WeOnlyDo! SFTP ActiveX control fails to properly restrict access to methods

Overview

The WeOnlyDo! SFTP ActiveX control is incorrectly marked safe for scripting. This may allow a remote unauthenticated attacker to upload arbitrary files from a vulnerable system to an SFTP server or download arbitrary files from an SFTP server to a vulnerable system.

Description

ActiveX

ActiveX is a technology that allows programmers to create reusable software components that can be incorporated into applications to extend their functionality. Internet Explorer is a common Windows application that makes use of ActiveX controls.

ActiveX safety determination

Internet Explorer determines if an ActiveX control is safe by querying the IObjectSafety interface of the object and by querying the Implemented Categories registry key for the control, as specified by Microsoft Knowledge Base Article 216434 and the MSDN ActiveX safety article.

ActiveX security options

Through either the IObjectSafety interface or the appropriate registry values, an ActiveX control can be marked as “safe for scripting” and/or “safe for initialization.” According to the MSDN article Signing and Marking ActiveX Controls:

If you mark your control as safe for initializing, you are asserting that no matter what values are used to initialize your control, it won’t do anything that would damage a user’s system or compromise the user’s security.

If you mark your control as safe for scripting, you are asserting that your control won’t do anything to damage a user’s system or compromise the user’s security, regardless of how your control’s methods and properties are manipulated by the Web page’s script. In other words, it has to accept any method calls (with any parameters) and/or property manipulations in any order without doing anything bad.
The MSDN article Designing Secure ActiveX Controls states:

Controls are marked as not safe for scripting or data initialization by default. Don’t implement them unless the functionality of the control is hampered without them.
** wodSFTP control**

The WeOnlyDo! SFTP (wodSFTP) ActiveX control is an ActiveX component that provides Secure File Transfer Protocol (SFTP) functionality to the application that uses it.

The problem

The wodSFTP ActiveX control can download arbitrary files to the local file system, but it is marked as “safe for scripting” via the IObjectSafety interface. It can also upload arbitrary files from the local file system. These methods require no user interaction to complete.

---

Impact

By convincing a victim to view an HTML document (web page, HTML email, or email attachment), an attacker could download arbitrary files to a vulnerable system within the security context of the user running IE. These files could contain code that could be executed through other means. The user may click the file inadvertently, or the file may be placed in a sensitive location, such as the Windows Startup folder where it will automatically execute the next time the user logs onto the system. An attacker can also retrieve arbitrary files from a victim’s computer.

---

Solution

We are currently unaware of a practical solution to this problem.

---

Disable the wodSFTP control

Disable the wodSFTP control by setting the kill bit as described in Microsoft Knowledge Base article 240797. The CLSID for the wodSFTP control is:

{6795FA0F-35C3-4BEB-B3AA-F19DB0B228EA}
This will prevent the wodSFTP control from being used in Internet Explorer but should not interfere with other applications that happen to use the control.

Disable Active scripting and ActiveX

Disabling Active scripting and ActiveX controls in the Internet Zone (or any zone used by an attacker) appears to prevent exploitation of this vulnerability. With ActiveX controls disabled, the wodSFTP ActiveX control will not be instantiated. With Active scripting disabled, the wodSFTP ActiveX control cannot be scripted by a web site. Instructions for disabling Active scripting and ActiveX in the Internet Zone can be found in the Securing Your Web Browser document and the Malicious Web Scripts FAQ.

---

Vendor Information

378604

Filter by status: All Affected Not Affected Unknown

Filter by content: __ Additional information available

__ Sort by: Status Alphabetical

Expand all

Javascript is disabled. Click here to view vendors.

WeOnlyDo! Software __ Affected

Notified: May 25, 2006 Updated: May 31, 2006

Status

Affected

Vendor Statement

We are fully aware of this issue, but have no plans to update our software at this time. In our opinion this vulnerability note does not affect wodSFTP’s security or strength - it only explains that wodSFTP can be used by malicious software.

Trying to remove ‘safe for scripting’ flag would affect wodSFTP’s functionality and it wouldn’t be usable in certain environments at all.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

We believe the wodSFTP control be be vulnerable because it does not follow Microsoft’s “Designing Secure ActiveX Controls” guidelines. If you do not need to use the wodSFTP control in a web page, we recommend setting the kill bit for the control, as specified in VU#378604.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23378604 Feedback>).

CVSS Metrics

Group	Score	Vector
Base
Temporal
Environmental

References

• <http://www.cert.org/reports/activeX_report.pdf&gt;
• <http://www.weonlydo.com/index.asp?showform=SFTP&gt;
• <http://support.microsoft.com/kb/216434/&gt;
• <http://msdn.microsoft.com/workshop/components/activex/safety.asp&gt;
• <http://msdn.microsoft.com/workshop/components/activex/security.asp&gt;

Acknowledgements

Thanks to Will Dormann of CERT/CC for reporting this vulnerability.

This document was written by Will Dormann.

Other Information

CVE IDs:	CVE-2006-1175
Severity Metric:	5.05 Date Public: