An attacker can create EMF files by using a 3rd-party 3D printing tool. In order to make it more likely that a victim will open such an email attachment, the attacker can use a variety of social engineering tricks, such as adding a malicious link in an email or publishing a malicious EMF file on a website. After the victim opens the EMF file and renders the scene, it is possible that an RCE can be triggered when the victim's machine has insufficient memory or no kernel-mode driver for the hardware. Due to a lack of proper memory management, when a victim opens a manipulated Enhanced Metafile (.emf, emf.x3d) file received from untrusted sources in SAP 3D Visual Enterprise, it is possible that Remote Code Execution can be triggered when the payload forces a stack-based overflow or a re-use of a dangling pointer that refers to overwritten space in memory.

Multiple SAP products are affected

The following SAP products are affected:
· SAP Netweaver 7.31
· SAP Netweaver 7.40
· SAP Notebook 9.0
· SAP Visual Enterprise 8.5
· SAP Business Warehouse 10
This vulnerability affects all supported configurations of the above products, including the ones that use Linux Kernels 2.6 and 2.4, which are the most used Linux versions among enterprise customers.

Vulnerability Analysis

There are multiple reasons why this vulnerability is attractive to an attacker. The most obvious is that the attack vector is passive, which means there is no need for user interaction in order to exploit the vulnerability. Another is that the EMF file can be delivered as an email attachment, and since it is rendered on the victim's machine and displayed in 3D it will look realistic to the human eye.

EMF File Format

The Enhanced Metafile Format is an international standard for the interchange and editing of 2D vector graphics. It is a file format with significant capabilities, including support for animations, transparency, alpha compositing, and non-rectangular shapes.
EMF files are typically rendered by applications that support the format. However, they can also be rasterized to produce bitmap images or displayed in 3D applications such as Adobe Reader, Acrobat Reader DC, or Microsoft Windows.

CVE-2022-41176

The vulnerability exists because SAP 3D Visual Enterprise does not validate whether CreateInstance() succeeds before calling LoadFile().
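The root cause named above (an unchecked CreateInstance() result feeding LoadFile()) illustrated as an added C++ example; the EmfRenderer type, the CreateInstance factory and the simulate_failure flag are hypothetical stand-ins written for this page, not SAP's API.

```cpp
#include <memory>
#include <string>

// Hypothetical stand-in for a metafile renderer object (not SAP's API).
struct EmfRenderer {
    std::string path;
    // Pretend to parse the file; succeeds for any non-empty path.
    bool LoadFile(const std::string& p) { path = p; return !p.empty(); }
};

// Hypothetical factory: returns nullptr when the instance cannot be created,
// e.g. because the process is out of memory or a required driver is missing.
static std::unique_ptr<EmfRenderer> CreateInstance(bool simulate_failure) {
    if (simulate_failure) return nullptr;
    return std::make_unique<EmfRenderer>();
}

// Vulnerable pattern as described in the advisory: the factory result is
// used without checking it, so a failed CreateInstance() results in a call
// through a null object in LoadFile() (undefined behaviour).
bool load_unchecked(const std::string& file, bool simulate_failure) {
    auto r = CreateInstance(simulate_failure);
    return r->LoadFile(file);   // no check: crashes or worse when r is null
}

// Hardened pattern: validate the instance before touching it and refuse the
// file instead of continuing with a renderer that was never constructed.
bool load_checked(const std::string& file, bool simulate_failure) {
    auto r = CreateInstance(simulate_failure);
    if (!r) {
        return false;            // report failure; LoadFile() is never reached
    }
    return r->LoadFile(file);
}
```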

Timeline

Published on: 10/11/2022 21:15:00 UTC
Last modified on: 10/12/2022 19:57:00 UTC
