ID

VAR-200904-0224


CVE

CVE-2008-4830


TITLE

Vulnerability in the KWEdit ActiveX control of SAP GUI that allows arbitrary files to be overwritten

Trust: 0.8

sources: JVNDB: JVNDB-2009-005299

DESCRIPTION

Insecure method vulnerability in the KWEdit ActiveX control in SAP GUI 6.40 Patch 29 (KWEDIT.DLL 6400.1.1.41) and 7.10 Patch 5 (KWEDIT.DLL 7100.1.1.43) allows remote attackers to (1) overwrite arbitrary files via the SaveDocumentAs method or (2) read or execute arbitrary files via the OpenDocument method.

SAP AG SAPgui KWEdit ActiveX control is prone to a remote code-execution vulnerability. Successfully exploiting this issue allows an attacker to execute arbitrary code in the context of the application running the affected control (typically Internet Explorer).

This issue affects the following:
SAPgui 6.40 Patch Level 29 with KWEDIT.DLL 6400.1.1.41
SAPgui 7.10 Patch Level 5 with KWEDIT.DLL 7100.1.1.43
Other versions may be vulnerable as well.

ORIGINAL ADVISORY:
Secunia Research: http://secunia.com/secunia_research/2008-56/
SAP Note 1294913: https://service.sap.com/sap/support/notes/1294913
======================================================================
2) Severity

Rating: Highly critical
Impact: System compromise
Where: Remote

======================================================================
3) Vendor's Description of Software

"SAP GUI is SAP's universal client for accessing SAP functionality in SAP applications such as - SAP ERP, SAP Business Suite (SAP CRM, SAP SCM and SAP PLM), SAP Business Intelligence and so on. SAP GUI functions like a browser. It gets information from the SAP server like what, where, when and how, to display contents in its window.".

Product Link: https://www.sdn.sap.com/irj/sdn/sap-gui

======================================================================
4) Description of Vulnerability

Secunia Research has discovered a security issue in SAP GUI, which can be exploited by malicious people to gain knowledge of sensitive information, corrupt files, or compromise a user's system.

The problem is that the bundled KWEdit ActiveX control (KWEDIT.DLL) provides the insecure method "SaveDocumentAs()", which saves an HTML document to a specified location. This can be exploited in combination with e.g.

======================================================================
5) Solution

Update to the latest versions, which reportedly set the kill-bit for the ActiveX control.

======================================================================
6) Time Table

28/11/2008 - Vendor notified.
28/11/2008 - Vendor response.
14/01/2009 - Vendor provides patch for testing.
16/01/2009 - Vendor informed that patch prevents exploitation.
02/03/2009 - Status update requested.
02/03/2009 - Vendor provides status update.
15/04/2009 - Public disclosure.

======================================================================
7) Credits

Discovered by Carsten Eiram, Secunia Research.
======================================================================
8) References

SAP Note 1294913: https://service.sap.com/sap/support/notes/1294913

The Common Vulnerabilities and Exposures (CVE) project has assigned CVE-2008-4830 for the vulnerability.

======================================================================
10) Verification

Please verify this advisory by visiting the Secunia website: http://secunia.com/secunia_research/2008-56/

Complete list of vulnerability reports published by Secunia Research: http://secunia.com/secunia_research/

======================================================================

Trust: 2.07

sources: NVD: CVE-2008-4830 // JVNDB: JVNDB-2009-005299 // BID: 34524 // PACKETSTORM: 76718 // PACKETSTORM: 76690

AFFECTED PRODUCTS

vendor: sap, model: gui, scope: eq, version: 6.40

Trust: 1.6

vendor: sap, model: gui, scope: eq, version: 7.10

Trust: 1.6

vendor: sap, model: gui, scope: eq, version: 6.40 patch 29 and 7.10 patch 5

Trust: 0.8

vendor: sap, model: ag sapgui patch level, scope: eq, version: 7.105

Trust: 0.3

vendor: sap, model: ag sapgui patch level, scope: eq, version: 6.4029

Trust: 0.3

sources: BID: 34524 // JVNDB: JVNDB-2009-005299 // CNNVD: CNNVD-200904-336 // NVD: CVE-2008-4830

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2008-4830
value: HIGH

Trust: 1.0

NVD: CVE-2008-4830
value: HIGH

Trust: 0.8

CNNVD: CNNVD-200904-336
value: CRITICAL

Trust: 0.6

nvd@nist.gov: CVE-2008-4830
severity: HIGH
baseScore: 9.3
vectorString: AV:N/AC:M/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.6
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

sources: JVNDB: JVNDB-2009-005299 // CNNVD: CNNVD-200904-336 // NVD: CVE-2008-4830

