
T-615: IBM Rational System Architect ActiveBar ActiveX Control Lets Remote Users Execute Arbitrary Code

May 4, 2011 - 7:15am


PROBLEM:

A vulnerability was reported in IBM Rational System Architect. A remote user can cause arbitrary code to be executed on the target user's system.

PLATFORM:

IBM Rational System Architect 11.4 and prior versions

ABSTRACT:

There is a high-risk security vulnerability in the ActiveBar ActiveX controls used by IBM Rational System Architect.

REFERENCE LINKS:

IBM Advisory: 21497689
SecurityTracker Alert ID: 1025464
CVE-2011-1207
Secunia Advisory: SA43399

IMPACT ASSESSMENT:

High

Discussion:

A remote user can create a specially crafted HTML that, when loaded by the target user, will exploit the Save(), SaveLayoutchanges(), SaveMenuUsageData() and SetLayoutData() methods in the ActiveBar ActiveX controls (actbar.ocx and actbar2.ocx) to execute arbitrary code on the target system. The code will run with the privileges of the target user. The vulnerability resides in the ActiveBar ActiveX controls used by IBM Rational System Architect.

Impact:

A remote user can create HTML that, when loaded by the target user, will execute arbitrary code on the target user's system.
It is possible for an attacker to compromise the ActiveBar ActiveX controls (actbar.ocx and actbar2.ocx) used within Rational System Architect to execute arbitrary code by instantiating these controls from Microsoft Internet Explorer Web browsers (see CVE-2011-1207). Known methods of exploiting the vulnerability in these controls include Save(), SaveLayoutchanges() and SaveMenuUsageData(). In ActiveBar1, an additional method - SetLayoutData() - has been identified to exploit the vulnerability.

Solution:

For a remote attacker to exploit the vulnerability in System Architect releases, all of the following conditions must be met:
1. The user must have Rational System Architect installed on the machine. (Important note: System Architect does not need to be in active use; the vulnerability targets the ActiveX controls regardless of whether Rational System Architect is being used.)
2. The attacker must create malicious code that exploits the ActiveX control. This code could be delivered as an e-mail attachment or embedded in a Web page.
3. The user must be persuaded to open the attachment, or to follow a link to a Web site containing the malicious code, using the Microsoft Internet Explorer Web browser.
4. In the Internet Zone, the user must also authorize the ActiveX popup dialog before the control can be used.

11.4.x.x: Upgrade to 11.4.0.3 (eGA 29 April 2011) or later. Note that 11.4.0.2 (eGA 25 March 2011) removed the actbar2.ocx component; 11.4.0.3 also removes actbar.ocx.
System Architect 11.4.x.x Fix Download
11.3.x.x: Upgrade to 11.3.1.4 (eGA 29 April 2011) or later, and consider upgrading to 11.4.0.3 or later. Note that 11.3.1.4 removes both actbar.ocx and actbar2.ocx.
System Architect 11.3.x.x Fix Download
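As an added example for verifying the fix above (this script is not from IBM or the advisory): it audits a Windows host for CLSIDs still registered to the two control files the advisory names, actbar.ocx and actbar2.ocx, and can apply the Internet Explorer kill bit to them as a compensating control until the upgrade removes the files. The advisory lists no CLSIDs, so the script discovers them from the registry; the -SetKillBit switch and the report-only default are this example's own design, and it assumes an elevated PowerShell prompt.

```powershell
# Added example (not part of the IBM advisory): audit a host for ActiveBar
# control registrations and, optionally, kill-bit them in Internet Explorer.
# Run from an elevated PowerShell prompt. Default is report-only.
param(
    [switch]$SetKillBit   # assumption: hypothetical switch for this example
)

$targets = @('actbar.ocx', 'actbar2.ocx')   # file names taken from the advisory
$found   = @()

# Scan both the native and the 32-bit (Wow6432Node) CLSID hives, since an
# .ocx is a 32-bit control and may be registered in either view.
$clsidRoots = @('Registry::HKEY_CLASSES_ROOT\CLSID',
                'Registry::HKEY_CLASSES_ROOT\Wow6432Node\CLSID')

foreach ($root in $clsidRoots) {
    if (-not (Test-Path $root)) { continue }
    foreach ($key in Get-ChildItem -Path $root -ErrorAction SilentlyContinue) {
        $inproc = Join-Path $key.PSPath 'InprocServer32'
        if (-not (Test-Path $inproc)) { continue }
        # The default value of InprocServer32 is the path of the COM server.
        $server = (Get-ItemProperty -Path $inproc -ErrorAction SilentlyContinue).'(default)'
        if (-not $server) { continue }
        $leaf = [System.IO.Path]::GetFileName($server).ToLower()
        if ($targets -contains $leaf) {
            $found += [pscustomobject]@{
                Clsid  = $key.PSChildName
                Server = $server
                OnDisk = Test-Path $server   # False = stale registration only
            }
        }
    }
}

if (-not $found) {
    Write-Output 'No ActiveBar (actbar.ocx / actbar2.ocx) CLSID registrations found.'
    return
}
$found | Format-Table -AutoSize

if ($SetKillBit) {
    # Compatibility Flags = 0x400 (COMPATFLAG_KILL_BIT) stops IE from instantiating
    # the control even if the .ocx remains on disk. Write both the native and the
    # Wow6432Node ActiveX Compatibility keys so 32-bit and 64-bit IE both honour it.
    foreach ($f in $found) {
        foreach ($base in @('HKLM:\SOFTWARE', 'HKLM:\SOFTWARE\Wow6432Node')) {
            $k = "$base\Microsoft\Internet Explorer\ActiveX Compatibility\$($f.Clsid)"
            if (-not (Test-Path $k)) { New-Item -Path $k -Force | Out-Null }
            Set-ItemProperty -Path $k -Name 'Compatibility Flags' -Value 0x400 -Type DWord
        }
        Write-Output "Kill bit set for $($f.Clsid) ($($f.Server))"
    }
}
```

After applying 11.4.0.3 or 11.3.1.4, a registration reported with OnDisk = False is a stale COM entry left behind by the removed file; a registration with OnDisk = True means the vulnerable control is still present.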
