SAP GUI Heap Overflow Vulnerability (Jan 08, 2009)


In SAP's three-tier architecture of database, application server and client, SAPGUI (the client tier) is the platform used for remote access to the central SAP server over a company network.

SAPGUI for the Windows environment ships with an ActiveX control component named TabOne. TabOne exposes a method named AddTab, which expects a Caption string parameter. The control allocates a heap-based buffer when it is instantiated. Each time AddTab() is called, the Caption parameter is appended to the string held in that buffer, prefixed with a "|" character.

A heap buffer overflow vulnerability exists in the TabOne ActiveX control (assigned CVE-2008-4827). Because AddTab appends to the buffer without a proper bounds check, an excessive number of Caption strings overflows the destination buffer. An attacker could host a crafted web page and entice a user to visit it. When a victim who has the vulnerable software installed views the page, a heap buffer overflow occurs. Successful exploitation would lead to arbitrary code execution with the privileges of the currently logged-in user.
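The defect described above is the classic "append to a fixed heap allocation without checking the remaining room" pattern. The following C model, added here as an illustration and not code from SAP or SonicWall, shows the bounds check that is missing from the described AddTab behaviour and two ways a vendor could correct it: reject captions that do not fit, or grow the allocation up to a hard ceiling. The struct, function names and the TAB_LIST_MAX_BYTES limit are all assumptions chosen for this example; the only behaviour taken from the advisory is that each caption is appended with a "|" prefix into one heap string.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Upper bound on the caption buffer so growth cannot be driven without limit.
 * Hypothetical value chosen for this example, not a SAP or SonicWall constant. */
#define TAB_LIST_MAX_BYTES (64 * 1024)

/* Model of the control's caption buffer: a single heap allocation that holds
 * "|cap1|cap2|..." as one NUL-terminated string. (Assumed layout.) */
typedef struct {
    char  *buf;
    size_t cap;  /* bytes allocated, including room for the NUL */
    size_t len;  /* bytes in use, excluding the NUL */
} tab_list;

bool tab_list_init(tab_list *tl, size_t initial_cap) {
    if (initial_cap == 0 || initial_cap > TAB_LIST_MAX_BYTES) return false;
    tl->buf = malloc(initial_cap);
    if (tl->buf == NULL) return false;
    tl->buf[0] = '\0';
    tl->cap = initial_cap;
    tl->len = 0;
    return true;
}

void tab_list_free(tab_list *tl) {
    free(tl->buf);
    tl->buf = NULL;
    tl->cap = tl->len = 0;
}

/* Bytes required to hold the current string plus "|" + caption + NUL.
 * Returns 0 if the computation would wrap around size_t. */
static size_t tab_list_needed(const tab_list *tl, const char *caption) {
    size_t clen = strlen(caption);
    if (clen > SIZE_MAX - tl->len - 2) return 0;  /* arithmetic overflow */
    return tl->len + 1 + clen + 1;
}

/* The bounds check the advisory describes as missing: does the appended
 * caption (with its '|' prefix and terminator) fit in the allocation? */
bool caption_fits(const tab_list *tl, const char *caption) {
    size_t need = tab_list_needed(tl, caption);
    return need != 0 && need <= tl->cap;
}

/* Raw append with no check of its own; only ever called after caption_fits()
 * succeeded or the buffer was grown to hold the result. */
static void tab_list_append_raw(tab_list *tl, const char *caption) {
    size_t clen = strlen(caption);
    tl->buf[tl->len] = '|';
    memcpy(tl->buf + tl->len + 1, caption, clen + 1);  /* copies the NUL too */
    tl->len += 1 + clen;
}

/* Minimal fix: reject any caption that would not fit. Returns 0 or -1. */
int tab_list_add_fixed(tab_list *tl, const char *caption) {
    if (!caption_fits(tl, caption)) return -1;
    tab_list_append_raw(tl, caption);
    return 0;
}

/* Fuller fix: grow the allocation (bounded by TAB_LIST_MAX_BYTES) so that
 * legitimately long tab lists still work. Returns 0 or -1. */
int tab_list_add(tab_list *tl, const char *caption) {
    size_t need = tab_list_needed(tl, caption);
    if (need == 0 || need > TAB_LIST_MAX_BYTES) return -1;
    if (need > tl->cap) {
        size_t new_cap = tl->cap;
        while (new_cap < need) {
            if (new_cap > TAB_LIST_MAX_BYTES / 2) { new_cap = TAB_LIST_MAX_BYTES; break; }
            new_cap *= 2;
        }
        char *p = realloc(tl->buf, new_cap);
        if (p == NULL) return -1;
        tl->buf = p;
        tl->cap = new_cap;
    }
    tab_list_append_raw(tl, caption);
    return 0;
}

int main(void) {
    tab_list tl;
    int rc;
    if (!tab_list_init(&tl, 8)) return 1;              /* tiny buffer: constructed input */
    rc = tab_list_add_fixed(&tl, "abc");
    printf("fixed add \"abc\": rc=%d buf=%s\n", rc, tl.buf);
    rc = tab_list_add_fixed(&tl, "de");
    printf("fixed add \"de\":  rc=%d buf=%s\n", rc, tl.buf);
    rc = tab_list_add_fixed(&tl, "f");                  /* would need 10 bytes, only 8 */
    printf("fixed add \"f\":   rc=%d (rejected, buffer full)\n", rc);
    rc = tab_list_add(&tl, "f");                        /* grows instead of overflowing */
    printf("growing add \"f\": rc=%d buf=%s cap=%zu\n", rc, tl.buf, tl.cap);
    tab_list_free(&tl);
    return 0;
}
```

The size arithmetic is done once in tab_list_needed() so both fixes share the same wrap-around guard; with a capacity of 8 the third caption is refused by the minimal fix and absorbed by the growing one, which is the behaviour a bounds-checked AddTab should exhibit.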

SonicWALL has released the following IPS signatures, which detect and block instantiation of the TabOne ActiveX control and so address this vulnerability:

  • 3708 SAP GUI TabOne ActiveX Control Instantiation 1
  • 3723 SAP GUI TabOne ActiveX Control Instantiation 2