Active X Exploitation
ActiveX is a framework created by Microsoft to extend the functionality of the Component Object Model (COM) and Object Linking Embedding (OLE) and apply it to content downloaded from networks.
It was first created in 1996 and is predominantly used in Windows Based Operating systems; ActiveX clients must run on x86 hardware as the ActiveX generally contains compiled code. ActiveX controls are small programs sometimes called add-ons that are used to extend the functionality of an application which in turn enhances the user experience as a whole. ActiveX controls are downloaded from websites that a user accesses and the downloads are stored in user’s hard drive. ActiveX provides greater access to user’s system than other similar technologies like Java applets. ActiveX also uses Authenticode technology, which relies on digital certificates. Authenticode is used to prevent distribution of malicious code, thereby creating accountability. By using Authenticode you can sign any file extensions such as .exe, .ocx, .vbd, .dll, etc.
ActiveX is predominantly a Windows technology, ActiveX clients must be running Microsoft Windows or a Windows emulator in order for it to work. ActiveX makes use of native code execution to greatly speed up execution speeds, this is useful for CPU intensive operations such as graphical rendering.
ActiveX technologies are mostly popular for creating add-ons for web browsers, particularly Internet Explorer. ActiveX provides native code execution, which has several benefits. Seeing this, other companies have tried to come up with similar technologies. Some of them are:
- Google Native Client
NPAPI: The Netscape Application Programming Interface is a cross platform architecture that is used for creating plugins for use in Web Browsers. NPAPI has been used extensively in Netscape based browsers such as Mozilla Firefox and also many others such as Google Chrome, Opera, etc. It is a competing technology with ActiveX. The major difference between the two is that NPAPI is designed to be used extensively for web browser plugins, whereas ActiveX is not limited to only that.
Google Native Client (NaCl): Is a sandboxing technology developed by Google to provide similar functionality as ActiveX. The major difference between the two is that NaCl is intended to be used only for improving web browser functionality, whereas ActiveX controls can be used in a host of Windows based applications.
Java Applets: A similar technology used to enhance the user experience, and as you know, Java is a platform independent programming language. Whenever a programmer creates a Java applet and runs through a compiler, the compiler will convert the source code to bytecode. Java virtual machine will convert the byte code to machine code that the processor can understand.
ActiveX Security Flaws
- ActiveX, though useful, has always been plagued by its fair share of security flaws. The ActiveX security policy is mostly based on trust. If you trust the author, then you can install the control without fear of exploitation. Similarly, if you trust Internet Explorer you can assume that it will keep your computer from being exploited.
- Unfortunately, you cannot take things on trust in the real world, it is just not viable. Another long standing issue with ActiveX is that the code that is executed is not sandboxed in any way. It allows the running of 100% native code on a client system. Once it has been installed, it can perform literally any action on the system. This is a huge security flaw.
- Vulnerability in ActiveX is another security flaw that needs to be highlighted. Buffer overflow and file overwriting are some vulnerabilities that are usually exploited. Some ActiveX vulnerabilities are available for download on the Internet for a small amount of money. Proper coding is necessary using ActiveX to avoid exploitation of vulnerabilities. ActiveX controls can be digitally signed, but that does not guarantee that they are safe to execute.
ActiveX flaws are not easy to detect, however many tools can be used to audit such controls. Some of these are given below:
Microsoft OLE/COM viewer: This is a tool that is shipped with Microsoft’s Visual Studio C/C++ compilers. They allow you to view OLE/COM objects their properties, methods, interfaces, etc.
Registry Monitor: Registry Monitor is part of the Sysinternals suite of system tools provided by Microsoft. It allows you to monitor registry changes, access, etc. It allows us to see if any registry value is being changed or if some action is being performed by that particular key.
File Monitor: File Monitor is another tool from Sysinternals that allows us to monitor file access on our computer. It allows us to check if a process is trying to modify any directory or file.
TCP View: TCP View is another tool from the Sysinternals suite. It allows you to monitor open TCP/UDP ports and also displays TCP connections made by processes. This can help to see if the ActiveX control is trying to open a port for communication.
WindDbg: Is a kernel level debugger provided by Microsoft that allows us to debug programs that run in kernel mode. It can be used to detect ActiveX based buffer overflows.
How ActiveX is Exploited
Attackers take advantage of vulnerabilities in ActiveX to compromise systems using Internet Explorer. A sample exploit is explained below.
- RUN>>REGEDIT>>HKCR>>CLSID used to display CLSID
- XXXX.XXXXX.1 is the format for Prog ID Ex ACCClientDocMgr.AccClientDOCMgr.1
- Open com raider is a fuzzing tool. Active fuzzing is a method to give invalid and random inputs to ActiveX objects to note their behavior. Another fuzzing tool used is Dranzer.
- Credit of this exploit goes to Michael Brooks.
There is no sure fire method to stop malicious ActiveX controls, however with the proper precautions the damage done by such controls can be significantly reduced. Some of the following methods can be used to mitigate the effects of malicious ActiveX controls.
One popular method of blocking malicious ActiveX controls is to employ a Killbit. A Killbit is a security feature that is used by ActiveX containers to block specific ActiveX controls. This is done using a Class identifier (CLSID). Once the ActiveX container has received a Killbit update, it will never execute ActiveX controls that have the specified Killbit.
Killbits are generally distributed to Windows systems through Windows updates. Killbits are applied by making changes to the registry keys. This can be done manually or through Windows updates.
The best way to prevent ActiveX exploits is through user awareness. Denying ActiveX controls by default is often a good solution to the problem. However this may not always be feasible. Not installing ActiveX controls from untrusted sources is generally the best solution.
Use ActiveX controls only if absolutely necessary.
ActiveX is used by web developers to enhance their websites with features that may not be possible with just pure HTML, this includes animations, multimedia, etc.
But allowing ActiveX code to run in a browser is not safe, thus IE 7 introduced a system called ActiveX Opt-in. This provides users with control over whether ActiveX controls should be run in the browser or not, and when the browser encounters an ActiveX control the following warning is displayed.
The user can then decide whether to run the control or not after verifying the author of the control. Before executing it the user is asked for permission again. The Opt-in feature has been included in all versions of Internet Explorer from 7 onwards.
We can further configure settings for running ActiveX controls from the security panel in Internet Explorer. From here we can disable the execution of ActiveX controls entirely.
The Site lock template is a technology devised by Microsoft to design safer ActiveX controls. This allows developers that are using the Windows platform to restrict the domains in which a control can be run. This prevents remote execution of controls.
It can also severely restrict the scripting capabilities of ActiveX controls to prevent them from being repurposed to carry out malicious tasks.