Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Exploits-HackingTools
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[NT] IBM eGatherer ActiveX Code Execution Vulnerability

from [SecuriTeam] Network Security [Permanent Link]
Subject: [NT] IBM eGatherer ActiveX Code Execution Vulnerability
Date: 23 Aug 2006 10:26:20 +0200 
The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html 

- - - - - - - - -



  IBM eGatherer ActiveX Code Execution Vulnerability
------------------------------------------------------------------------


SUMMARY

eEye Digital Security has discovered a security vulnerability in IBM's 
eGatherer ActiveX control. This is the second vulnerability found in this 
control by eEye Research, the first being from Drew Copley  
<http://www.eeye.com/html/research/advisories/AD20040615B.html> 
http://www.eeye.com/html/research/advisories/AD20040615B.html. This 
control is typically installed by default on IBM workstations and laptops, 
and is used by default for auto-finding drivers/updates on IBM's/Lenovo's 
support site.

DETAILS

Vulnerable Systems:
 * eGatherer ActiveX control versions prior to 3.20.0284.0

Immune Systems:
 * eGatherer ActiveX control version 3.20.0284.0

IBM / Lenovo describes this ActiveX control as follows:
"The auto-detect feature automatically finds your system's machine-type, 
model, and serial number to help you get the files and information you 
need quickly and easily. It does not collect any personal information or 
compromise the security of your system in any way."

Despite their promise for not "compromising the security of the system in 
any way", a buffer overflow exists within the handling of a parameter of 
the ActiveX control that would allow a remote attacker to reliably 
overwrite the stack with arbitrary data and execute arbitrary code through 
the web browser with the privileges of the logged in users.

Technical Details:
The vulnerability exists within the RunEgatherer function within the 
ActiveX. This method accepts one function, the specified file name for the 
eGatherer log output. It should be noted that even when setting the 
parameter with legitimate paths for output, the ActiveX remains to only 
write the log file to the SystemDrive. By filling the single parameter 
with a large string, a straight stack overflow occurs. The following 
sample would reproduce the crash for vulnerable ActiveX controls:

<html>
<object classid='clsid:74FFE28D-2378-11D5-990C-006094235084' 
id='notCompromising'></object>
<script language='vbscript'>
overflowBuffer=String(300,"A")
notCompromising.RunEgatherer overflowBuffer </script>

The vulnerable code is as follows:
text:10003B73 push dword ptr [ebp+0Ch] ; lpString
text:10003B76 call ds:lstrlenW
text:10003B7C lea edi, [eax+eax+2]
text:10003B80 mov eax, edi
text:10003B82 add eax, 3
text:10003B85 and al, 0FCh
text:10003B87 call __alloca_probe
text:10003B8C mov esi, esp
text:10003B8E push ebx ; lpUsedDefaultChar = 0x0
text:10003B8F push ebx ; lpDefaultChar = 0x0
text:10003B90 push edi ; cchMultiByte = 1002 (eax*2 + 2)
text:10003B91 push esi ; lpMultiByteStr = ESP (STACK)
text:10003B92 push 0FFFFFFFFh ; cchWideChar = -1
text:10003B94 push dword ptr [ebp+0Ch] ; lpWideCharStr = ptr to our 
string
text:10003B97 mov [esi], bl
text:10003B99 push ebx ; dwFlags = 0x0
text:10003B9A push ebx ; CodePage = 0x0
text:10003B9B call ds:WideCharToMultiByte

The vulnerability begins with a stack allocation for the string. This is 
not in itself vulnerable, but there has yet to be a length check the 
supplied string. The string is copied again one more into memory, slightly 
below the first, and then lower-cased:
text:10003BA1 lea eax, [ebp-118h]
text:10003BA7 push esi ; unsigned __int8 *
text:10003BA8 mov esi, ds:_mbscpy
text:10003BAE push eax ; unsigned __int8 *
text:10003BAF call esi ; _mbscpy
text:10003BB1 lea eax, [ebp-118h]
text:10003BB7 pop ecx
text:10003BB8 test eax, eax
text:10003BBA pop ecx
text:10003BBB jz short loc_10003C23
text:10003BBD lea eax, [ebp-118h]
text:10003BC3 push eax ; unsigned __int8 *
text:10003BC4 call sub_10003C45 ; TOLOWER SUBROUTINE

The original string remains untouched, and all future operations will be 
performed on the lower-case string. However, because there were no length 
checks on the string, the memory is copied straight into the undersized 
stack buffer and causes a simple buffer overflow.

Vendor Status:
IBM UK has patched the vulnerability in their latest version of the 
eGatherer ActiveX control (3.20.0284.0), available here:  
<http://www-307.ibm.com/pc/support/IbmEgath.cab> 
http://www-307.ibm.com/pc/support/IbmEgath.cab


ADDITIONAL INFORMATION

The information has been provided by Andre Derek Protas.
The original article can be found at:  
<http://www.eeye.com/html/research/advisories/AD20060816.html> 
http://www.eeye.com/html/research/advisories/AD20060816.html



======================================== 


This bulletin is sent to members of the SecuriTeam mailing list. 
To unsubscribe from the list, send mail with an empty subject line and body to: 
list-unsubscribe@securiteam.com 
In order to subscribe to the mailing list, simply forward this email to: 
list-subscribe@securiteam.com 


==================== 
==================== 

DISCLAIMER: 
The information in this bulletin is provided "AS IS" without warranty of any 
kind. 
In no event shall we be liable for any damages whatsoever including direct, 
indirect, incidental, consequential, loss of business profits or special 
damages.
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • [NT] IBM eGatherer ActiveX Code Execution Vulnerability, SecuriTeam <=
Previous by Date:  [NT] MDaemon POP3 Server Buffer Overflow (preauth), SecuriTeam
Next by Date:  [NT] MS06-042 Related Internet Explorer 'Crash' is Exploitable, SecuriTeam
Previous by Thread:  [NT] MDaemon POP3 Server Buffer Overflow (preauth), SecuriTeam
Next by Thread:  [NT] MS06-042 Related Internet Explorer 'Crash' is Exploitable, SecuriTeam
Indexes:  [Date] [Thread] [Top] [All Lists]