Executive Summary
Summary | |
---|---|
Title | SAP AG SAPgui EAI WebViewer3D ActiveX control stack buffer overflow |
Informations | |||
---|---|---|---|
Name | VU#985449 | First vendor Publication | 2009-03-31 |
Vendor | VU-CERT | Last vendor Modification | 2009-04-13 |
Severity (Vendor) | N/A | Revision | M |
Security-Database Scoring CVSS v3
Cvss vector : N/A | |||
---|---|---|---|
Overall CVSS Score | NA | ||
Base Score | NA | Environmental Score | NA |
impact SubScore | NA | Temporal Score | NA |
Exploitabality Sub Score | NA | ||
Calculate full CVSS 3.0 Vectors scores |
Security-Database Scoring CVSS v2
Cvss vector : (AV:N/AC:M/Au:N/C:C/I:C/A:C) | |||
---|---|---|---|
Cvss Base Score | 9.3 | Attack Range | Network |
Cvss Impact Score | 10 | Attack Complexity | Medium |
Cvss Expoit Score | 8.6 | Authentication | None Required |
Calculate full CVSS 2.0 Vectors scores |
Detail
Vulnerability Note VU#985449SAP AG SAPgui EAI WebViewer3D ActiveX control stack buffer overflowOverviewThe Siemens Unigraphics Solutions Teamcenter Visualization EAI WebViewer3D ActiveX control, which comes with SAPgui, contains a stack buffer overflow. This may allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.I. DescriptionSAP AG SAPgui includes an ActiveX control called EAI WebViewer3D, which is produced by Unigraphics Solutions, a division of Siemens. The EAI WebViewer3D ActiveX control, which is provided by webviewer3d.dll, contains a stack buffer overflow in the SaveViewToSessionFile() method. Although the ActiveX control is produced by Siemens, it is reported to only be used by SAP.II. ImpactBy convincing a user to view a specially crafted HTML document (e.g., a web page or an HTML email message or attachment), an attacker may be able to execute arbitrary code with the privileges of the user. The attacker could also cause the web browser to crash.III. SolutionApply an updateThis issue is addressed with SAPgui 7.10 Patch Level 9. This update sets the kill bit for the vulnerable control, since it was not intended for use in Internet Explorer. Although the SAPgui 7.10 Patch Level 8 release notes indicate that the control is disabled via the kill bit, please note that the kill bit was not properly set until Patch Level 9. Please also consider the following workarounds:
[HKEY_LOCAL_MACHINESOFTWAREMicrosoftInternet ExplorerActiveX Compatibility{AFBBE070-7340-11d2-AA6B-00E02924C34E}] "Compatibility Flags"=dword:00000400 Disabling ActiveX controls in the Internet Zone (or any zone used by an attacker) appears to prevent exploitation of this and other ActiveX vulnerabilities. Instructions for disabling ActiveX in the Internet Zone can be found in the "Securing Your Web Browser" document. Systems Affected
Referenceshttp://www.cert.org/tech_tips/securing_browser/#Internet_Explorer This vulnerability was reported by Will Dormann of the CERT/CC. This document was written by Will Dormann.
|
Original Source
Url : http://www.kb.cert.org/vuls/id/985449 |
CWE : Common Weakness Enumeration
% | Id | Name |
---|---|---|
100 % | CWE-119 | Failure to Constrain Operations within the Bounds of a Memory Buffer |
CPE : Common Platform Enumeration
SAINT Exploits
Description | Link |
---|---|
SAPgui EAI WebViewer3D ActiveX control SaveViewToSessionFile buffer overflow | More info here |
Open Source Vulnerability Database (OSVDB)
Id | Description |
---|---|
62678 | SAP GUI (sapgui) EAI WebViewer3D ActiveX (webviewer3d.dll) Multiple Method Do... A buffer overflow exists in SAPgui. The WebViewer 3D ActiveX control fails to validate domain information data passed to multiple methods resulting in a stack overflow. With a specially crafted website, a context-dependent attacker can cause arbitrary code execution resulting in a loss of integrity. |
62677 | SAP GUI (sapgui) EAI WebViewer3D ActiveX (webviewer3d.dll) Multiple Method Fi... A buffer overflow exists in SAPgui. The WebViewer 3D ActiveX control fails to validate file path data passed to the multiple methods resulting in a stack overflow. With a specially crafted website, a context-dependent attacker can cause arbitrary code execution resulting in a loss of integrity. |
53066 | SAP GUI (sapgui) EAI WebViewer3D ActiveX (webviewer3d.dll) SaveViewToSessionF... A buffer overflow exists in SAPgui. The WebViewer 3D ActiveX control fails to validate data passed to the SaveViewToSessionFile() method resulting in a stack overflow. With a specially crafted website, a context-dependent attacker can cause arbitrary code execution resulting in a loss of integrity. |
Snort® IPS/IDS
Date | Description |
---|---|
2014-01-10 | SAP AG SAPgui EAI WebViewer3D ActiveX function call unicode access RuleID : 16794 - Revision : 3 - Type : WEB-ACTIVEX |
2014-01-10 | SAP AG SAPgui EAI WebViewer3D ActiveX function call access RuleID : 16793 - Revision : 7 - Type : BROWSER-PLUGINS |
2014-01-10 | SAP AG SAPgui EAI WebViewer3D ActiveX clsid unicode access RuleID : 16792 - Revision : 3 - Type : WEB-ACTIVEX |
2014-01-10 | SAP AG SAPgui EAI WebViewer3D ActiveX clsid access RuleID : 16791 - Revision : 7 - Type : BROWSER-PLUGINS |
Nessus® Vulnerability Scanner
Date | Description |
---|---|
2009-04-01 | Name : The remote Windows host has an ActiveX control that is affected by multiple b... File : sap_sapgui_activex.nasl - Type : ACT_GATHER_INFO |
Alert History
Date | Informations |
---|---|
2020-05-23 13:17:16 |
|
2014-02-17 12:08:20 |
|