ActiveX Xploitation In 2009. Paul Craig, Principal Security Consultant. "I hack things."


Slide 1: ActiveX Xploitation In 2009

Slide 2: Who The Hell Am I?
- Hi, my name is Paul Craig.
- Principal Security Consultant.
- "I hack things."
- Google me (I have hacked lots of things).

Slide 3: Agenda
- What Is ActiveX & How Does It Work
- ActiveX Vulnerabilities
- Finding ActiveX Vulnerabilities
- Why Everything Is Different With IE 8
- Shell Poppin'

Slide 4: What Is ActiveX?
- ActiveX is part of COM (Component Object Model).
- COM includes OLE, OLE Automation, ActiveX, COM+ and DCOM.
- COM is a language-neutral method of implementing objects.
- Objects can be easily reused by other applications.
- In 1996 Microsoft renamed Internet OLE controls to 'ActiveX'.
- ActiveX was designed as the internet component of COM.
- Widely used throughout the Windows environment.
- It has become the most popular component of COM.

Slide 5
- COM objects are referenced by a ClassID (CLSID) or ProgID.
- "CLSID is a 128-bit unique ID for a software application", e.g. CLSID = {AE7AB96B-FF5E-4dce-801E-14DF2C4CD681}
- A Programmatic Identifier (ProgID) is a human-readable name, e.g. WMP11.AssocFile
- Controls must be registered before use (Regsvr32.exe control.dll).
- ActiveX controls can be loaded by IE.
- IE uses the CoCreateInstance() method of COM, which creates a single uninitialized object of the class associated with a specified CLSID.

Slide 6: Interfaces and Methods
- COM is based on object-oriented programming.
- COM objects expose interfaces.
- Interfaces expose methods.
- Methods are the equivalent of functions in procedural programming.
- Object.Interface.Method(), e.g. MSNETOBJ.IRMGetLicense.GetLicenseFromURL('http://www...')

Slide 7: COM Objects Are Not Typical DLL Libraries
- Standard DLL 'exported functions' are not present in COM.
- Available methods are exposed through DllRegisterServer.
- Abstracted from native operations.

Slide 8
- All CLSIDs on Windows can be found at HKEY_CLASSES_ROOT\CLSID, which is an alias of HKEY_LOCAL_MACHINE\Software\Classes\CLSID.
- ActiveX controls have opt-in security categories for IE: Safe For Initialisation and Safe For Scripting.
- Category membership is found at HKEY_CLASSES_ROOT\CLSID\{CLSID}\Implemented Categories:
  7DD95801-9882-11CF-9FA9-00AA006C42C4 = SFI
  7DD95802-9882-11CF-9FA9-00AA006C42C4 = SFS
- Not supported under Windows CE.

Slide 9: ActiveX Security Measures
- Safe For Initialization
  - Allows a control to be initialised with persistent data.
  - Persistent data is supplied when the control is initialised.
  - Input is supplied using an IPersist interface.
- Safe For Scripting
  - Allows a control to be initialised and scripted with dynamic data.
  - Scripted using JavaScript/VBScript.
  - The control can be accessed and its methods called freely at run time.
  - Input is supplied using an IDispatch interface.

Slide 10
- IObjectSafety interface.
- The control identifies its own security level: "I am not safe to script!"
- The COM subsystem validates the IObjectSafety interface prior to loading the control.
- Object.IObjectSafety.GetInterfaceSafetyOptions
  - INTERFACESAFE_FOR_UNTRUSTED_DATA = SFS
  - INTERFACESAFE_FOR_UNTRUSTED_CALLER = SFI
- SetInterfaceSafetyOptions is also supported.
- The only security method supported by Windows CE.

Slide 11
- Internet Explorer 6 backward compatibility is supported:
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}\Compatibility Flags
  COMPAT_SAFEFOR_LOADING = 0x00800000
  "This compatibility flag can be used to disable the Internet Explorer 7 IObjectSafety check and revert back to Microsoft Internet Explorer 6 behaviour."
- ActiveX Kill Bit:
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}\Compatibility Flags
  0x00000400 = EVIL_BIT (kill bit)
- Killed CLSIDs cannot be loaded by IE.
- Updated kill bit lists are distributed through Windows Update.
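The two registry locations on slides 8 and 11 are what a defender audits on a workstation: which controls declare themselves Safe For Initialization / Safe For Scripting via Implemented Categories, and which have the kill bit (0x00000400) or COMPAT_SAFEFOR_LOADING (0x00800000) set in their Compatibility Flags. The script below is an added example, not code from the talk; it reads the text of a `reg export` rather than the live registry so it runs offline, and the three CLSIDs in the embedded sample export are constructed placeholders. The two category GUIDs are the documented CATID_SafeForInitializing and CATID_SafeForScripting values.

```python
"""Added example (not from the talk): audit ActiveX safety categories and IE
Compatibility Flags from the text of a `reg export`, entirely offline."""
import re

# Component category GUIDs a control lists under Implemented Categories
# (CATID_SafeForInitializing and CATID_SafeForScripting).
CATID_SFI = "7DD95801-9882-11CF-9FA9-00AA006C42C4"
CATID_SFS = "7DD95802-9882-11CF-9FA9-00AA006C42C4"

# Bits of the per-CLSID "Compatibility Flags" DWORD named in the talk.
KILL_BIT = 0x00000400
COMPAT_SAFEFOR_LOADING = 0x00800000

GUID = r"\{([0-9A-Fa-f-]{36})\}"
CATEGORY_KEY = re.compile(
    r"HKEY_CLASSES_ROOT\\CLSID\\" + GUID + r"\\Implemented Categories\\" + GUID + "$",
    re.I)
COMPAT_KEY = re.compile(
    r"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\ActiveX Compatibility\\"
    + GUID + "$", re.I)

# Constructed sample export: control 1 is SFI+SFS with no compatibility entry,
# control 2 is SFI but kill-bitted, control 3 has no category but the
# IE6-compatibility flag that disables the IObjectSafety check.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{11111111-1111-1111-1111-111111111111}]
@="Constructed Example Control 1"

[HKEY_CLASSES_ROOT\CLSID\{11111111-1111-1111-1111-111111111111}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}]

[HKEY_CLASSES_ROOT\CLSID\{11111111-1111-1111-1111-111111111111}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}]

[HKEY_CLASSES_ROOT\CLSID\{22222222-2222-2222-2222-222222222222}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{22222222-2222-2222-2222-222222222222}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{33333333-3333-3333-3333-333333333333}]
"Compatibility Flags"=dword:00800000
"""


def new_entry():
    return {"sfi": False, "sfs": False, "flags": None}


def parse_reg_export(text):
    """Walk the export line by line; collect per CLSID its categories and,
    when an ActiveX Compatibility key exists, its Compatibility Flags value."""
    controls = {}
    compat_clsid = None  # set while inside a CLSID's ActiveX Compatibility key
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            compat_clsid = None
            key = line[1:-1]
            m = CATEGORY_KEY.match(key)
            if m:
                clsid, catid = m.group(1).upper(), m.group(2).upper()
                entry = controls.setdefault(clsid, new_entry())
                if catid == CATID_SFI:
                    entry["sfi"] = True
                elif catid == CATID_SFS:
                    entry["sfs"] = True
                continue
            m = COMPAT_KEY.match(key)
            if m:
                compat_clsid = m.group(1).upper()
                controls.setdefault(compat_clsid, new_entry())
            continue
        if compat_clsid and line.lower().startswith('"compatibility flags"=dword:'):
            controls[compat_clsid]["flags"] = int(line.rsplit(":", 1)[1], 16)
    return controls


def assess(entry):
    """Verdict for one control; the kill bit overrides everything else."""
    flags = entry["flags"] or 0
    if flags & KILL_BIT:
        return "blocked: kill bit set, IE will not load this CLSID"
    notes = []
    if entry["sfs"]:
        notes.append("SFS (scriptable from web pages)")
    if entry["sfi"]:
        notes.append("SFI (accepts persistent data)")
    if flags & COMPAT_SAFEFOR_LOADING:
        notes.append("COMPAT_SAFEFOR_LOADING (IObjectSafety check disabled)")
    if not notes:
        # A missing category does not prove the control is unscriptable:
        # it may still answer IObjectSafety at run time.
        return "no safety category in registry; check IObjectSafety at run time"
    return ", ".join(notes)


def audit(text):
    """Return [(clsid, verdict), ...] sorted by CLSID for a whole export."""
    return [(c, assess(e)) for c, e in sorted(parse_reg_export(text).items())]


if __name__ == "__main__":
    for clsid, verdict in audit(SAMPLE_REG):
        print("{" + clsid + "}", verdict)
```

On a real machine, feed it the output of `reg export HKCR\CLSID` and of the ActiveX Compatibility key; the parser ignores every key it does not recognise, so the two exports can simply be concatenated.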

Slide 12: Querying An ActiveX Control
- Using OLEView we can query an ActiveX control through its TypeLib.
- Type libraries describe the contents of a COM component: exposed interfaces, methods, properties and constants, and method type definitions.
- TypeLibs are either embedded in the ActiveX control, shipped as an additional .TLB file, or not present at all.

Slide 13: OleView Example

Slide 14
- ActiveX exploitation has grown with popularity.
- 50 remote command execution bugs in ActiveX in 2006, versus 1 in 2001.
- Over 110 ActiveX exploits on
- Popular attack path for browser exploitation.
- ActiveX controls run in the same context as Internet Explorer.
- Hacking clients is the new 'in-thing'.

Slide 15: Why Is ActiveX So Insecure?
- Compiler security disabled: SafeSEH turned off, /GS disabled.
- (Most) ActiveX controls use the default Windows heap allocator.
- Controls are not sandboxed and can manipulate COM/IE functionality.
- ActiveX security controls are purely opt-in.
- Developers mark controls SFS & SFI when not required.
- Many controls were never designed to be scripted by IE.
- "There were only 7 days Internet Explorer was safe to use in the entire year of 2004."
- ActiveX controls are shipped with commercial software.
- Users are not informed about control installation.

Slide 16
- ActiveX bugs can be classified into three groups: insecure method functionality, insecure object instantiation, and insecure scripting.
- #1 - Insecure Method Functionality
  - Legitimately using the method of a control to do something malicious.
  - SFI or SFS exploitable.
  - Friendly Technologies Dialler: Execute Arbitrary Commands

Slide 17
- PBEmail Arbitrary File Overwrite (SFS + SFI)
- WebLaunch Arbitrary Command Execution (SFS + SFI)
- Synactis All In The Box: Null Byte File Overwrite (SFS + SFI)

Slide 18
- #2 - Insecure Object Instantiation
- An ActiveX control instantiated with malicious persistent input.
- Control only marked Safe For Initialization.
- User-supplied persistent values used as control parameters.
- Common application development vulnerabilities: stack/heap overflows, integer overflows, format string vulnerabilities.
- Malformed input causing an application exception: a long string supplied to a method, a long string assigned to a control property, a large numeric value passed to a method.

Slide 19
- #3 - Insecure Scripting
- Control marked Safe For Scripting.
- An ActiveX method scripted with malicious input.
- JavaScript/VBScript used to interact with the control.
- Vulnerable to common application development vulnerabilities.

Slide 20: Finding ActiveX Vulnerabilities
- Query the ActiveX controls installed on the system.
- Look up the UUID (GUID) value in the coclass.
- Search the registry for the GUID: is it SFS?
- It may still be SFS without an Implemented Security Category.
- Axenum (part of AXFuzz) enumerates IObjectSafety settings.

Slide 21
- Fuzz the fuck out of it!
- I use COMBust: simple, effective, no false positives.
- combust -c {GUID}
- Overwritten function pointer.

Slide 22: Easy Exploitation: Heap Spraying
- Method pioneered by Skylined, ZenParse, Alex Sotirov.
- Used since 2004, still works.
- Use JavaScript to allocate (lots of) memory on the heap.
- Control the structure of the heap from JavaScript.
- Overwrite a function pointer/SEH/return address.
- Jump to the JavaScript-allocated heap, execute shellcode.
- Develop stack and heap overflows fast!

Slide 23
- Empty heap.
- Windows Address Space Layout Randomization.
- The heap is somewhere; we don't know where, 32 possible locations.
- If you can point EIP somewhere, where would you point?

Slide 24
- JavaScript allocates lots of (NOP slide + shellcode).
- Under certain circumstances Jscript.dll uses the common Windows heap allocator.
- Use JavaScript to allocate 'heaps of heaps'.
- 0x0C0C0C0C will be one of those heaps.
- Get EIP here. You win.

Slide 25: "Heap Feng Shui" - HeapLib.js
- Automated JavaScript heap manipulation: HeapLib.js
- Supports IE 5-7; object-oriented JavaScript API.
- Supports: heap logging and debugging; allocation and freeing of blocks with arbitrary sizes; high-level heap manipulation (very easy).
- Control the heap.
- Takes only minutes to create an ActiveX exploit and pop shell.
- Very easy, allows for lazy exploitation.
- Heap spraying lacks hacker finesse: "Allocate/spray 0x0c0c0c0c everywhere, until something goes there."

Slide 26: Why Does Heap Spraying Work?
- The heap (data pages) is executable in the IE 7 process.
- DEP is *NOT* enabled for IE 5-7.
- Certain JavaScript strings are stored on the shared Windows heap:
  var test = "aaa"; is not on the OS heap.
  var test = test.substring(0, test.length); is on the OS heap.
- (Most) ActiveX controls use the generic Windows heap allocator.
- An ActiveX heap overflow will overflow into the IE/COM heap.
- COM is written in Visual C++ and makes use of (thousands of) function pointers.
- Heap overflows often lead to function pointer overwrites.

Slide 27
- COM makes use of (LOTS of) function pointers.
- Function pointers are kept on the heap.
- You blindly overflow these function pointers with the location of your heap spray: 0xc0c0c0c0.
- 0xC0 = ADD al, 90 (NOP-like instruction).
- The instruction can be executed, read, jumped to!
- JavaScript allocates (lots of) memory so that 0xC0.... exists.
- Many COM function pointers are overflowed with c0c0c0c0.
- The overwritten function pointer is called by COM.
- 0xc0c0c0c0 is executed... you pop shell.

Slide 28: It All Changes With IE 8
- Internet Explorer 7 opted out of DEP due to plug-in compatibility: Flash and Java did not support DEP.
- Internet Explorer 8 is DEP opt-in by default; Flash and Java now support DEP!
- DEP disables code execution from the heap.
- New jscript.dll which has a "not executable" marked heap.
- "Ahem, that will not work in IE 8."
- Anyone can install ActiveX controls in IE8 (not just administrators!).
- Unsafe methods will still be exploitable.
- "Click this control to activate it" removed.

Slide 29: SiteLock Interface
- New method in IObjectSafety to protect controls from being loaded from arbitrary websites.
- Controls implement their own per-site control with SiteLock.
- Users can allow the control for a specific Web site, all Web sites, or disallow the control.
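The value of site-locking is that a control with an unsafe-but-legitimate method (the slide 16 class) only runs on the sites its vendor named, so a hostile page cannot script it. The check below is an added model of that per-site decision, not code from the talk and not Microsoft's SiteLock template; the allow-list and all host names are constructed. It also shows the substring comparison that such checks get wrong, which a query string or look-alike domain satisfies, beside a comparison on the parsed scheme and host.

```python
"""Added example (not from the talk or from Microsoft's SiteLock template):
a model of the per-site check a site-locked control performs before it
agrees to run, with the unsafe substring version shown for contrast."""
from urllib.parse import urlsplit

# Constructed allow-list of (scheme, host pattern). "*.d" covers d and its
# subdomains; a bare "*" would mean any host, i.e. the "all Web sites" choice.
ALLOWED_SITES = [
    ("https", "intranet.example.test"),
    ("https", "*.example.test"),
]


def host_matches(pattern, host):
    """Exact match or whole-label suffix match; never a substring match."""
    host = host.lower().rstrip(".")
    pattern = pattern.lower()
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        base = pattern[2:]
        return host == base or host.endswith("." + base)
    return host == pattern


def site_allowed(page_url, allowed=ALLOWED_SITES):
    """Hardened check: parse the URL, then compare scheme and real host name."""
    parts = urlsplit(page_url)
    if not parts.hostname:  # file:, about:, javascript: ... carry no host
        return False
    return any(parts.scheme.lower() == scheme and host_matches(pat, parts.hostname)
               for scheme, pat in allowed)


def naive_site_allowed(page_url, allowed=ALLOWED_SITES):
    """The mistake to avoid: a substring test over the whole URL string,
    satisfied by the query string, the path or a look-alike domain."""
    return any(host in page_url for _, host in allowed if not host.startswith("*"))


if __name__ == "__main__":
    for url in ("https://intranet.example.test/app.html",
                "http://intranet.example.test/",
                "https://evil-example.test/",
                "https://attacker.test/?ref=intranet.example.test"):
        print(url, "hardened:", site_allowed(url), "naive:", naive_site_allowed(url))
```

The scheme is part of the decision on purpose: allowing plain http for a control that does something privileged means any on-path party can become the "allowed" site.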

Slide 30: Shell Poppin'
- Demo: find an ActiveX vulnerability, exploit it through heap spraying, pop shell.
- Easy. All Hail The Demo God.
