Vigil@nce - SAP Crystal Reports: code execution via GIOP
August 2010 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/
SYNTHESIS OF THE VULNERABILITY
An attacker can send a malicious GIOP message to SAP Crystal
Reports, in order to generate an overflow leading to code
execution.
Severity: 2/4
Creation date: 12/08/2010
DESCRIPTION OF THE VULNERABILITY
The SAP Crystal Reports server communicates using GIOP (General
Inter-ORB Protocol) messages.
The OBGIOPServerWorker::extractHeader() method of the
ebus-3-3-2-6.dll library decodes GIOP headers. However, it does
not check the packet data size announced in the header against
the receiving buffer, which creates a buffer overflow.
An attacker can therefore send a malicious GIOP message to SAP
Crystal Reports, in order to generate an overflow leading to code
execution.
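The missing check described above is the validation of the GIOP message_size field before the body is consumed. The following is an added example of a hardened header parser written for this bulletin; it is not code from SAP, ebus-3-3-2-6.dll or Vigil@nce, and the 1 MiB policy limit and the three sample messages are constructed assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define GIOP_HEADER_LEN 12
#define GIOP_MAX_BODY   (1u << 20)   /* assumed local policy: reject bodies over 1 MiB */

enum giop_status { GIOP_OK = 0, GIOP_ERR_SHORT, GIOP_ERR_MAGIC,
                   GIOP_ERR_VERSION, GIOP_ERR_TOO_LARGE, GIOP_ERR_TRUNCATED };

struct giop_header { uint8_t major, minor, flags, msg_type; uint32_t body_len; };

/* Decode the 4-byte message_size in the byte order announced by the header. */
static uint32_t read_u32(const uint8_t *p, int little_endian)
{
    if (little_endian)
        return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
    return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | (uint32_t)p[3];
}

/* Parse a GIOP 1.x header: magic "GIOP", major, minor, flags (bit 0 = little-endian),
 * message type, message_size. Returns GIOP_OK only when the announced body length is
 * both within policy and no larger than the bytes actually received, so a caller can
 * never be driven to copy more than (len - GIOP_HEADER_LEN) bytes into its buffer. */
enum giop_status giop_extract_header(const uint8_t *buf, size_t len, struct giop_header *h)
{
    if (len < GIOP_HEADER_LEN) return GIOP_ERR_SHORT;
    if (memcmp(buf, "GIOP", 4) != 0) return GIOP_ERR_MAGIC;
    h->major = buf[4]; h->minor = buf[5];
    if (h->major != 1 || h->minor > 2) return GIOP_ERR_VERSION;
    h->flags = buf[6]; h->msg_type = buf[7];
    h->body_len = read_u32(buf + 8, h->flags & 1);
    if (h->body_len > GIOP_MAX_BODY) return GIOP_ERR_TOO_LARGE;
    if (h->body_len > len - GIOP_HEADER_LEN) return GIOP_ERR_TRUNCATED; /* len >= 12, no underflow */
    return GIOP_OK;
}

/* Constructed sample messages (not captured traffic). */
static const uint8_t msg_ok[]    = { 'G','I','O','P', 1,2, 0x00, 0, 0,0,0,8, 1,2,3,4,5,6,7,8 };    /* BE, 8-byte body, complete */
static const uint8_t msg_huge[]  = { 'G','I','O','P', 1,2, 0x01, 0, 0xff,0xff,0xff,0x7f, 1,2,3,4 }; /* LE, announces ~2 GiB */
static const uint8_t msg_short[] = { 'G','I','O','P', 1,2, 0x00, 0, 0,0,0,16, 1,2,3,4 };           /* BE, announces 16, has 4 */

enum giop_status check_sample(const uint8_t *m, size_t n) { struct giop_header h; return giop_extract_header(m, n, &h); }

int main(void)
{
    printf("ok=%d huge=%d short=%d\n", check_sample(msg_ok, sizeof msg_ok),
           check_sample(msg_huge, sizeof msg_huge), check_sample(msg_short, sizeof msg_short));
    return 0;
}
```

A parser that trusts message_size and copies that many bytes is exactly the pattern the bulletin describes; the two size comparisons above are the check it lacks.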
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/SAP-Crystal-Reports-code-execution-via-GIOP-9843