ActiveX Xploitation In 2009
Who The Hell Am I?
Hi, my name is Paul Craig. Principal Security Consultant, Security-Assessment.com. "I hack things." Google me (I have hacked lots of things).
Agenda
What Is ActiveX & How Does it Work
ActiveX Vulnerabilities
Finding ActiveX Vulnerabilities
Why Everything Is Different With IE 8
Shell Poppin’
What Is ActiveX?
ActiveX is part of COM.
Component Object Model includes: OLE, OLE Automation, ActiveX, COM+, DCOM.
COM is a language-neutral method of implementing objects. Objects can be easily reused by other applications.
In 1996 Microsoft renamed Internet OLE controls to 'ActiveX'. ActiveX was designed as the internet component of COM. It is widely used throughout the Windows environment and became the most popular component of COM.
COM objects are referenced by a ClassID or ProgID. "CLSID is a 128-bit unique ID for a software application."
Eg: CLSID = {AE7AB96B-FF5E-4dce-801E-14DF2C4CD681}
A Programmatic Identifier (ProgID) is a human-readable name, eg: WMP11.AssocFile
Controls must be registered before use (Regsvr32.exe control.dll).
ActiveX controls can be loaded by IE:
<object classid="clsid:22D6F312-B0F6-11D0-94AB-0080C74C7E95">
IE uses the CoCreateInstance() method of COM, which creates a single uninitialized object of the class associated with a specified CLSID.
Interfaces and Methods
COM is based on Object Oriented Programming.
COM objects expose interfaces. Interfaces expose methods.
Methods = the functions of procedural programming.
Object.Interface.Method()
Eg: MSNETOBJ.IRMGetLicense.GetLicenseFromURL('http://www...')
COM Objects Are Not Typical DLL Libraries
Standard DLL 'exported functions' are not present in COM. Available methods are exposed through DllRegisterServer, abstracted from native operations.
All CLSIDs on Windows can be found at HKEY_CLASSES_ROOT\CLSID, which is an alias to HKEY_LOCAL_MACHINE\Software\Classes\CLSID.
ActiveX Controls Have Opt-In Security Categories For IE
Safe For Initialisation (SFI). Safe For Scripting (SFS).
Category membership is found at: HKEY_CLASSES_ROOT\CLSID\{CLSID}\Implemented Categories
{7DD95801-9882-11CF-9FA9-00AA006C42C4} = SFI
{7DD95802-9882-11CF-9FA9-00AA006C42C4} = SFS
Not supported under Windows CE.
ActiveX Security Measures
Safe For Initialization allows a control to be initialised with persistent data. Persistent data is supplied when the control is initialised.
Input is supplied using an IPersist interface: <object ...><param name=play value=test.wmv></object>
Safe For Scripting allows a control to be initialised and scripted with dynamic data. Scripted using JavaScript/VBScript, the control can be accessed and its methods called freely at run time.
Input is supplied using an IDispatch interface.
IObjectSafety interface: the control identifies its own security level ("I am not safe to script!"). The COM subsystem validates the IObjectSafety interface prior to loading the control.
Object.IObjectSafety.GetInterfaceSafetyOptions
INTERFACESAFE_FOR_UNTRUSTED_DATA = SFS
INTERFACESAFE_FOR_UNTRUSTED_CALLER = SFI
SetInterfaceSafetyOptions is also supported. This is the only security method supported by Windows CE.
Internet Explorer v6 Backward Compatibility Supported
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLS-ID}\Compatibility Flags
COMPAT_SAFEFOR_LOADING = 0x00800000
"This compatibility flag can be used to disable the Internet Explorer 7 IObjectSafety check and revert back to Microsoft Internet Explorer 6 behaviour."
ActiveX Kill Bit
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLS-ID}\Compatibility Flags
0x00000400 = EVIL_BIT (Kill bit)
Kill'd CLS-IDs cannot be loaded by IE. Updated kill bit lists are distributed through Windows Update.
Querying An ActiveX Control
Using OLEView we can query an ActiveX control through its TypeLib.
Type libraries describe the contents of a COM component: exposed interfaces, methods, properties and constants, and method type definitions.
TypeLibs are either embedded with an ActiveX control, an additional .TLB file, or not present at all.
OleView Example
ActiveX exploitation has grown with popularity: 50 remote command execution bugs in ActiveX in 2006, 1 in 2001.
Over 110 ActiveX exploits on MilW0rm.com. A popular attack path for browser exploitation. ActiveX controls run in the same context as Internet Explorer. Hacking clients is the new 'in-thing'.
Why Is ActiveX So Insecure?
Compiler security disabled: SafeSEH turned off, /GS disabled. (Most) ActiveX controls use the default Windows heap allocator. Controls are not sandboxed and can manipulate COM/IE functionality.
ActiveX security controls are purely opt-in. Developers mark controls SFS & SFI when not required. Many controls were never designed to be scripted by IE. "There were only 7 days Internet Explorer was safe to use in the entire year of 2004."
ActiveX controls are shipped with commercial software. Users are not informed about control installation.
ActiveX Bugs Can Be Classified Into Three Groups: Insecure Method Functionality, Insecure Object Instantiation, Insecure Scripting.
#1 - Insecure Method Functionality. Legitimately using the method of a control to do something malicious. SFI or SFS exploitable.
Friendly Technologies Dialler – Execute Arbitrary Commands
PBEmail Arbitrary File Overwrite (SFS + SFI)
WebLaunch Arbitrary Command Execution (SFS + SFI)
Synactis All In The Box – Null Byte File Overwrite (SFS + SFI)
#2 - Insecure Object Instantiation. An ActiveX instantiated with malicious persistent input. Control only marked Safe For Initialization. User-supplied persistent values used as control parameters.
Common application development vulnerabilities: stack/heap overflows, integer overflows, format string vulnerabilities.
Malformed input causing an application exception: a long string supplied to a method, a long string assigned to a control property, a large numeric passed to a method.
#3 – Insecure Scripting. Control marked Safe For Scripting. An ActiveX method scripted with malicious input. JavaScript/VBScript used to interact with the control. Vulnerable to common application development vulnerabilities.
Finding ActiveX Vulnerabilities
Query the ActiveX controls installed on the system. Look up the UUID (GUID) value in the co-class.
Search the registry for the GUID: is it SFS? It may still be SFS without an Implemented Categories entry. Use Axenum (part of AXFuzz) to enumerate IObjectSafety settings.
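The registry locations described on the slides (the Implemented Categories under each CLSID and the IE Compatibility Flags value) are what a defender audits to answer the same question from the other side: which installed controls are marked scriptable from IE, and which of those already carry a kill bit. The PowerShell below is an added example, not part of the talk or any tool it names. It assumes only the category GUIDs and flag values listed on the slides; the CLSID in the usage line is a placeholder. As the slide notes, a control can still report itself safe through IObjectSafety without a category entry, so this registry-only inventory is a lower bound, not a complete answer.

```powershell
# Added example (not from the slides): inventory COM classes, report their
# opt-in IE safety categories and kill-bit status, and optionally kill-bit one.
$CATID_SafeForInitializing = '{7DD95801-9882-11CF-9FA9-00AA006C42C4}'   # SFI (from the slides)
$CATID_SafeForScripting    = '{7DD95802-9882-11CF-9FA9-00AA006C42C4}'   # SFS (from the slides)
$KILL_BIT                  = 0x00000400                                 # kill bit (from the slides)
$COMPAT_SAFEFOR_LOADING    = 0x00800000                                 # IE6-behaviour flag (from the slides)
$CompatRoot = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'

function Get-ActiveXSafetyReport {
    # Returns one object per CLSID (all of HKCR\CLSID, or only those passed in).
    param([string[]]$Clsid)
    $keys = if ($Clsid) {
        $Clsid | ForEach-Object { Get-Item "Registry::HKEY_CLASSES_ROOT\CLSID\$_" -ErrorAction SilentlyContinue }
    } else {
        Get-ChildItem 'Registry::HKEY_CLASSES_ROOT\CLSID'
    }
    foreach ($k in $keys) {
        $id = $k.PSChildName                                 # '{...}' including braces
        $cats = Get-ChildItem "$($k.PSPath)\Implemented Categories" -ErrorAction SilentlyContinue |
                ForEach-Object { $_.PSChildName }
        # Compatibility Flags is a DWORD; [int]$null is 0 when the value is absent.
        $flags = [int]((Get-ItemProperty "$CompatRoot\$id" -Name 'Compatibility Flags' `
                        -ErrorAction SilentlyContinue).'Compatibility Flags')
        [pscustomobject]@{
            CLSID            = $id
            ProgID           = (Get-ItemProperty "$($k.PSPath)\ProgID" -ErrorAction SilentlyContinue).'(default)'
            Server           = (Get-ItemProperty "$($k.PSPath)\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
            SFI              = [bool]($cats -contains $CATID_SafeForInitializing)
            SFS              = [bool]($cats -contains $CATID_SafeForScripting)
            KillBit          = [bool]($flags -band $KILL_BIT)
            IE6CompatLoading = [bool]($flags -band $COMPAT_SAFEFOR_LOADING)
        }
    }
}

function Set-ActiveXKillBit {
    # Sets the kill bit for one CLSID, preserving any other compatibility flags.
    # Supports -WhatIf so the change can be previewed before it is made.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Clsid)
    $path = "$CompatRoot\$Clsid"
    $cur = [int]((Get-ItemProperty $path -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags')
    if ($PSCmdlet.ShouldProcess($Clsid, 'set ActiveX kill bit')) {
        if (-not (Test-Path $path)) { New-Item $path -Force | Out-Null }
        Set-ItemProperty $path -Name 'Compatibility Flags' -Value ($cur -bor $KILL_BIT) -Type DWord
    }
}

# Usage: list controls marked Safe For Scripting that are not yet kill-bitted.
Get-ActiveXSafetyReport | Where-Object { $_.SFS -and -not $_.KillBit } |
    Format-Table CLSID, ProgID, Server, IE6CompatLoading -AutoSize

# Preview a kill bit for a placeholder CLSID (replace with a real one; needs an elevated shell to apply).
Set-ActiveXKillBit -Clsid '{00000000-0000-0000-0000-000000000000}' -WhatIf
```

The report also surfaces the COMPAT_SAFEFOR_LOADING flag, because a control with that bit set bypasses the IObjectSafety check the slides describe and is loaded with IE6 behaviour regardless of what the control reports; those entries deserve the same scrutiny as SFS controls. Writing to the ActiveX Compatibility key requires an elevated session.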
Fuzz the fuck out of it! I use COMBust: simple, effective, no false positives. combust -c {GUID}
Result: an overwritten function pointer.
Easy Exploitation: Heap Spraying
Method pioneered by Skylined, ZenParse and Alex Sotirov. Used since 2004, still works. Use JavaScript to allocate (lots) of memory on the heap and control the structure of the heap from JavaScript.
Overwrite a function pointer/SEH/return address, jump to the JavaScript-allocated heap, execute shellcode. Develop stack and heap overflows fast!
Empty heap. Windows Address Space Layout Randomization: the heap is somewhere, we don't know where, 32 possible locations.
If you can point EIP somewhere, where would you point?
JavaScript allocates lots of (NOP slide + shellcode).
Under certain circumstances Jscript.dll uses the common Windows heap allocator.
Use JavaScript to allocate 'heaps of heaps.' 0x0C0C0C0C will be one of those heaps.
Get EIP here. You win.
"Heap Feng Shui" – HeapLib.js
Automated JavaScript heap manipulation: HeapLib.js. Supports IE 5-7, object-oriented JavaScript API.
Supports: heap logging and debugging, allocation and freeing of blocks with arbitrary sizes, high-level heap manipulation (very easy). Control the heap.
Takes only minutes to create an ActiveX exploit and pop shell. Very easy, allows for lazy exploitation. Heap spraying lacks hacker finesse. "Allocate/spray 0x0c0c0c0c everywhere, until something goes there."
Why Does Heap Spraying Work?
The heap (data pages) is executable in the IE 7 process. DEP is *NOT* enabled for IE 5-7.
Certain JavaScript strings are stored on the shared Windows heap:
var test = "aaa"; is not on the OS heap.
var test = test.substring(0, test.length); is on the OS heap.
(Most) ActiveX controls use the generic Windows heap allocator, so an ActiveX heap overflow will overflow into the IE/COM heap. COM is written in Visual C++ and makes use of (thousands) of function pointers. Heap overflows often lead to function pointer overwrites.
COM makes use of (LOTS) of function pointers, and they are kept on the heap. You blindly overflow these function pointers with the location of your heap spray.
0xc0c0c0c0: 0xC0 = ADD al, 90 (NOP-like instruction). The instruction can be executed, read, jumped to!
JavaScript allocates (lots) of memory so that 0xC0.... exists. Many COM function pointers are overflowed with c0c0c0c0. The overwritten function pointer is called by COM. 0xc0c0c0c0 is executed. You pop shell.
It All Changes With IE 8
Internet Explorer 7 opted out of DEP due to plug-in compatibility: Flash and Java did not support DEP.
Internet Explorer 8 is DEP opt-in by default. Flash and Java now support DEP! DEP disables code execution from the heap.
New jscript.dll which has a "Not Executable" marked heap. "Ahem, that will not work in IE 8."
Anyone can install ActiveX controls in IE8 (not just administrators!). Unsafe methods will still be exploitable. "Click this control to activate it" removed.
SiteLock Interface
New method in IObjectSafety to protect controls from being loaded from arbitrary websites. Controls implement their own per-site control with SiteLock. Users can allow the control for a specific Web site, all Web sites, or disallow the control.
Shell Poppin'
Demo: find an ActiveX vulnerability, exploit it through heap spraying, pop shell.
Easy.
All Hail The Demo God