SAP GUI Arbitrary Command Execution (Mar 25, 2010)


A command execution vulnerability exists in the SAP GUI SAPBExCommonResources ActiveX control. SAP GUI is the GUI client in SAP’s 3-tier architecture. When SAP GUI is installed on Windows, an ActiveX control is registered (with CLSID “A009C90D-814B-11D3-BA3E-080009D22344” and ProgID “SAPBExCommonResources.BExGlobal”). It can be instantiated in a web page using the <object> tag or via scripting.

One of the methods exposed by the SAPBExCommonResources.BExGlobal ActiveX control is Execute. The method is defined as follows:

Int32 Execute(String, String, String, Int32, String, SAPBExCommonResources_3_6.tShowWindow)

When the Execute method is invoked, the vulnerable code executes the command specified in the first parameter on the client machine. By enticing the target user to open a crafted HTML page, an attacker could exploit this vulnerability, resulting in execution of arbitrary commands within the security context of the logged-in user.

SonicWALL has released an IPS signature to detect and block specific exploitation attempts targeting this vulnerability. The signature is listed below:

  • 3540 SAP GUI SAPBExCommonResources ActiveX Control Execute Invocation
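As an added illustration (not SonicWALL's signature or code), the following Python check mirrors the signature's logic at the content-inspection layer: it flags an HTML document only when the control is instantiated by either path the advisory names and Execute() is also invoked. The sample documents are constructed, and the command argument is a placeholder.

```python
import re

# Identifiers taken from the advisory above.
CLSID = "A009C90D-814B-11D3-BA3E-080009D22344"
PROGID = "SAPBExCommonResources.BExGlobal"

# The two instantiation paths the advisory names: an <object> element carrying the
# CLSID (braces and letter case vary), or scripted creation via the ProgID (JScript
# ActiveXObject or VBScript CreateObject). All matching is case-insensitive.
OBJECT_RE = re.compile(r"<object\b[^>]*clsid:\s*\{?" + re.escape(CLSID) + r"\}?", re.I)
SCRIPT_RE = re.compile(
    r"(?:ActiveXObject|CreateObject)\s*\(\s*[\"']" + re.escape(PROGID) + r"[\"']", re.I
)
EXECUTE_RE = re.compile(r"\.Execute\s*\(", re.I)


def inspect_html(html: str) -> dict:
    """Report which indicators appear in one HTML document.

    'alert' is set only when the control is instantiated AND Execute() is called,
    mirroring the signature's focus on method invocation rather than on mere
    presence of the control, which legitimate SAP pages may exhibit.
    """
    via_object = bool(OBJECT_RE.search(html))
    via_script = bool(SCRIPT_RE.search(html))
    invokes = bool(EXECUTE_RE.search(html))
    return {
        "object_tag": via_object,
        "scripted": via_script,
        "execute_call": invokes,
        "alert": (via_object or via_script) and invokes,
    }


# Constructed sample documents (not captured traffic). Command argument is a placeholder.
SUSPICIOUS_PAGE = """<html><body>
<object id="bex" classid="clsid:{a009c90d-814b-11d3-ba3e-080009d22344}"></object>
<script>bex.Execute("PLACEHOLDER_COMMAND", "", "", 0, "", 0);</script>
</body></html>"""

# Control created by script, but no Execute() call: should not alert.
PRESENCE_ONLY_PAGE = """<html><script>
var g = new ActiveXObject("SAPBExCommonResources.BExGlobal");
</script></html>"""

# Unrelated control and an unrelated Execute() call: should not alert.
BENIGN_PAGE = """<html><body>
<object classid="clsid:00000000-0000-0000-0000-000000000000"></object>
<script>db.Execute("SELECT 1");</script>
</body></html>"""

if __name__ == "__main__":
    for name, page in [("suspicious", SUSPICIOUS_PAGE),
                       ("presence-only", PRESENCE_ONLY_PAGE), ("benign", BENIGN_PAGE)]:
        print(name, inspect_html(page))
```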