SAP GUI Heap Overflow Vulnerability (Jan 08, 2009)

In SAP’s three-tier architecture of database, application server and client, SAPGUI (the client) is the platform used for remote access to the central SAP server within a company network.

SAPGUI for the Windows environment ships with an ActiveX control component named TabOne. TabOne exposes a method named AddTab, which expects a Caption string parameter. The ActiveX control allocates a heap-based buffer when it is instantiated. Each time AddTab() is called, the Caption parameter is appended to the string already in that buffer, prefixed with a “|” character.

A heap buffer overflow vulnerability exists in the TabOne ActiveX control (the vulnerability has been assigned CVE-2008-4827). Because the AddTab method performs no bounds check on the destination buffer, an excessive number of Caption strings will overflow it. An attacker could host a crafted web page and entice a user to visit it. When a victim who has the vulnerable software installed views the page, a heap buffer overflow occurs. Successful exploitation would lead to arbitrary code execution with the privileges of the currently logged-in user.
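The following is an added C model of the AddTab() pattern described above; it is not SAP’s or SonicWALL’s code, and the structure, function names, buffer size and captions are assumptions. It computes (rather than performs) the point at which unchecked “|” + Caption appends exceed the fixed heap buffer, and places beside it a bounds-checked AddTab that rejects a caption instead of overflowing.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Model of the control's caption buffer (hypothetical names, not SAP's code). */
typedef struct {
    char  *buf;  /* heap buffer allocated when the control is instantiated */
    size_t cap;  /* bytes allocated, including room for the NUL terminator */
    size_t len;  /* bytes in use, excluding the NUL terminator */
} tab_control;

tab_control *tab_create(size_t cap) {
    tab_control *t = cap ? malloc(sizeof *t) : NULL;
    if (t == NULL) return NULL;
    t->buf = malloc(cap);
    if (t->buf == NULL) { free(t); return NULL; }
    t->buf[0] = '\0';
    t->cap = cap;
    t->len = 0;
    return t;
}

void tab_destroy(tab_control *t) { if (t) { free(t->buf); free(t); } }

/* Unchecked pattern, computed rather than executed: each AddTab() appends
 * "|" + caption with no knowledge of cap, so the first call whose cumulative
 * size (plus NUL) exceeds cap writes past the allocation. Returns that call's
 * 1-based index, i.e. how many captions it takes to corrupt the heap. */
size_t first_overflowing_call(size_t cap, size_t caption_len) {
    size_t needed = 1, call = 0;                 /* start with just the NUL */
    while (needed <= cap) { needed += 1 + caption_len; call++; }
    return call;
}

/* Bounds-checked AddTab: rejects a caption that does not fit instead of
 * overflowing. Returns 1 if appended, 0 if rejected. */
int add_tab_checked(tab_control *t, const char *caption) {
    size_t clen = strlen(caption);
    if (clen > SIZE_MAX - 2 || t->len + 2 + clen > t->cap)  /* '|' + caption + NUL */
        return 0;
    t->buf[t->len++] = '|';
    memcpy(t->buf + t->len, caption, clen + 1);            /* copies the NUL too */
    t->len += clen;
    return 1;
}
```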

SonicWALL has released the following IPS signatures, which detect and prevent instantiation of the TabOne ActiveX control. The signatures that address this vulnerability are:

  • 3708 SAP GUI TabOne ActiveX Control Instantiation 1
  • 3723 SAP GUI TabOne ActiveX Control Instantiation 2