PROBLEMTYPE DATA

problemtype:NVD-CWE-Other

Trust: 1.0

problemtype:CWE-Other

Trust: 0.8

sources: JVNDB: JVNDB-2009-005299 // NVD: CVE-2008-4830

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-200904-336

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-200904-336

CONFIGURATIONS

sources: JVNDB: JVNDB-2009-005299

PATCH

title: SAP GUI, url: http://help.sap.com/saphelp_smehp1/helpdata/ja/4f/472e42e1ef5633e10000000a155106/content.htm

Trust: 0.8

sources: JVNDB: JVNDB-2009-005299

EXTERNAL IDS

db: NVD, id: CVE-2008-4830

Trust: 2.8

db: BID, id: 34524

Trust: 1.9

db: SECUNIA, id: 32869

Trust: 1.7

db: SECTRACK, id: 1022062

Trust: 1.6

db: VUPEN, id: ADV-2009-1043

Trust: 1.6

db: JVNDB, id: JVNDB-2009-005299

Trust: 0.8

db: BUGTRAQ, id: 20090415 SECUNIA RESEARCH: SAP GUI KWEDIT ACTIVEX CONTROL "SAVEDOCUMENTAS()" INSECURE METHOD

Trust: 0.6

db: CNNVD, id: CNNVD-200904-336

Trust: 0.6

db: PACKETSTORM, id: 76718

Trust: 0.1

db: PACKETSTORM, id: 76690

Trust: 0.1

sources: BID: 34524 // JVNDB: JVNDB-2009-005299 // PACKETSTORM: 76718 // PACKETSTORM: 76690 // CNNVD: CNNVD-200904-336 // NVD: CVE-2008-4830

REFERENCES

url:http://secunia.com/secunia_research/2008-56/

Trust: 2.1

url:http://www.vupen.com/english/advisories/2009/1043

Trust: 1.6

url:http://www.securitytracker.com/id?1022062

Trust: 1.6

url:http://www.securityfocus.com/bid/34524

Trust: 1.6

url:http://secunia.com/advisories/32869

Trust: 1.6

url:http://www.securityfocus.com/archive/1/502698/100/0/threaded

Trust: 1.0

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2008-4830

Trust: 0.8

url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2008-4830

Trust: 0.8

url:http://www.securityfocus.com/archive/1/archive/1/502698/100/0/threaded

Trust: 0.6

url:https://service.sap.com/sap/support/notes/1294913

Trust: 0.5

url:http://support.microsoft.com/kb/240797

Trust: 0.3

url:http://www.sap.com/

Trust: 0.3

url:/archive/1/502698

Trust: 0.3

url:http://secunia.com/advisories/about_secunia_advisories/

Trust: 0.1

url:http://secunia.com/advisories/secunia_security_advisories/

Trust: 0.1

url:http://secunia.com/advisories/32869/

Trust: 0.1

url:http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org

Trust: 0.1

url:http://secunia.com/advisories/try_vi/request_2008_report/

Trust: 0.1

url:http://secunia.com/secunia_research/

Trust: 0.1

url:http://secunia.com/corporate/jobs/

Trust: 0.1

url:http://secunia.com/advisories/mailing_lists/

Trust: 0.1

url:https://www.sdn.sap.com/irj/sdn/sap-gui

Trust: 0.1

url:http://secunia.com/advisories/

Trust: 0.1

url:http://secunia.com/advisories/business_solutions/

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2008-4830

Trust: 0.1

sources: BID: 34524 // JVNDB: JVNDB-2009-005299 // PACKETSTORM: 76718 // PACKETSTORM: 76690 // CNNVD: CNNVD-200904-336 // NVD: CVE-2008-4830

CREDITS

Carsten Eiram

Trust: 1.0

sources: BID: 34524 // PACKETSTORM: 76690 // CNNVD: CNNVD-200904-336

SOURCES

db: BID, id: 34524
db: JVNDB, id: JVNDB-2009-005299
db: PACKETSTORM, id: 76718
db: PACKETSTORM, id: 76690
db: CNNVD, id: CNNVD-200904-336
db: NVD, id: CVE-2008-4830

LAST UPDATE DATE

2024-11-23T22:50:02.037000+00:00


SOURCES UPDATE DATE

db: BID, id: 34524, date: 2010-12-03T13:55:00
db: JVNDB, id: JVNDB-2009-005299, date: 2012-12-20T00:00:00
db: CNNVD, id: CNNVD-200904-336, date: 2009-04-28T00:00:00
db: NVD, id: CVE-2008-4830, date: 2024-11-21T00:52:40.567

SOURCES RELEASE DATE

db: BID, id: 34524, date: 2009-04-15T00:00:00
db: JVNDB, id: JVNDB-2009-005299, date: 2012-12-20T00:00:00
db: PACKETSTORM, id: 76718, date: 2009-04-16T12:47:33
db: PACKETSTORM, id: 76690, date: 2009-04-15T21:04:55
db: CNNVD, id: CNNVD-200904-336, date: 2009-04-16T00:00:00
db: NVD, id: CVE-2008-4830, date: 2009-04-16T15:12:57.297