[VIM] SA34559 / CVE-2007-4475 / OSVDB 53066

Carsten H. Eiram che at secunia.com
Fri Sep 4 09:08:32 UTC 2009

The vulnerability is actually not in the EAI WebViewer3D ActiveX
control, but in MonikerUtil_dll.dll when creating monikers based on a
supplied file path. The ActiveX control's "SaveViewToSessionFile()"
method is, therefore, just an attack vector.

SAP initially addressed the vulnerability by preventing the ActiveX
control from being instantiated via IE, but since the vulnerability is
not within that particular ActiveX control, there could be other vectors
(we didn't identify any, though).

During analysis, I also noticed two more vulnerabilities in
MonikerUtil_dll.dll, which were reachable via other provided properties
and methods of the EAI WebViewer3D ActiveX control.

SAP was informed about the core problem of the original vulnerability
along with the two new vulnerabilities and had the MonikerUtil_dll.dll
software vendor fix them, after which new versions of SAP GUI were
released + a new SAP note issued.


Kind regards

Carsten H. Eiram
Chief Security Specialist

Weidekampsgade 14 A
DK-2300 Copenhagen S

Phone  +45 7020 5144
Fax    +45 7020 5145
