CVE-2007-3605
Published 2007-07-06
Priority: P3 (55), severity high
CVSS 2.0: 7.6 (AV:N/AC:H/Au:N/C:C/I:C/A:C)
Exploit: public exploit available
EPSS: 69.91% (99.3rd percentile)
Stack-based buffer overflow in the kweditcontrol.kwedit.1 ActiveX control in FrontEnd\SapGui\kwedit.dll in the EnjoySAP SAP GUI allows remote attackers to execute arbitrary code via a long argument to the PrepareToPostHTML function.
Detection & IOCs (extracted from sources)
- Detect ActiveX instantiation of the vulnerable control by its ProgID 'kweditcontrol.kwedit.1' in HTML/script content, particularly followed by a call to PrepareToPostHTML() with a long string argument.
- The Metasploit exploit builds a buffer of 1036 random alpha bytes followed by a short JMP (Rex::Arch::X86.jmp_short(6)) before the return address; look for oversized strings (~1036+ bytes) passed to PrepareToPostHTML in network traffic or HTML.
- The exploit payload space is 800 bytes with a stack adjustment of -3500; shellcode embedded in the overly long PrepareToPostHTML argument will exhibit this stack pivot pattern.
- Monitor for browser-delivered HTML pages that create a JavaScript String of 1000+ characters and pass it directly to an ActiveX object's PrepareToPostHTML method.
- The vulnerable DLL is installed as part of EnjoySAP GUI (SAP GUI for Windows). The control is marked 'Safe for Scripting', meaning it can be invoked from any web page without an ActiveX prompt, broadening the attack surface.
- The Metasploit module targets specific return addresses per OS: Windows XP Pro SP0/SP1 English (0x71aa32ad) and Windows 2000 Pro English All (0x75022ac4). Exploitability on other OS versions/service packs is not confirmed by these sources.
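The detection notes above can be turned into a content-inspection check for proxy logs, mail gateways or sandbox captures. The scanner below is an added example, not code from the CVE sources; it looks for the vulnerable ProgID, a PrepareToPostHTML() call, and an argument at or above the 1000-character size the sources cite, and the loop-length heuristic it uses is an assumption of mine rather than something the sources describe.

```python
import re

# Indicator values are the ones the detection notes cite: the vulnerable
# ProgID, the method name, and the "1000+ characters" / 1036-byte argument.
PROGID = "kweditcontrol.kwedit.1"
METHOD = "PrepareToPostHTML"
LONG_ARG_CHARS = 1000

_CALL_RE = re.compile(r"\." + METHOD + r"\s*\(([^)]*)\)", re.IGNORECASE)
_LITERAL_RE = re.compile(r'"(?:[^"\\]|\\.)*"' + r"|'(?:[^'\\]|\\.)*'")
# Heuristic (assumption, not from the sources): pages that grow a string in a
# loop compare .length against a large constant, e.g. while (s.length < 1036).
_LOOP_RE = re.compile(r"\.length\s*<=?\s*(\d{3,})")


def scan_html(html: str) -> dict:
    """Score an HTML/JS page for CVE-2007-3605 indicators.

    'exploit_like' is set only when the vulnerable control is named, the
    method is called, and an argument of LONG_ARG_CHARS or more is in play.
    """
    progid_seen = PROGID.lower() in html.lower()
    calls = _CALL_RE.findall(html)
    # Length of the longest quoted literal (quotes excluded).
    literal_max = max((len(m.group(0)) - 2 for m in _LITERAL_RE.finditer(html)), default=0)
    # Largest length a string is grown to inside a loop.
    loop_max = max((int(n) for n in _LOOP_RE.findall(html)), default=0)
    arg_len = max(literal_max, loop_max)
    return {
        "progid_seen": progid_seen,
        "method_calls": len(calls),
        "max_arg_len": arg_len,
        "exploit_like": progid_seen and bool(calls) and arg_len >= LONG_ARG_CHARS,
    }


# Constructed samples (not real captures): a page that merely uses the control
# normally, and one that feeds it a buffer grown past the cited threshold.
BENIGN_HTML = (
    '<script>var o = new ActiveXObject("kweditcontrol.kwedit.1");'
    'o.PrepareToPostHTML("<p>hello</p>");</script>'
)
SUSPICIOUS_HTML = (
    '<script>var t = new ActiveXObject("kweditcontrol.kwedit.1");'
    'var s = "A"; while (s.length < 1036) { s += s; }'
    "t.PrepareToPostHTML(s);</script>"
)

if __name__ == "__main__":
    for name, page in (("benign", BENIGN_HTML), ("suspicious", SUSPICIOUS_HTML)):
        print(name, scan_html(page))
```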
No detection rules found.
Exploit-DB
EnjoySAP SAP GUI - ActiveX Control Buffer Overflow (Metasploit)
exploitdb · 2010-06-15 · CVE-2007-3605
---
##
# $Id: enjoysapgui_preparetoposthtml.rb 9525 2010-06-15 07:18:08Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'

# The text between the class name and the 'Name' key was lost when the listing
# was extracted (everything from "<" to the next ">" was dropped); the class
# header and initialize/update_info lines are restored here, any mixins and
# Rank the module declares are not known from this page.
class Metasploit3 < Msf::Exploit::Remote

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'EnjoySAP SAP GUI ActiveX Control Buffer Overflow',
			'Description'    => %q{
					This module exploits a stack buffer overflow in SAP KWEdit ActiveX
				Control (kwedit.dll 6400.1.1.41) provided by EnjoySAP GUI. By sending
				an overly long string to the "PrepareToPostHTML()" method, an attacker
				may be able to execute arbitrary code.
			},
			'License'        => MSF_LICENSE,
			'Auth
Exploit-DB
EnjoySAP ActiveX kweditcontrol.kwedit.1 - Remote Stack Overflow (PoC)
exploitdb · 2007-07-05 · CVE-2007-3608
---
Vendor: SAP
Vendor Reference: SECRES-289
Systems Affected: All Versions
Risk: High
Status: Fixed
Timeline
Discovered: 4 January 2007
Released: 19 January 2007
Approved: 29 January 2007
Reported: 11 January 2007
Fixed: 18 May 2007
Published:
Description
EnjoySAP, also known as Enjoy, is the most popular SAP GUI used today. The
latest version can be obtained from ftp://ftp.sap.com/pub/sapgui/win/
When installing EnjoySAP, in keeping with its vast size for a client (around
500MB), an astounding 1102 ActiveX controls are installed.
A relatively brief examination of these controls found a large number of
instances that would terminate the EnjoySAP process; there were a number that
could create files on the
Metasploit
EnjoySAP SAP GUI ActiveX Control Buffer Overflow
metasploit
This module exploits a stack buffer overflow in SAP KWEdit ActiveX Control (kwedit.dll 6400.1.1.41) provided by EnjoySAP GUI. By sending an overly long string to the "PrepareToPostHTML()" method, an attacker may be able to execute arbitrary code.
No writeups or analysis indexed.
References
http://osvdb.org/37690
http://secunia.com/advisories/25959
http://securityreason.com/securityalert/2873
http://www.ngssoftware.com/advisories/high-risk-vulnerability-in-enjoysap-stack-overflow/
http://www.securityfocus.com/archive/1/472887/100/0/threaded
http://www.securityfocus.com/bid/24772
http://www.securityfocus.com/bid/24776
http://www.vupen.com/english/advisories/2007/2449
https://exchange.xforce.ibmcloud.com/vulnerabilities/35267
https://www.exploit-db.com/exploits/4148