CVE-2008-4830
Published 2009-04-16
Priority: P260 · critical · CVSS 2.0: 9.3
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 27.59% (97.8th percentile)
Insecure method vulnerability in the KWEdit ActiveX control in SAP GUI 6.40 Patch 29 (KWEDIT.DLL 6400.1.1.41) and 7.10 Patch 5 (KWEDIT.DLL 7100.1.1.43) allows remote attackers to (1) overwrite arbitrary files via the SaveDocumentAs method or (2) read or execute arbitrary files via the OpenDocument method.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| sap | sap_gui | — | — |
| sap | sap_gui | — | — |
Detection & IOCs
- Detect instantiation of the vulnerable ActiveX ProgID 'Kweditcontrol.KWedit.1' in browser script, which is the attack vector for CVE-2008-4830.
- Monitor calls to the 'Comp_Download' method on the KWedit ActiveX control, particularly where the destination path contains directory traversal sequences (e.g., '../../../../') targeting Startup folders.
- Alert on use of 'SaveDocumentAs' or 'OpenDocument' methods of the KWEdit ActiveX control (KWEDIT.DLL), which allow arbitrary file write and read/execute respectively.
- Watch for executable files dropped into 'Documents and Settings\All Users\Start Menu\Programs\Startup\' via directory traversal from a web-delivered ActiveX payload.
- The Metasploit module uses a randomly generated executable filename and variable name, so static filename-based detection will not be reliable; focus on the ActiveX ProgID and method calls instead.
- The payload is served as 'application/octet-stream' from an attacker-controlled HTTP server; the SRVHOST may be any IP, so network-layer detection should focus on the ActiveX method invocation rather than a fixed C2 address.
No detection rules found.
Exploit-DB
EnjoySAP SAP GUI - ActiveX Control Arbitrary File Download (Metasploit)
exploitdb·2010-12-01
---
```ruby
##
# $Id: enjoysapgui_comp_download.rb 11189 2010-12-01 03:18:05Z swtornio $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 OperatingSystems::WINDOWS,
:javascript => true,
:rank => NormalRanking,
:vuln_test => nil,
})
def initialize(info = {})
super(update_info(info,
'Name' => 'EnjoySAP SAP GUI ActiveX Control Arbitrary File Download',
'Description' => %q{
This module allows remote attackers to place arbitrary files on a users file system
by abusing the "Comp_Downl
```
Metasploit
EnjoySAP SAP GUI ActiveX Control Arbitrary File Download
metasploit
This module allows remote attackers to place arbitrary files on a user's file system by abusing the "Comp_Download" method in the SAP KWEdit ActiveX Control (kwedit.dll 6400.1.1.41).
No writeups or analysis indexed.
- http://secunia.com/advisories/32869
- http://secunia.com/secunia_research/2008-56/
- http://www.securityfocus.com/archive/1/502698/100/0/threaded
- http://www.securityfocus.com/bid/34524
- http://www.securitytracker.com/id?1022062
- http://www.vupen.com/english/advisories/2009/1043
Published: 2009-04-16