SAP GUI Arbitrary Command Execution

March 25, 2010

A command execution vulnerability exists in the SAP GUI SAPBExCommonResources ActiveX control. SAP GUI is the desktop client in SAP's 3-tier architecture. When SAP GUI is installed on Windows, an ActiveX control is registered with CLSID "A009C90D-814B-11D3-BA3E-080009D22344" and ProgID "SAPBExCommonResources.BExGlobal". Because the control is registered as safe for scripting, it can be instantiated in a web page using the <object> tag or via scripting (new ActiveXObject("SAPBExCommonResources.BExGlobal")).

One of the methods exposed by the SAPBExCommonResources.BExGlobal ActiveX control is Execute. The method is defined as follows:

Int32 Execute(String, String, String, Int32, String, SAPBExCommonResources_3_6.tShowWindow)

When the Execute method is invoked, the control passes the string supplied as its first parameter to the operating system and runs it as a command on the client host. By enticing the target user to open a crafted HTML page, an attacker can exploit the vulnerability, resulting in execution of arbitrary commands within the security context of the logged-in user. Independently of any vendor fix, setting the kill bit for the CLSID above (the Compatibility Flags DWORD value 0x400 under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{A009C90D-814B-11D3-BA3E-080009D22344}) prevents Internet Explorer from instantiating the control.

SonicWALL has released an IPS signature to detect and block specific exploitation attempts targeting this vulnerability. The signature is listed below:

  • 3540 SAP GUI SAPBExCommonResources ActiveX Control Execute Invocation
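The signature above fires on pages that bind the control and invoke its Execute method. The following Python scanner, added here as an illustration and not SonicWALL's signature logic or SAP code, reproduces that condition on a page body: it collects the identifiers bound to the control (the id of an <object> tag carrying the CLSID, or a JavaScript variable assigned from new ActiveXObject with the ProgID) and alerts only when one of those identifiers calls Execute, so a page that merely embeds the control, or a different object's Execute method, does not trigger it. The sample pages (MALICIOUS, SCRIPTED, BENIGN) are constructed for the example; the "ATTACKER_COMMAND" string and the zero/empty placeholders for the remaining Execute arguments are assumptions that only match the method's arity from the signature above.

```python
"""Flag HTML/JavaScript that instantiates SAPBExCommonResources.BExGlobal and calls Execute."""
import re

CLSID = "A009C90D-814B-11D3-BA3E-080009D22344"
PROGID = "SAPBExCommonResources.BExGlobal"

# <object id="x" classid="clsid:{A009...}">: attribute order inside the tag is free,
# so the tag is matched first and its attributes parsed separately.
OBJECT_TAG_RE = re.compile(r"<object\b[^>]*>", re.I | re.S)
ATTR_RE = re.compile(r"(\w+)\s*=\s*(?:\"([^\"]*)\"|'([^']*)'|([^\s>]+))")
# var x = new ActiveXObject("SAPBExCommonResources.BExGlobal")
ACTIVEX_RE = re.compile(
    r"(\w+)\s*=\s*new\s+ActiveXObject\s*\(\s*[\"']" + re.escape(PROGID) + r"[\"']\s*\)",
    re.I,
)


def _attrs(tag):
    """Return the attributes of one tag as a lower-cased name -> value dict."""
    out = {}
    for m in ATTR_RE.finditer(tag):
        out[m.group(1).lower()] = m.group(2) or m.group(3) or m.group(4) or ""
    return out


def control_names(html):
    """Identifiers (<object> ids or JavaScript variables) bound to the SAP control."""
    names = set()
    for tag in OBJECT_TAG_RE.findall(html):
        a = _attrs(tag)
        # Normalise "clsid:{...}" / "CLSID:..." forms before comparing.
        cid = re.sub(r"^clsid:", "", a.get("classid", "").strip(), flags=re.I).strip("{}").upper()
        if cid == CLSID and a.get("id"):
            names.add(a["id"])
    for m in ACTIVEX_RE.finditer(html):
        names.add(m.group(1))
    return names


def scan_html(html):
    """Report bound control names and which of them invoke Execute; alert only on the latter."""
    names = control_names(html)
    # COM method names are case-insensitive, so match Execute regardless of case.
    calls = [n for n in names
             if re.search(r"\b" + re.escape(n) + r"\s*\.\s*Execute\s*\(", html, re.I)]
    return {"control_names": sorted(names), "execute_calls": sorted(calls), "alert": bool(calls)}


# Constructed sample pages for the example (not captured traffic).
MALICIOUS = """<html><body>
<object id="sapctl" classid="clsid:{A009C90D-814B-11D3-BA3E-080009D22344}"></object>
<script>
  // first argument is the command the control runs on the client; the rest are placeholders
  sapctl.Execute("ATTACKER_COMMAND", "", "", 0, "", 0);
</script></body></html>"""

SCRIPTED = """<script>
var bex = new ActiveXObject("SAPBExCommonResources.BExGlobal");
bex.Execute("ATTACKER_COMMAND", "", "", 0, "", 0);
</script>"""

EMBED_ONLY = '<object id="bw" classid="CLSID:A009C90D-814B-11D3-BA3E-080009D22344"></object>'

BENIGN = """<script>
var xhr = new ActiveXObject("Microsoft.XMLHTTP");
var re = new ActiveXObject("VBScript.RegExp"); re.Execute("test");  // another object's Execute
</script>"""

if __name__ == "__main__":
    for label, page in [("MALICIOUS", MALICIOUS), ("SCRIPTED", SCRIPTED),
                        ("EMBED_ONLY", EMBED_ONLY), ("BENIGN", BENIGN)]:
        print(label, scan_html(page))
```

The scanner matches the literal ProgID and CLSID, so string splitting, escaping or other script obfuscation that reassembles those strings at run time will evade it, as it evades any static signature; the kill bit on the CLSID is the host-side control that does not depend on recognising the page.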