[VIM] SA34559 / CVE-2007-4475 / OSVDB 53066
Carsten H. Eiram
che at secunia.com
Fri Sep 4 09:08:32 UTC 2009
The vulnerability is actually not in the EAI WebViewer3D ActiveX
control, but in MonikerUtil_dll.dll when creating monikers based on a
supplied file path. The ActiveX control's "SaveViewToSessionFile()"
method is, therefore, just an attack vector.
SAP initially addressed the vulnerability by preventing the ActiveX
control from being instantiated via IE, but since the vulnerability is
not within that particular ActiveX control, there could be other vectors
(we didn't identify any, though).
During analysis, I also noticed two more vulnerabilities in
MonikerUtil_dll.dll, which were reachable via other provided properties
and methods of the EAI WebViewer3D ActiveX control.
SAP was informed about the core problem of the original vulnerability
along with the two new vulnerabilities and had the MonikerUtil_dll.dll
software vendor fix them after which new versions of SAP GUI were
released + a new SAP note issued.
--
Med venlig hilsen / Kind regards
Carsten H. Eiram
Chief Security Specialist
Secunia
Weidekampsgade 14 A
DK-2300 Copenhagen S
Denmark
Phone +45 7020 5144
Fax +45 7020 5145
More information about the VIM
mailing list