F-Secure
Tools
SAP GUI TabOne ActiveX Control Caption List Buffer Overflow
| Report ID: | SA200900238 |
| Source: | Secunia |
| Date of Discovery: | 08.01.2009 |
| Criticality: | Urgent |
| Affects: | SAP GUI 6.x SAP GUI 7.x |
| Compromise From: | From remote |
| Compromise Type: | System access |
Summary
A vulnerability has been discovered in SAP GUI, which can be exploited by malicious people to compromise a user's system.
Detailed Description
The vulnerability is caused due to a boundary error in the included TabOne ActiveX control (sizerone.ocx) when copying tab captions. This can be exploited to cause a heap-based buffer overflow by e.g. adding multiple tabs via the "AddTab()" method.
Successful exploitation may allow execution of arbitrary code.
The vulnerability is confirmed in SAP GUI 6.40 Patch 29 and SAP GUI 7.10 including sizerone.ocx version 7.0.0.16. Other versions may also be affected.
Successful exploitation may allow execution of arbitrary code.
The vulnerability is confirmed in SAP GUI 6.40 Patch 29 and SAP GUI 7.10 including sizerone.ocx version 7.0.0.16. Other versions may also be affected.
Solution
Update to the latest 7.10 PL, which sets the kill-bit for the ActiveX control.
Users can also set the kill-bit manually by following the procedure explained in SAP note 1092631.
Users can also set the kill-bit manually by following the procedure explained in SAP note 1092631.