Two vulnerabilities have been discovered in SAP GUI, which can be exploited by malicious people to gain knowledge of sensitive information, corrupt files, and compromise a user's system.

1) An error in the bundled KWEdit ActiveX control due to an insecure method "SaveDocumentAs()", which saves an HTML document to a specified location can be exploited in combination with e.g. the "OpenDocument()" method to disclose the contents of files or to execute arbitrary code on a user's system.

2) An input validation error in the bundled KWEdit ActiveX control when processing certain methods e.g. "Comp_Download()" and "DocumentDownload()" can be exploited to download a file and save it to an arbitrary location using directory traversal specifiers in the "strFilename" parameter.

The vulnerabilities are confirmed in SAP GUI 6.40 Patch 29 including KWEDIT.DLL version 6400.1.1.41 and in SAP GUI 7.10 Patch 5 including KWEDIT.DLL version 7100.1.1.43. Other versions may also be affected.

Solution
Update to the latest versions, which reportedly set the kill-bit for the ActiveX control.

Provided and/or discovered by
1) Carsten Eiram, Secunia Research.
2) Alexander Polyakov and Alexey Troshichev, Digital Security Research Group

Changelog
Further details available in Customer Area

Original Advisory
Secunia Research:
http://secunia.com/secunia_research/2008-56/

SAP Note 1294913:
https://service.sap.com/sap/support/notes/1294913

Digital Security Research Group:
http://dsecrg.com/files/pub/pdf/Alexander%20Polyakov%20-%20Attacking%20SAP%20Users%20with%20sapsploit%20Extended.pdf

Technical Analysis
Further details available in Customer Area

Alternate/detailed remediation
Further details available in Customer Area

Deep Links
Links available in Customer Area