IBM eGatherer: buffer overflow in the eGatherer control's RunEgatherer function

Vulnerability ID: 1193792  Type: Buffer overflow
Published: 2006-08-16  Updated: 2007-10-04
CVE: CVE-2006-4221  CNNVD ID: CNNVD-200608-303
Platform: N/A  CVSS score: 9.3
|Sources
https://www.securityfocus.com/bid/19554
https://cxsecurity.com/issue/WLB-2006080133
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200608-303
|Vulnerability details
The IBM eGatherer control is IBM's solution for automated PC maintenance. A buffer overflow exists in the implementation of the eGatherer control's RunEgatherer function, which a remote attacker could exploit to execute arbitrary instructions on the server. The function accepts the specified file name for the eGatherer log output. Even when a legitimate path parameter has been set for the output, the ActiveX control still writes the log file to the SystemDrive. If an attacker can send an overly long parameter, a stack overflow is triggered, leading to arbitrary code execution.
|Exploit
IBM eGatherer ActiveX Code Execution Vulnerability

Release Date:
August 16, 2006

Date Reported:
July 3, 2006

Patch Development Time (in days):
44

Severity:
High (Remote Code Execution)

Vendor:
IBM / Lenovo

Systems Affected:
Windows NT 4.0 (All versions)
Windows 2000 (All versions)
Windows XP (All versions)
Windows 2003 (All versions)

Overview:
eEye Digital Security has discovered a security vulnerability in IBM's
eGatherer ActiveX control.  This is the second vulnerability found in
this control by eEye Research, the first being from Drew Copley
(http://www.eeye.com/html/research/advisories/AD20040615B.html).  This
control is typically installed by default on IBM workstations and
laptops, and is used by default for auto-finding drivers/updates on
IBM's/Lenovo's support site.

IBM / Lenovo describes this ActiveX control as follows:
"The auto-detect feature automatically finds your system's machine-type,
model, and serial number to help you get the files and information you
need quickly and easily. *It does not collect any personal information
or compromise the security of your system in any way.*"

Despite their promise for not "compromising the security of the system
in any way", a buffer overflow exists within the handling of a parameter
of the ActiveX control that would allow a remote attacker to reliably
overwrite the stack with arbitrary data and execute arbitrary code
through the web browser with the privileges of the logged in user.

Technical Details:
The vulnerability exists within the RunEgatherer function within the
ActiveX control.  This method accepts one parameter, the specified file
name for the eGatherer log output.  It should be noted that even when
setting the parameter to a legitimate output path, the ActiveX control
still only writes the log file to the SystemDrive.  By filling the single
parameter with a large string, a straight stack overflow occurs.  The
following sample would reproduce the crash for vulnerable ActiveX controls:

<html>
<object classid='clsid:74FFE28D-2378-11D5-990C-006094235084'
id='notCompromising'></object>
<script language='vbscript'>
overflowBuffer=String(300,"A")
notCompromising.RunEgatherer overflowBuffer
</script>
</html>

The vulnerable code is as follows:

.text:10003B73 push    dword ptr [ebp+0Ch] ; lpString
.text:10003B76 call    ds:lstrlenW
.text:10003B7C lea     edi, [eax+eax+2]
.text:10003B80 mov     eax, edi
.text:10003B82 add     eax, 3
.text:10003B85 and     al, 0FCh
.text:10003B87 call    __alloca_probe
.text:10003B8C mov     esi, esp
.text:10003B8E push    ebx             ; lpUsedDefaultChar = 0x0
.text:10003B8F push    ebx             ; lpDefaultChar = 0x0
.text:10003B90 push    edi             ; cchMultiByte = 1002 (eax*2 + 2)
.text:10003B91 push    esi             ; lpMultiByteStr = ESP (STACK)
.text:10003B92 push    0FFFFFFFFh      ; cchWideChar = -1
.text:10003B94 push    dword ptr [ebp+0Ch] ; lpWideCharStr = ptr to our string
.text:10003B97 mov     [esi], bl
.text:10003B99 push    ebx             ; dwFlags = 0x0
.text:10003B9A push    ebx             ; CodePage = 0x0
.text:10003B9B call    ds:WideCharToMultiByte

The vulnerability begins with a stack allocation for the string.  This
is not in itself vulnerable, but there has yet to be a length check on
the supplied string.
The string is copied once more into memory, slightly below the
first, and then lower-cased:

.text:10003BA1 lea     eax, [ebp-118h]
.text:10003BA7 push    esi             ; unsigned __int8 *
.text:10003BA8 mov     esi, ds:_mbscpy
.text:10003BAE push    eax             ; unsigned __int8 *
.text:10003BAF call    esi ; _mbscpy
.text:10003BB1 lea     eax, [ebp-118h]
.text:10003BB7 pop     ecx
.text:10003BB8 test    eax, eax
.text:10003BBA pop     ecx
.text:10003BBB jz      short loc_10003C23
.text:10003BBD lea     eax, [ebp-118h]
.text:10003BC3 push    eax             ; unsigned __int8 *
.text:10003BC4 call    sub_10003C45    ; TOLOWER SUBROUTINE

The original string remains untouched, and all future operations will be
performed on the lower-case string.  However, because there were no
length checks on the string, the memory is copied straight into the
undersized stack buffer and causes a simple buffer overflow.
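The following C model is an added example written for this page; it is not eEye's code or IBM's. It mirrors the two steps in the listings above: the scratch size the control computes for WideCharToMultiByte (2 bytes per UTF-16 unit plus a 2-byte terminator, rounded up to 4 for __alloca_probe) and the unchecked _mbscpy into the fixed 0x118-byte buffer at [ebp-118h], placed beside a hardened copy that rejects any name that would not fit. The buffer size of 0x118 bytes is an assumption taken from the frame offset; the function names and the sample inputs are constructed for the demo.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed size of the fixed stack buffer at [ebp-118h] in the listing:
 * 0x118 = 280 bytes, holding the lower-cased copy of the log name. */
#define LOG_NAME_BUF_SIZE 0x118

/* Scratch size the control computes before WideCharToMultiByte:
 * lea edi,[eax+eax+2] -> 2 bytes per UTF-16 unit plus a 2-byte terminator.
 * For a 500-character string this is the 1002 noted in the listing. */
size_t multibyte_scratch_size(size_t wide_len) {
    return 2 * wide_len + 2;
}

/* __alloca_probe receives that size rounded up to a multiple of 4
 * (add eax,3 / and al,0FCh). */
size_t alloca_rounded_size(size_t n) {
    return (n + 3) & ~(size_t)3;
}

/* Unchecked form, mirroring the listing: _mbscpy into the fixed buffer,
 * then lower-case in place. Nothing bounds strlen(src), so any name of
 * LOG_NAME_BUF_SIZE bytes or more overruns the stack frame.
 * Kept only for contrast; the demo never calls it with a long name. */
void copy_log_name_lower_unchecked(const char *src, char *dst) {
    strcpy(dst, src);                      /* no length check: the overflow */
    for (char *p = dst; *p; p++)
        *p = (char)tolower((unsigned char)*p);
}

/* Hardened form: the copy must fit including the terminating NUL.
 * Returns 0 on success, -1 if the name is too long (dst is then empty). */
int copy_log_name_lower(const char *src, char *dst, size_t dstlen) {
    size_t len = strlen(src);
    if (dstlen == 0)
        return -1;
    if (len >= dstlen) {                   /* need len + 1 bytes */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, len + 1);
    for (size_t i = 0; i < len; i++)
        dst[i] = (char)tolower((unsigned char)dst[i]);
    return 0;
}

/* Constructed input: n copies of 'A', as in String(n,"A") from the sample. */
const char *constructed_name(size_t n) {
    static char name[1024];
    if (n >= sizeof name)
        n = sizeof name - 1;
    memset(name, 'A', n);
    name[n] = '\0';
    return name;
}

/* Runs the hardened copy against a LOG_NAME_BUF_SIZE buffer and returns
 * the lower-cased result, or NULL when the name was rejected. */
const char *demo_lower(const char *src) {
    static char buf[LOG_NAME_BUF_SIZE];
    return copy_log_name_lower(src, buf, sizeof buf) == 0 ? buf : NULL;
}

int main(void) {
    const char *r;
    printf("scratch for 500 wide chars: %zu bytes, rounded to %zu\n",
           multibyte_scratch_size(500),
           alloca_rounded_size(multibyte_scratch_size(500)));
    r = demo_lower("C:\\Temp\\EGATHER.LOG");          /* constructed name */
    printf("short name  -> %s\n", r ? r : "rejected");
    r = demo_lower(constructed_name(279));              /* last size that fits */
    printf("279 x 'A'   -> %s\n", r ? "accepted" : "rejected");
    r = demo_lower(constructed_name(300));              /* the crash sample */
    printf("300 x 'A'   -> %s\n", r ? "accepted" : "rejected");
    return 0;
}
```

The boundary is the point to check in a review: 279 bytes plus the NUL is the last name that fits a 280-byte buffer, and the crash sample's 300 bytes is rejected rather than written past the frame.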

Protection:
Retina (http://www.eeye.com/html/Products/Retina/index.html) Network
Security Scanner has been updated to identify this vulnerability.
Blink (http://www.eeye.com/html/products/blink/index.html) Endpoint
Vulnerability Prevention preemptively protects from this vulnerability.

Vendor Status:
IBM UK has patched the vulnerability in their latest version of the
eGatherer ActiveX control (3.20.0284.0), available here:
http://www-307.ibm.com/pc/support/IbmEgath.cab.

Credit:
Andre Derek Protas

Greetings:
Barnz,D-Rock,Karl,HTP,Marc,Steve,Tequila,Ica,SyScan06,xbxice,The
Fam-Damnly, and (RIT(D|S))+.
|Affected products
IBM eGatherer 2.42.243.0
IBM eGatherer 2.0.16
|References

Source: US-CERT
Name: VU#380277
Link: http://www.kb.cert.org/vuls/id/380277
Source: BID
Name: 19554
Link: http://www.securityfocus.com/bid/19554
Source: VUPEN
Name: ADV-2006-3305
Link: http://www.frsirt.com/english/advisories/2006/3305
Source: www.eeye.com
Link: http://www.eeye.com/html/research/advisories/AD20060816.html
Source: SECUNIA
Name: 21528
Link: http://secunia.com/advisories/21528
Source: XF
Name: egatherer-activex-runegatherer-bo(28418)
Link: http://xforce.iss.net/xforce/xfdb/28418
Source: BUGTRAQ
Name: 20060829 [ISR] - IBM eGatherer ActiveX Code Execution PoC
Link: http://www.securityfocus.com/archive/1/archive/1/444899/100/100/threaded
Source: BUGTRAQ
Name: 20060816 [EEYEB-20060703] IBM eGatherer ActiveX Code Execution Vulnerability
Link: http://www.securityfocus.com/archive/1/archive/1/443471/100/0/threaded
Source: SECTRACK
Name: 1016705
Link: http://securitytracker.com/id?1016705
Source: SREASON
Name: 1424
Link: http://securityreason.com/securityalert/1424