
Hunting for Web Exploits: ActiveX controls, LinkedIn, and you

07.26.2007 - 3:01 PM
New ActiveX control vulnerabilities surface and are exploited for nefarious purposes every day. Just two days ago, an ActiveX control vulnerability in LinkedIn's IE toolbar was published along with proof-of-concept exploit code. What exactly are they, and how do attackers use them? This post focuses on vulnerabilities that exist in ActiveX controls. We will see how and why attackers hunt for vulnerabilities like these, and how they exploit them.

So what is an ActiveX control? An ActiveX control is a special type of ActiveX object designed to be used in much the same way as a Java applet. These controls are DLL modules that sometimes ship with an .OCX extension, and each has a unique class ID (CLSID) that looks like this: {A09AE68F-B14D-43ED-B713-BA413F034904}

Some ActiveX controls ship with the Windows OS, and others arrive when one installs third-party software like WinZip, Flash, or Acrobat. How can we list the ActiveX controls installed on our system? My favorite tool for such a job is the TLB Viewer v2.03 by Jose Roca.

We just saw a list of all our installed ActiveX controls. Some of those controls are marked safe for scripting, which means that a web page can instantiate those control objects and call their methods. So let us see how an attacker might find which ones are marked safe for scripting and how he could use them over the web. For the first task, finding which ones are safe for scripting, we will use a tool from the MS Platform SDK called OLE Viewer.

Now that we know which controls are marked as safe for scripting, we need to answer the question of how to use them. One can simply use the HTML object tag, or JScript/VBScript code, to do so.

Example: <object id="WZFILEVIEW" width="50" height="50" classid="CLSID:A09AE68F-B14D-43ED-B713-BA413F034904"></object>

Now that we have a little background on ActiveX controls, let's dig deeper and see how an attacker can hunt for vulnerabilities inside these controls. We will focus on the recently patched WinZip 10.0 ActiveX control called "WZFILEVIEW.FileViewCtrl", located at C:\Program Files\WinZip\WZFILVW.OCX. First, the attacker may use the OLE Viewer tool to verify that WZFILEVIEW is marked safe for scripting, so that he knows that if he finds a vulnerability, it will be exploitable remotely from the web by crafting a malformed web page. After verifying that WZFILEVIEW.FileViewCtrl is reachable from the web, he will then try to discover the objects and interfaces exported by the ActiveX control using the TLB Viewer by Jose Roca.

Here, we see the list of exported objects and interfaces. The attacker's next step is to hunt for a vulnerability in those objects and interfaces, either by fuzzing the ActiveX control or, alternatively, by doing a code review on it (the neater way!). Granted, the attacker does not have the source code of the ActiveX control, but the attacker is armed with a knowledge of x86 assembly. To accomplish that, the attacker will open the module WZFILVW.OCX in a tool called IDA Pro by Data Rescue, which presents the module as pure assembler code. Now, you may be thinking to yourself what a huge mess it is, having to sift through all that assembler code to find the objects and interfaces exported by the ActiveX control. But do not be fooled: it will take the attacker no more than 5 minutes to identify these objects and interfaces.

Since the attacker knows that he is dealing with an ActiveX object that may export type libraries (if you want to know more about type libraries, check this link), he will first simply search for the function name. If the search yields no results, he will then try writing a small test program to load the ActiveX object and print out the virtual table address of each object. From there, he can get the real address of each function the object exports. So let's try the first method by searching for the name of the function. We will choose the function named "CreateNewFolderFromName". A search in IDA for that function name gives us the following result:

Here, we find the address of the function. All the attacker has left to do is jump to the function address and begin the code review there. Here is the beginning of the CreateNewFolderFromName function, and the attacker can easily see that it takes one parameter named "Source", of type char* (an ASCII string).

The attacker will now walk through the assembly code in the hope of catching a vulnerability in the CreateNewFolderFromName function. It will take an experienced attacker no more than 2 minutes to spot a vanilla stack-based overflow.

If you think that the lines of code above look vulnerable, you would be right. A call to _strcat with no bound on the length of the Source parameter leads to a stack-based buffer overflow when the destination buffer is allocated on the stack, especially when the Source parameter is supplied by the attacker. How do we know that this is a security concern? The security note in the MSDN documentation for strcat says: "Because strcat does not check for sufficient space in strDestination before appending strSource, it is a potential cause of buffer overruns. Consider using strncat instead."
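To make the fix concrete, here is an added example (my own illustration, not WinZip's code) of the hardened form of the pattern the post describes: a bounded replacement for the unchecked strcat that checks the space available in a fixed-size stack buffer before appending the caller-supplied Source. The buffer size, the FOLDER_PREFIX constant, and the helper names are assumptions for illustration; the post does not give the control's actual buffer size or prefix. It also shows the correct way to call strncat, since the MSDN note recommends it and its third argument is easy to get wrong.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed size of the fixed stack buffer (the real control's size is not
 * given in the post). */
#define FOLDER_BUF_SIZE 64

/* Hypothetical prefix the control prepends before appending Source. */
#define FOLDER_PREFIX "C:\\Temp\\"

/* Hardened replacement for "strcat(dest, Source)" on a stack buffer:
 * verify that prefix + Source + terminator fit in dest_size before writing.
 * On failure dest is left as an empty string and false is returned; the
 * caller must treat that as "do not create the folder". */
bool build_folder_path(char *dest, size_t dest_size, const char *source)
{
    size_t prefix_len = strlen(FOLDER_PREFIX);
    size_t source_len = strlen(source);

    if (dest_size == 0) return false;
    dest[0] = '\0';
    /* Reject rather than silently truncate: a truncated path names a
     * different folder than the one the caller asked for. */
    if (prefix_len + source_len + 1 > dest_size) return false;

    memcpy(dest, FOLDER_PREFIX, prefix_len);
    memcpy(dest + prefix_len, source, source_len + 1); /* includes NUL */
    return true;
}

/* Correct use of strncat: the count is the number of characters that may
 * still be appended (space left minus the terminator), NOT sizeof(dest).
 * The common mistake strncat(dest, src, sizeof dest) still overflows
 * whenever dest is already partly filled. */
bool append_bounded(char *dest, size_t dest_size, const char *src)
{
    size_t used = strlen(dest);
    if (used >= dest_size) return false;          /* dest not terminated */
    size_t room = dest_size - used - 1;           /* chars we may append */
    if (strlen(src) > room) return false;         /* would not fit */
    strncat(dest, src, room);
    return true;
}

/* Exercise both helpers with a normal name and an over-long one
 * (constructed inputs). */
int main(void)
{
    char buf[FOLDER_BUF_SIZE];
    char too_long[200];

    memset(too_long, 'A', sizeof too_long - 1);
    too_long[sizeof too_long - 1] = '\0';

    printf("\"reports\" -> %s\n",
           build_folder_path(buf, sizeof buf, "reports") ? buf : "(rejected)");
    printf("%zu x 'A' -> %s\n", strlen(too_long),
           build_folder_path(buf, sizeof buf, too_long) ? buf : "(rejected)");
    return 0;
}
```

The important property is that the length check happens before any byte is written, so an over-long Source never reaches the stack buffer at all; that is the check the disassembled function above lacks.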

And now, my friends, the game is over for the ActiveX control! All the attacker has left to do is to craft a web page that exploits the vulnerability. The web page will look something like this:

The above web page sprays the heap with shellcode and exploits CreateNewFolderFromName by overflowing the stack and overwriting the return address with the address of the allocated heap memory that contains the attacker's shellcode. We have just seen how easy it is for attackers to hunt for vulnerabilities in ActiveX controls. The patch for the above vulnerability can be found at: http://www.winzip.com/wz7245.htm

As a side note, I will be presenting with Stephan Chenette at Black Hat USA 2007 in a few days, so do stop by the Websense booth to say hi. The title of our presentation is "Defeating Web Browser Heap Spray Attacks".

Here are links to the tools used in the explanation above:

TLB Viewer by Jose Roca
http://www.jose.it-berater.org

IDA Pro Disassembler
http://www.datarescue.com

OLE/COM Object Viewer
http://www.microsoft.com/downloads/details.aspx?familyid=5233b70d-d9b2-4cb5-aeb6-45664be858b6&displaylang=en

List of last 10 ActiveX Vulnerabilities

IAKey ActiveX Control Buffer Overflow Vulnerability
http://secunia.com/advisories/25739/

InterActual Player Two ActiveX Controls Buffer Overflow Vulnerabilities
http://secunia.com/advisories/25718/

EnjoySAP Two ActiveX Controls Buffer Overflow Vulnerabilities
http://secunia.com/advisories/25959/

AMX VNC ActiveX Control Buffer Overflow Vulnerabilities
http://secunia.com/advisories/25891/

NCTsoft Products NCTWMAFile2 ActiveX Control "CreateFile()" Insecure Method
http://secunia.com/advisories/25825/

HP PSC All-in-One Series XMLData ActiveX Control Two Insecure Methods
http://secunia.com/advisories/25869/

Novell exteNd Director LocalExec ActiveX Control "launch()" Insecure Method
http://secunia.com/advisories/25710/

Yahoo! Messenger Two ActiveX Controls Buffer Overflows
http://secunia.com/advisories/25547/

WinZip FileView ActiveX Control Multiple Vulnerabilities
http://secunia.com/advisories/22891/

Symantec Products NAVOpts.dll ActiveX Control Security Bypass Vulnerability
http://secunia.com/advisories/25172/

McAfee SecurityCenter Subscription Manager ActiveX Control Buffer Overflow
http://secunia.com/advisories/25173/

PowerPoint Viewer OCX ActiveX Control Buffer Overflow Vulnerabilities
http://secunia.com/advisories/25092/

Microsoft Windows HTML Help ActiveX Control Vulnerability
http://secunia.com/advisories/24136/

Security Researcher: Moti Joseph, mjoseph | at | websense.com
