=====================================================================
                                   CERT-Renater

                        Note d'Information No. 2010/VULN304
_____________________________________________________________________

DATE                      : 12/08/2010

HARDWARE PLATFORM(S)      : /

OPERATING SYSTEM(S)       : Systems running SAP Crystal Reports.

======================================================================
http://dvlabs.tippingpoint.com/advisory/TPTI-10-07
______________________________________________________________________

SAP Crystal Reports 2008 GIOP Message Size Integer Overflow Remote Code
Execution Vulnerability

TPTI-10-07: August 11th, 2010
CVE ID

Affected Vendors
      SAP

Affected Products
      Crystal Reports

TippingPoint™ IPS Customer Protection
TippingPoint IPS customers are protected against this vulnerability by
Digital Vaccine protection filter ID 9846. For further product information
on the TippingPoint IPS:

      http://www.tippingpoint.com

Vulnerability Details
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of SAP Crystal Reports. Authentication is not
required to exploit this vulnerability.

The specific flaw exists within the ebus-3-3-2-6.dll module responsible for
parsing GIOP requests for multiple processes. While parsing the first packet
the function OBGIOPServerWorker::extractHeader trusts the provided size of
the next packet and attempts to re-allocate a buffer. By providing a large
enough value an integer overflow can occur and the buffer can become undersized.
A later memory copy using the original value specified in the packet can copy
controlled data to the heap buffer. The affected services spawn multiple
threads frequently enough that an attacker can theoretically win a race
condition by sending multiple requests thus forcing the process to access
the corrupted memory while the overflow is occurring. Successful exploitation
would lead to remote code execution in the context of the SYSTEM user.


Vendor Response
SAP has issued an update to correct this vulnerability.
More details can be found at:

      https://service.sap.com/sap/support/notes/1473327

Disclosure Timeline

      2010-05-03 - Vulnerability reported to vendor
      2010-08-11 - Coordinated public release of advisory


Credit
This vulnerability was discovered by:

      Aaron Portnoy, TippingPoint DVLabs

======================================================================

          =========================================================
          Les serveurs de référence du CERT-Renater
          http://www.urec.fr/securite
          http://www.cru.fr/securite
          http://www.renater.fr
          =========================================================
          + CERT-RENATER          | tel : 01-53-94-20-44          +
          + 151 bd de l'Hopital   | fax : 01-53-94-20-41          +
          + 75013 Paris           | email: certsvp@renater.fr     +
          =========================================================