
ActiveX Xploitation In 2009



Presentation Transcript


  1. ActiveX Xploitation In 2009

  2. Who The Hell Am I?
     • Hi, My Name Is Paul Craig.
     • Principal Security Consultant, Security-Assessment.com
     • “I hack things.”
     • Google Me (I have hacked lots of things)

  3. Agenda
     • What Is ActiveX & How Does it Work
     • ActiveX Vulnerabilities
     • Finding ActiveX Vulnerabilities
     • Why Everything Is Different With IE 8
     • Shell Poppin’

  4. What Is ActiveX?
     • ActiveX is part of COM (Component Object Model).
     • COM includes: OLE, OLE Automation, ActiveX, COM+, DCOM.
     • COM is a language-neutral method of implementing objects.
     • Objects can be easily reused by other applications.
     • In 1996 Microsoft renamed Internet OLE controls to ‘ActiveX’.
     • ActiveX was designed as the internet component of COM.
     • Widely used throughout the Windows environment.
     • It has become the most popular component of COM.

  5. COM objects are referenced by a ClassID or ProgID
     • “CLSID is a 128 bit unique-id for a software application”
       Eg: CLSID = {AE7AB96B-FF5E-4dce-801E-14DF2C4CD681}
     • Programmatic Identifier is a human readable name:
       WMP11.AssocFile
     • Controls must be registered before use (Regsvr32.exe control.dll).
     • ActiveX controls can be loaded by IE:
       <object classid="clsid:22D6F312-B0F6-11D0-94AB-0080C74C7E95">
     • IE uses the CoCreateInstance() function of COM.
     • Creates a single uninitialized object of the class associated with a specified CLSID.

  6. Interfaces and Methods
     • COM is based on Object Oriented Programming.
     • COM Objects expose interfaces.
     • Interfaces expose methods.
     • Methods = Functions of procedural programming.
     • Object.Interface.Method()
       MSNETOBJ.IRMGetLicense.GetLicenseFromURL(‘http://www...’)

  7. COM Objects Are Not Typical DLL Libraries
     • Standard DLL ‘Exported Functions’ not present in COM.
     • Available methods are exposed through DllRegisterServer.
     • Abstracted from native operations.

  8. All CLSIDs on Windows can be found at
     • HKEY_CLASSES_ROOT\CLSID
     • Which is an alias to HKEY_LOCAL_MACHINE\Software\Classes\CLSID
     • ActiveX Controls Have Opt-In Security Categories For IE:
       • Safe For Initialisation.
       • Safe For Scripting.
     • Category Membership Found At:
       HKEY_CLASSES_ROOT\CLSID\{CLSID}\Implemented Categories
       • {7DD95801-9882-11CF-9FA9-00AA006C42C4} = SFI
       • {7DD95802-9882-11CF-9FA9-00AA006C42C4} = SFS
     • Not supported under Windows CE.

  9. ActiveX Security Measures
     • Safe For Initialization
       • Allows a control to be initialised with persistent data.
       • Persistent data is supplied when the control is initialised.
       • Input supplied using an IPersist interface.
       • <object ...><param name=play value=test.wmv></object>
     • Safe For Scripting
       • Allows a control to be initialised and scripted with dynamic data.
       • Scripted using JavaScript/VBScript.
       • Control can be accessed, methods called freely at run time.
       • Input supplied using an IDispatch interface.

  10. IObjectSafety Interface.
     • Control identifies its own security level: “I am not safe to script!”
     • COM subsystem validates the IObjectSafety interface prior to loading the control.
     • Object.IObjectSafety.GetInterfaceSafetyOptions
       • INTERFACESAFE_FOR_UNTRUSTED_DATA = SFS
       • INTERFACESAFE_FOR_UNTRUSTED_CALLER = SFI
     • SetInterfaceSafetyOptions also supported.
     • Only security method supported by Windows CE.

  11. Internet Explorer v6 Backward Compatibility Supported
     • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}\Compatibility Flags
     • COMPAT_SAFEFOR_LOADING = 0x00800000
     • “This compatibility flag can be used to disable the Internet Explorer 7 IObjectSafety check and revert back to Microsoft Internet Explorer 6 behaviour”
     • ActiveX Kill Bit
       • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}\Compatibility Flags
       • 0x00000400 = EVIL_BIT (Kill bit)
       • Kill-bitted CLSIDs cannot be loaded by IE.
       • Updated kill bit lists distributed through Windows Update.
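As an added audit example (not from the slides), the following PowerShell ties slides 8 and 11 together: it walks HKCR\CLSID, reports each class's SFI/SFS category membership together with the kill-bit and COMPAT_SAFEFOR_LOADING state read from the ActiveX Compatibility key, and offers a function that sets the kill bit as a mitigation. The function names are assumptions of this example; the category GUIDs are the standard CATID_SafeForInitializing / CATID_SafeForScripting values.

```powershell
# Added audit example, not code from the original presentation.
$CATID_SafeForInitializing = '{7DD95801-9882-11CF-9FA9-00AA006C42C4}'   # SFI
$CATID_SafeForScripting    = '{7DD95802-9882-11CF-9FA9-00AA006C42C4}'   # SFS
$KILL_BIT                  = 0x00000400
$COMPAT_SAFEFOR_LOADING    = 0x00800000
$CompatRoot = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'

function Get-ActiveXSafetyReport {
    # Walk HKCR\CLSID (the alias of HKLM\Software\Classes\CLSID, merged with HKCU)
    # and emit one record per registered class.
    Get-ChildItem 'Registry::HKEY_CLASSES_ROOT\CLSID' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $clsid = $_.PSChildName
        $cats  = Get-ChildItem ($_.PSPath + '\Implemented Categories') -ErrorAction SilentlyContinue |
                 ForEach-Object { $_.PSChildName }
        $flags = (Get-ItemProperty (Join-Path $CompatRoot $clsid) -Name 'Compatibility Flags' `
                  -ErrorAction SilentlyContinue).'Compatibility Flags'
        if ($null -eq $flags) { $flags = 0 }
        [pscustomobject]@{
            CLSID                = $clsid
            Name                 = (Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue).'(default)'
            SafeForInit          = $cats -contains $CATID_SafeForInitializing
            SafeForScripting     = $cats -contains $CATID_SafeForScripting
            KillBit              = ($flags -band $KILL_BIT) -ne 0
            # IE6-compatibility flag that bypasses the IObjectSafety check: flag it on its own.
            CompatSafeForLoading = ($flags -band $COMPAT_SAFEFOR_LOADING) -ne 0
        }
    }
}

function Set-ActiveXKillBit {
    # Mitigation: OR the 0x400 kill bit into Compatibility Flags so IE refuses to load the CLSID.
    param([Parameter(Mandatory)][string]$Clsid)
    $key = Join-Path $CompatRoot $Clsid
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    $current = (Get-ItemProperty $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($null -eq $current) { $current = 0 }
    Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Type DWord -Value ($current -bor $KILL_BIT)
}

# Usage: list controls that are scriptable from a web page and not yet kill-bitted.
Get-ActiveXSafetyReport |
    Where-Object { $_.SafeForScripting -and -not $_.KillBit } |
    Sort-Object Name |
    Format-Table CLSID, Name, SafeForInit, CompatSafeForLoading -AutoSize
```

On 64-bit Windows, 32-bit controls register under Wow6432Node and have their own ActiveX Compatibility key, so run the report from both a 64-bit and a 32-bit PowerShell to cover both views.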

  12. Querying An ActiveX Control
     • Using OLEView we can query an ActiveX control through its TypeLib.
     • Type libraries describe the contents of a COM component:
       exposed interfaces, methods, properties and constants, and method type definitions.
     • TypeLibs are either embedded with an ActiveX control,
       shipped as an additional .TLB file,
       or not present at all.

  13. OleView Example

  14. ActiveX exploitation has grown with popularity
     • 50 remote command execution bugs in ActiveX in 2006.
     • 1 in 2001.
     • Over 110 ActiveX exploits on MilW0rm.com.
     • Popular attack path for browser exploitation.
     • ActiveX controls run in the same context as Internet Explorer.
     • Hacking clients is the new ‘in-thing’.

  15. Why Is ActiveX So Insecure?
     • Compiler security disabled: SafeSEH turned off, /GS disabled.
     • (Most) ActiveX controls use the default Windows heap allocator.
     • Controls not sandboxed, can manipulate COM/IE functionality.
     • ActiveX security controls are purely opt-in.
     • Developers mark controls SFS & SFI when not required.
     • Many controls were never designed to be scripted by IE.
     • “There were only 7 days Internet Explorer was safe to use in the entire year of 2004.”
     • ActiveX controls are shipped with commercial software.
     • Users are not informed about control installation.

  16. ActiveX Bugs Can be Classified into Three Groups:
     • Insecure Method Functionality
     • Insecure Object Instantiation
     • Insecure Scripting

     #1 - Insecure Method Functionality.
     • Legitimately using the method of a control to do something malicious.
     • SFI or SFS exploitable.
     • Friendly Technologies Dialler – Execute Arbitrary Commands

  17. Further examples
     • PBEmail Arbitrary File Overwrite (SFS + SFI)
     • WebLaunch Arbitrary Command Execution (SFS + SFI)
     • Synactis All In The Box – Null Byte File Overwrite (SFS + SFI)

  18. #2 - Insecure Object Instantiation
     • An ActiveX control instantiated with malicious persistent input.
     • Control only marked Safe For Initialization.
     • User supplied persistent values used as control parameters.
     • Common application development vulnerabilities:
       • Stack/Heap overflows
       • Integer overflows
       • Format String vulnerabilities
     • Malformed input causing an application exception:
       • Long string supplied to a method.
       • Long string assigned to a control property.
       • Large numeric passed to a method.

  19. #3 – Insecure Scripting
     • Control marked Safe For Scripting.
     • An ActiveX method scripted with malicious input.
     • JavaScript/VBScript used to interact with the control.
     • Vulnerable to common application development vulnerabilities.

  20. Finding ActiveX Vulnerabilities.
     • Query the ActiveX controls installed on the system.
     • Look up the UUID (GUID) value in the coclass.
     • Search the registry for the GUID: is it SFS?
     • It may still be SFS without an Implemented Security Category.
     • Axenum (part of AXFuzz) enumerates IObjectSafety settings.

  21. Fuzz the fuck out of it!
     • I use COMBust: simple, effective, no false-positives.
     • combust -c {GUID}
     • Overwritten function pointer.

  22. Easy Exploitation: Heap Spraying.
     • Method pioneered by Skylined, ZenParse, Alex Sotirov.
     • Used since 2004, still works.
     • Use JavaScript to allocate (lots) of memory on the heap.
     • Control the structure of the heap from JavaScript.
     • Overwrite a function pointer/SEH/return address.
     • Jump to the JavaScript allocated heap, execute shell-code.
     • Develop stack and heap overflows fast!

  23. Empty Heap
     • Windows Address Space Layout Randomization
     • Heap is somewhere.
     • We don’t know where: 32 possible locations.
     • If you can point EIP somewhere, where would you point?

  24. JavaScript allocates lots of (NOP slide + Shellcode)
     • Under certain circumstances Jscript.dll uses the common Windows heap allocator.
     • Use JavaScript to allocate ‘heaps of heaps.’
     • 0x0C0C0C0C will be one of those heaps.
     • Get EIP here.
     • You win.

  25. “Heap Feng Shui” – HeapLib.js
     • Automated JavaScript heap manipulation: HeapLib.js
     • Supports IE 5-7, object oriented JavaScript API.
     • Supports:
       • Heap logging and debugging
       • Allocation and freeing of blocks with arbitrary sizes
       • High level heap manipulation (very easy)
     • Control the heap.
     • Takes only minutes to create an ActiveX exploit and pop shell.
     • Very easy, allows for lazy exploitation.
     • Heap spraying lacks hacker finesse.
     • “Allocate Spray 0x0c0c0c0c everywhere, until something goes there”

  26. Why Does Heap Spraying Work?
     • The heap (data pages) are executable in the IE 7 process.
     • DEP is *NOT* enabled for IE 5-7.
     • Certain JavaScript strings are stored on the shared Windows heap:
       • var test = “aaa”; is not on the OS heap.
       • var test = test.substring(0, test.length); is on the OS heap.
     • (Most) ActiveX controls use the generic Windows heap allocator.
     • ActiveX heap overflow will overflow into the IE/COM heap.
     • COM is written in Visual C++ and makes use of (thousands) of function pointers.
     • Heap overflows often lead to function pointer overwrites.

  27. COM makes use of (LOTS) of function pointers
     • Function pointers are kept on the heap.
     • You blindly overflow these function pointers with the location of your heap spray: 0xc0c0c0c0
     • 0xC0 = ADD al, 90 (NOP like instruction)
     • Instruction can be executed, read, jumped to!
     • JavaScript allocates (lots) of memory so that 0xC0.... exists.
     • Many COM function pointers are overflowed with c0c0c0c0.
     • Overwritten function pointer is called by COM.
     • 0xc0c0c0c0 is executed.. You pop shell.

  28. It All Changes With IE 8
     • Internet Explorer 7 opted out of DEP due to plug-in compatibility: Flash and Java did not support DEP.
     • Internet Explorer 8 is DEP opt-in by default.
     • Flash and Java now support DEP!
     • DEP disables code execution from the heap.
     • New jscript.dll which has a “Not Executable” marked heap.
     • “Ahem, that will not work in IE 8”
     • Anyone can install ActiveX controls in IE8 (not just administrators!)
     • Unsafe methods will still be exploitable.
     • “Click this control to activate it” removed.

  29. SiteLock Interface
     • New method in IObjectSafety to protect controls from being loaded from arbitrary websites.
     • Controls implement their own per-site control with SiteLock.
     • Users can allow the control for a specific Web site, all Web sites, or disallow the control.

  30. Shell Poppin’ – All Hail The Demo God
     • Demo:
       • Find an ActiveX vulnerability
       • Exploit it through Heap Spraying
       • Pop shell
     • Easy.
