e-Gatherer Buffer Overflow Vulnerability
Severity: High
Affected Software: Systems with IBM Access Support installed and using:
- Internet Explorer 6
- Windows 2000 -or- Windows XP
- Other versions of Windows may also be affected.
Summary
eEye discovered a buffer overflow vulnerability in an IBM/Lenovo ActiveX control called e-Gatherer. The ActiveX control is used to report a multitude of characteristics of the client system, including: computer name, OS version, installed hardware, serial numbers, drivers installed, and other system-specific information. From the IBM and Lenovo Support sites:
The solutions use a variety of tools to perform tasks. We commonly use an IBM tool called e-Gatherer to collect the information about the system (however, we do not collect any information that would violate your privacy). We also frequently use tools and techniques available from Microsoft to check and adjust settings. In addition, we sometimes use tools developed by third party vendors to perform certain tasks such as hardware problem diagnosis.
e-Gatherer is a program that collects configuration information from a user's computer to help with the diagnosis of problems reported to IBM. e-Gatherer aims to improve customer satisfaction by reducing the time a customer spends collecting data from relevant machines and by reducing the time IBM spends in resolving problems by improving the content and accuracy of information gathered.
Exploitation
Because the ActiveX control can collect various pieces of information that might aid an attacker in exploiting a victim system, this vulnerability is particularly insidious. During the course of our investigation, the IBM Security Intelligence team was able to use the output from e-Gatherer to refine exploitation of specific systems based on OS version and Service Packs installed. Additionally, the system information collected by e-Gatherer may be used for further reconnaissance in exploiting other vulnerabilities that might exist on the client system.
The IBM Security Intelligence team was able to determine that systems running Internet Explorer 6 installed on Windows 2000 and Windows XP are vulnerable to this attack. However, there are several mitigating factors:
- The user must visit a malicious Web site or be directed to a malicious Web site by clicking a link in an email, instant message, or other communique.
- Systems where the execution of ActiveX controls is disabled are not susceptible to this attack.
Remediation
To determine if e-Gatherer is installed:
- Open Internet Explorer 6.
- Click Tools.
- Click Internet Options.
- On the General tab, click Settings.
- Click View Objects. If IBM Access Support is displayed in the dialog, then IBM e-Gatherer is installed.
Note: You can also check the properties of %SYSTEMROOT%\SYSTEM32\IbmEgath.dll to determine the version of e-Gatherer installed. Within Windows Explorer, right-click the IbmEgath.dll file and choose Properties. The version of the DLL is displayed on the Version tab.
If your system shows the version of IBM Access Support is 3.20.0284.0 or higher, then the fix has been applied and no further action is required. If the version displayed is lower than 3.20.0284.0, users can perform any one of the following actions to remediate the vulnerability:
- Disable all ActiveX content within Internet Explorer. The following Microsoft KnowledgeBase article explains how: http://support.microsoft.com/kb/q154036. Disabling all ActiveX content will eliminate a number of known vulnerabilities.
- Disable the e-Gatherer ActiveX control. Within Internet Explorer 6, click the Tools menu and choose Internet Options. From the Programs tab, click the Manage Add-ons button. From the list of Add-ons that have been used by Internet Explorer, highlight IBM Access Support and click the Disable radio button.
- Upgrade the e-Gatherer control from the vulnerable system. Visit http://www.lenovo.com/pc/support/ and click the Auto-detect this system link. This will prompt the user to install a newer version of the IBM Access Support software. Organizations that would like to distribute the software automatically can obtain the updated files here: http://www-307.ibm.com/pc/support/IbmEgath.cab.
Additionally, administrators can use the HTML on the following blog post to help users determine if they are vulnerable and point them to the updated version of e-Gatherer: http://www-03.ibm.com/developerworks/blogs/page/threat?entry=detecting_vulnerable_e_gatherer_installations
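The DLL version check described in the Note above can be scripted for fleet inventory. The following is an added example, not code from the advisory or from IBM/Lenovo; it assumes PowerShell is available on the inspected host and, as the Note states, that the file version of %SYSTEMROOT%\SYSTEM32\IbmEgath.dll is the installed e-Gatherer version.

```powershell
# Added example (not from the advisory): classify a host as NotInstalled,
# Vulnerable or Fixed using the 3.20.0284.0 threshold given above.
$FixedVersion = [version]'3.20.0284.0'
$DllPath      = Join-Path $env:SystemRoot 'SYSTEM32\IbmEgath.dll'

function Test-EGathererVersionFixed {
    # Pure comparison so values pulled from an inventory system can be
    # checked the same way as a local file. Returns $true when at/above fix.
    param([Parameter(Mandatory)][version]$Version,
          [version]$Fixed = $FixedVersion)
    return ($Version -ge $Fixed)
}

function Get-EGathererStatus {
    param([string]$Path = $DllPath, [version]$Fixed = $FixedVersion)

    if (-not (Test-Path -LiteralPath $Path)) {
        return New-Object psobject -Property @{
            Path = $Path; Version = $null; Status = 'NotInstalled' }
    }

    # Build the version from the numeric parts rather than parsing the
    # FileVersion string, which vendors sometimes pad or annotate.
    $info = [System.Diagnostics.FileVersionInfo]::GetVersionInfo($Path)
    $v = New-Object System.Version($info.FileMajorPart, $info.FileMinorPart,
                                   $info.FileBuildPart, $info.FilePrivatePart)

    $status = if (Test-EGathererVersionFixed -Version $v -Fixed $Fixed) {
        'Fixed' } else { 'Vulnerable' }

    New-Object psobject -Property @{ Path = $Path; Version = $v; Status = $status }
}

# Local run: report the status of this host.
Get-EGathererStatus | Format-List Path, Version, Status
```

A "Vulnerable" result means one of the three remediation actions above still applies; "NotInstalled" hosts are not exposed to this control.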