of the graphical interface for end users. The new interface was streamlined based on employee roles with help screens for certain processes.

Litchfield said he is unaware of the flaws being exploited in the wild. The vulnerabilities were discovered during an SAP consultancy engagement. Litchfield said he started looking for unauthenticated attacks against SAP to allow for privilege escalation and made the discovery.

SAP said the ActiveX flaws could be patched by updating to the latest version.

Litchfield also discovered a less critical vulnerability in SAP Web Application Server, which an attacker can exploit to cause a denial of service. In his advisory, Litchfield said the Internet Communication Manager contains an error that can be exploited by requesting an overly long, specially crafted URL.

The affected versions are SAP Web Application Server 6.x and 7.x. SAP said the vulnerability is fixed in the latest version.
