Pwnie Awards 2017

The 2015 Pwnie Award For Best Server-Side Bug

SAP LZC LZH Compression Multiple Vulnerabilities

Martin Gallo

SAP products make use of a proprietary implementation of the Lempel-Ziv-Thomas (LZC) adaptive dictionary compression algorithm and the Lempel-Ziv-Huffman (LZH) compression algorithm. These compression algorithms are used across several SAP products and programs. Vulnerabilities were found in the decompression routines that could be triggered in different scenarios and could lead to execution of arbitrary code and denial-of-service conditions. Basically a single bug that pwns almost ALL SAP products and services.