The 2013 Pwnie Nominee For Best Server-Side Bug

SAPRouter Remote Heap Overflow

Credit: Grigory Nosenko

SAProuter is an application that is exposed to the Internet to provide updates to corporate SAP systems and to connect to different office locations and subcontractor systems. Almost every third company exposes this service on the default port 3299. It is a very small application that simply routes packets, but it contains multiple exploitable heap overflows, compromising many large enterprises.