IBM eGatherer ActiveX Code Execution Vulnerability
23 Aug. 2006
eEye Digital Security has discovered a security vulnerability in IBM's eGatherer ActiveX control. This is the second vulnerability found in this control by eEye Research, the first being from Drew Copley http://www.eeye.com/html/research/advisories/AD20040615B.html. This control is typically installed by default on IBM workstations and laptops, and is used by default for auto-finding drivers/updates on IBM's/Lenovo's support site.
* eGatherer ActiveX control versions prior to 3.20.0284.0
* eGatherer ActiveX control version 3.20.0284.0
IBM / Lenovo describes this ActiveX control as follows:
"The auto-detect feature automatically finds your system's machine-type, model, and serial number to help you get the files and information you need quickly and easily. It does not collect any personal information or compromise the security of your system in any way."
Despite the promise that the control does not "compromise the security of your system in any way", a buffer overflow exists in the handling of one of the ActiveX control's parameters. It allows a remote attacker to reliably overwrite the stack with arbitrary data and execute arbitrary code through the web browser with the privileges of the logged-in user.
The vulnerability exists within the RunEgatherer method of the ActiveX control. This method accepts one parameter, the file name for the eGatherer log output. It should be noted that even when the parameter is set to a legitimate output path, the control still only writes the log file to the SystemDrive. Filling the single parameter with a large string causes a straightforward stack overflow. The following sample would reproduce the crash for vulnerable ActiveX controls:
The vulnerability begins with a stack allocation for the string. This is not in itself vulnerable, but at this point no length check has been performed on the supplied string. The string is then copied once more into memory, slightly below the first copy, and lower-cased:

    .text:10003BA1 lea eax, [ebp-118h]
    .text:10003BA7 push esi ; unsigned __int8 *
    .text:10003BA8 mov esi, ds:_mbscpy
    .text:10003BAE push eax ; unsigned __int8 *
    .text:10003BAF call esi ; _mbscpy
    .text:10003BB1 lea eax, [ebp-118h]
    .text:10003BB7 pop ecx
    .text:10003BB8 test eax, eax
    .text:10003BBA pop ecx
    .text:10003BBB jz short loc_10003C23
    .text:10003BBD lea eax, [ebp-118h]
    .text:10003BC3 push eax ; unsigned __int8 *
    .text:10003BC4 call sub_10003C45 ; TOLOWER SUBROUTINE
The original string remains untouched, and all subsequent operations are performed on the lower-cased copy. However, because the string's length was never checked, the _mbscpy call copies it straight into the undersized stack buffer at [ebp-118h] and causes a simple buffer overflow.
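As an added example (not eEye's or IBM's code), the following C models the pattern in the listing above, with strcpy standing in for _mbscpy and a 0x118-byte stack buffer matching the [ebp-118h] frame slot, beside the bounded check that would have prevented the overflow. The function names and the sample inputs are constructed for illustration.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

#define LOG_PATH_BUF 0x118  /* 280 bytes: the [ebp-118h] stack slot in the listing */

/* Vulnerable pattern, as in the listing: an unbounded copy into a fixed stack
 * buffer, followed by in-place lower-casing. A path of 280 or more bytes runs
 * past the buffer into the saved frame. Shown for comparison only; it must
 * never be called with untrusted input. */
void run_egatherer_unsafe(const char *log_path) {
    unsigned char buf[LOG_PATH_BUF];
    strcpy((char *)buf, log_path);          /* stands in for _mbscpy: no length check */
    for (unsigned char *p = buf; *p; p++)   /* stands in for sub_10003C45 (TOLOWER) */
        *p = (unsigned char)tolower(*p);
}

/* Hardened form: measure first, refuse anything that does not fit together
 * with its terminator, then copy with an explicit bound and lower-case.
 * Returns 0 on success, -1 if the path was rejected. */
int copy_log_path(const char *log_path, char *out, size_t out_len) {
    size_t n = strlen(log_path);
    if (out_len == 0 || n >= out_len)
        return -1;
    memcpy(out, log_path, n + 1);
    for (char *p = out; *p; p++)
        *p = (char)tolower((unsigned char)*p);
    return 0;
}

/* Same fixed stack buffer as the original, but gated by the bounded copy.
 * Returns the length of the accepted lower-cased path, or -1 on rejection. */
int run_egatherer_safe(const char *log_path) {
    char buf[LOG_PATH_BUF];
    if (copy_log_path(log_path, buf, sizeof buf) != 0)
        return -1;
    return (int)strlen(buf);
}

/* Constructed sample input: a path of `len` 'A' characters (static buffer). */
const char *sample_path(size_t len) {
    static char s[1024];
    if (len >= sizeof s)
        len = sizeof s - 1;
    memset(s, 'A', len);
    s[len] = '\0';
    return s;
}
```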