Unrated severity · NVD Advisory · Published Dec 31, 2004 · Updated Apr 16, 2026

CVE-2004-2663

Description

IBM Access Support eGatherer ActiveX control exposes methods that let remote attackers write arbitrary files to the victim's startup folder.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The SetDebugging and RunEgatherer methods in the IBM Access Support eGatherer ActiveX control version 2.0.0.16 allow remote attackers to create files with arbitrary content on a target system. The control is signed by IBM and installed by default on many IBM PC models, making it possible for web pages to invoke it when the user trusts the IBM signature. The vulnerable methods accept a filename parameter without proper restrictions, enabling the creation of files such as a .hta file in the user's Startup folder. [1][2][3]

Exploitation

An attacker needs to host a malicious web page that instantiates the signed eGatherer ActiveX control. When a victim with the vulnerable control installed visits the page and accepts the trust prompt (if prompted), the attacker can call SetDebugging or RunEgatherer with a crafted filename argument pointing to a location like the Startup folder. The content written is constrained but still executable, allowing the attacker to drop a script or HTA file that runs when the user logs in. No additional authentication or user interaction beyond accepting the ActiveX prompt is required. [2][3]

Impact

Successful exploitation gives the attacker the ability to write arbitrary files to the file system, specifically to the Startup folder, leading to arbitrary code execution at the user's privilege level when the system is next started. This compromises confidentiality, integrity, and availability by allowing persistent execution of attacker-controlled code on the affected system. [2][3]

Mitigation

IBM did not release a patch for this vulnerability; the eGatherer ActiveX was later deprecated. Users should remove the control by unregistering it (e.g., regsvr32 /u egatherer.dll) or by disabling ActiveX execution in Internet Explorer zones. As of the disclosure date (June 15, 2004), no official fix was provided. [2][3]

AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0

No patches discovered yet.

References: 8
