Malicious Mobile Code: Virus Protection for Windows
By Roger A. Grimes
Chapter 11. Malicious ActiveX Controls

11.4 Malicious ActiveX Examples

Since an ActiveX control can do almost anything it wants, it's almost useless to classify types of exploits. If you allow a control to execute on your system, it has full access to your system. Known ActiveX vulnerabilities are spread nearly evenly between unsigned controls that should not be trusted and exploits of previously trusted controls.

11.4.1 Exploder

Fred McLain, currently a Java product development manager at Appworx Inc., is the infamous creator of malicious demonstration ActiveX controls, Exploder and Runner. His web page at http://www.halcyon.com/mclain/ActiveX/Exploder/FAQ.htm contains a Frequently Asked Questions document on his Exploder control, as well as links to download both examples.

Released in 1996, the Exploder control shuts down Windows 95 machines and powers them off (if you have the Advanced Power Management feature in your BIOS). It is no different than if you chose Shutdown from your Start button on the taskbar. After making his malicious control, Fred contacted VeriSign, Microsoft's authenticated certificate authority, and purchased an Authenticode digital signature. At the time of release, Internet Explorer 3.x would run any signed control without prompting the user. So, if you were lucky enough to browse across Fred's web site, or anyone else's who borrowed the control, you would have about 10 seconds before your system shut down, losing any unsaved data.

Fred and his creation immediately made headlines around the world, and he was contacted by both Microsoft and VeriSign. VeriSign revoked his digital signature because Fred broke the Authenticode licensing agreement by intentionally designing his control to be malicious. Fred contacted a lawyer to represent his case, but eventually withdrew his signed control to ward off potential lawsuits. But by then, Fred had proven his point. A hacker with malicious intent could easily obtain a digital signature, sign the control, and release it into the wild. Although Microsoft correctly stated that ActiveX's security worked as designed, Exploder ended up strengthening both ActiveX's security model and VeriSign's digital certification process. Today, with default security enabled, Internet Explorer 4.x and 5.x will not download the malicious control. Even at the lowest security setting, Internet Explorer 5.x warns you that the control contains unsafe content.

11.4.2 Runner

Runner is another of Fred McLain's malicious ActiveX creations. It is an unsigned control that simply runs a copy of COMMAND.COM, and opens up a DOS window. Fred programmed this control to demonstrate again how an ActiveX control can do anything it wants. He could have just as easily made it format the user's hard drive or send files to his web site. Runner was never distributed with an Authenticode signature and will not be run by Internet Explorer with default security enabled.

11.4.3 InfoSpace Compromise

In September 1996, an Internet company called Infospace (http://www.infospace.com) posted an ActiveX control (labeled Quick Search) on the Lycos search engine site that bypassed one of Authenticode's security checking mechanisms. The Lycos control was written to allow the seamless downloading of advertising to a user's browser while they were using the search engine, but it also made an unwarranted modification to bypass future warning messages.

Specifically, if the user allowed the signed control to download and run the first time, it would transparently modify the computer's Windows registry database so that it made Infospace a trusted publisher. Once this was done, Infospace could download any control to a user's system without further user notification. After the security exploit was published, Infospace's CEO stated that the misguided feature was simply a programming bug, and the control was fixed. Regardless of Infospace's original intentions, this control took the decision of who to permanently trust out of the hands of the user. Critics of ActiveX's security model consider this exploit to be an example of the greatest weakness in allowing trusted code to do anything it wants. They feel running all code in a protective sandbox is a better default option. That way, when code unintentionally messes up, there is a safety net in place.

11.4.4 Quicken Exploit

Germany's famous hacking group, Computer Chaos Club, demonstrated on live television in February 1997 an unsigned ActiveX control that would look for the presence of the popular personal finance program, Quicken™. If found, the control would check to see if the electronic banking feature was used. It then manipulated Quicken data files so the feature would automatically transfer money into CCC's bank account the next time a user initiated a banking transaction. Although the demonstration program worked, it required that someone go around Microsoft's default security settings to accept the unsigned control. Intuit, the company that writes Quicken, recommended that users concerned about this type of exploit disable ActiveX. Later on, additional features were implemented in Quicken to make CCC's type of hack more difficult.

11.4.5 Microsoft's Not Safe for Scripting Controls

Internet Explorer allows the activation (scripting) of ActiveX controls marked Safe for Scripting. Over the years, Microsoft and other vendors have released ActiveX controls that should not have been marked Safe for Scripting. Part of the problem is that Microsoft doesn't have a standardized process for determining whether or not a control is safe to script. Hackers have used that to their advantage and discovered many controls that could be used maliciously. Security watchdog Richard Smith has an interrogating web page (http://users.rcn.com/rms2000/acctroj/axcheck.htm) that will check your browser for the presence of many of these holes and tell you how to fix them.
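A local audit along the lines of Richard Smith's check page, written for this edition as an added example and not taken from the book or from Smith's site: it enumerates the controls registered on the machine that carry the Safe for Scripting category, reports whether Internet Explorer's kill bit is already set for each, offers the kill bit as a mitigation, and, picking up the 11.4.3 InfoSpace case, lists who currently sits in the Trusted Publisher certificate stores. The category GUIDs, the 0x400 kill-bit flag under the ActiveX Compatibility key, and the use of the Cert: TrustedPublisher stores as the present-day equivalent of the trusted-publisher list InfoSpace modified are assumptions not stated in the chapter. It needs a Windows host and an elevated PowerShell session.

```powershell
# Added audit script (not from the book). Assumptions, not taken from the page:
# the two component-category GUIDs below are the Safe for Scripting and
# Safe for Initializing CATIDs, and the IE kill bit is bit 0x400 of the
# "Compatibility Flags" DWORD under the ActiveX Compatibility key.
$SafeForScripting    = '{7DD95801-9882-11CF-9FA9-00AA006C42C4}'
$SafeForInitializing = '{7DD95802-9882-11CF-9FA9-00AA006C42C4}'
$KillBitFlag         = 0x400
$CompatKey           = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'

function Get-SafeForScriptingControls {
    # Walk every CLSID under HKCR and keep the ones whose "Implemented
    # Categories" subkey contains the Safe for Scripting category.
    Get-ChildItem -Path 'Registry::HKEY_CLASSES_ROOT\CLSID' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $clsid   = $_.PSChildName
            $base    = $_.PSPath
            $catPath = "$base\Implemented Categories\$SafeForScripting"
            if (Test-Path -LiteralPath $catPath) {
                $name   = (Get-ItemProperty -LiteralPath $base -ErrorAction SilentlyContinue).'(default)'
                $server = (Get-ItemProperty -LiteralPath "$base\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
                $flags  = (Get-ItemProperty -LiteralPath "$CompatKey\$clsid" -ErrorAction SilentlyContinue).'Compatibility Flags'
                [pscustomobject]@{
                    CLSID       = $clsid
                    Name        = $name
                    Server      = $server            # the .OCX/.DLL that implements the control
                    SafeForInit = Test-Path -LiteralPath "$base\Implemented Categories\$SafeForInitializing"
                    KillBitSet  = (([int]$flags) -band $KillBitFlag) -ne 0
                }
            }
        }
}

function Set-ActiveXKillBit {
    # Mitigation: set the kill bit so Internet Explorer refuses to instantiate
    # the control regardless of its Safe for Scripting marking. Existing flag
    # bits are preserved.
    param([Parameter(Mandatory)][string]$Clsid)
    $key = "$CompatKey\$Clsid"
    if (-not (Test-Path -LiteralPath $key)) { New-Item -Path $key -Force | Out-Null }
    $current = (Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue).'Compatibility Flags'
    Set-ItemProperty -LiteralPath $key -Name 'Compatibility Flags' `
        -Value (([int]$current) -bor $KillBitFlag) -Type DWord
}

function Get-TrustedPublishers {
    # The InfoSpace control silently made its publisher trusted; this shows
    # who is currently trusted in the per-user and machine stores so that an
    # unexpected entry stands out.
    foreach ($store in 'Cert:\CurrentUser\TrustedPublisher', 'Cert:\LocalMachine\TrustedPublisher') {
        Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
            Select-Object @{ n = 'Store'; e = { $store } }, Subject, Thumbprint, NotAfter
    }
}

# Usage: list scriptable controls that are not yet kill-bitted, then the
# trusted publishers. Apply Set-ActiveXKillBit to a CLSID you have reviewed.
Get-SafeForScriptingControls | Where-Object { -not $_.KillBitSet } | Format-Table -AutoSize
Get-TrustedPublishers | Format-Table -AutoSize
```

The script only reads the registry unless you call Set-ActiveXKillBit explicitly; reviewing the Server column against the vendor's documentation is what tells you whether a control with system-level abilities (a command launcher, a registry editor) has any business being scriptable from a web page.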

11.4.5.1 Norton Utilities exploit

In April 1997, it was found that systems using Norton Utilities 2.0 for Windows 95 and Internet Explorer were vulnerable to a new type of attack. Symantec's Norton Utilities installed an ActiveX control called TUNEOCX.OCX and marked it "Safe for Scripting". As part of Norton's System Genie™ toolset, TUNEOCX had the ability to start a second program to call any system command that might be necessary to troubleshoot the system, including FORMAT, FDISK, and FTP. A malicious web site could include a script language command that used TUNEOCX.OCX to run any external command. The hacker site, for example, could copy files off a user's hard drive and then format the drive, maybe adding a delaying component to avoid suspicion. Symantec released a fix soon after the bug's discovery, but it pointed out the potential security holes that could be found because of unintentional code interaction.

11.4.5.2 Help desk controls

Several leading personal computer vendors ship their PCs with potentially dangerous scriptable controls. Richard Smith discussed his findings about HP Pavilion™ and Compaq Presario™ computers with several newsgroups in July 1999. He discovered that Pavilion systems were shipped with two unsafe ActiveX controls as part of HP's system diagnostic package, SystemWizard. One of the controls, called Launch, would run any Windows or DOS command passed to it by a scripting language. Thus, if a user visited the wrong web site, files could be deleted, hard drives formatted, and files copied. Another control, RegObj, could modify the registry. Both of these tools were designed to allow HP Help Desk support to help customers troubleshoot and fix problems. Unfortunately, both controls were marked as Safe for Scripting when, obviously, they should not have been. Smith found a similar hole in Compaq Presario computers. In this instance, Compaq included controls and applets, and made itself a trusted publisher. The diagnostic applets, which could launch external programs, would run outside the security sandbox.

11.4.5.3 DHTML edit vulnerability

In April 1999, Microsoft released a patch (see Microsoft Knowledge Base Article Q226326) to close a hole created by a new control released in Internet Explorer 5 (and downloadable in version 4.x). Microsoft's DHTML Edit control was marked Safe for Scripting, and allowed users to edit HTML text to see how it would look in a browser. The file, DHTMLED.OCX, is stored in the subdirectory C:\Program Files\Common Files\Microsoft Shared\Triedit. Unfortunately, malicious scripts could download virtually any file on a user's system as long as the script knew its name and location. In addition, the control could be used to trick users into typing sensitive data that could then be copied. Microsoft's patch worked by modifying the control to only load data that was in the web site's own domain. No customers were reportedly affected before the hole was closed.

11.4.5.4 Taskpads

Microsoft found another of its own vulnerabilities in a scriptable control called Taskpads. Taskpads was shipped in the Windows 98 Resource Kit and BackOffice Resource Kit 4.0. It allowed users to view and run Windows management tools through an HTML page. Like all the other Safe for Scripting mistakes I've reviewed, this allowed a malicious web site to write an HTML page that could invoke the control and cause damage. Since the Taskpads functionality was not commonly used, Microsoft decided to remove its functionality altogether with a patch (see Microsoft Knowledge Base Article Q218619).

11.4.5.5 Scriptlet.typlib and Eyedog exploits

Two infamous Microsoft browser holes, Scriptlet.typlib and Eyedog, exploit built-in Microsoft controls. Although not related, both were discovered and patched at the same time. The Scriptlet.typlib control is supposed to be used by developers to generate type libraries for Windows script components. Type libraries can be used by software development tools, like Microsoft Visual InterDev, to provide additional functionality. Unfortunately, because the control was marked Safe for Scripting, it could be used to change or delete files on a user's system. This exploit has successfully been used by malicious worms, including BubbleBoy and Kak. Microsoft patched the ActiveX control to remove the Safe for Scripting setting. The Eyedog control (EYEDOG.OCX) is used by troubleshooting utilities to gather information on the user's computer, such as username, hardware settings, and registry settings. This queried information could be passed back to a malicious web site and then used against the user. Microsoft's patch disabled the ability for Eyedog to be called from within a browser.

11.4.5.6 Office 2000 UA control

In another Safe for Scripting blunder, Microsoft unfortunately allowed the UA control (OUACTRL.OCX) shipped with Office 2000 (and related 2000 applications, such as PhotoDraw, FrontPage, and Project) to be used maliciously. Included to allow "Show Me" help tutorials, the control has the ability to interact with the system, type in keystrokes, choose software options, etc. As a trusted, signed control, it could be scripted to accomplish almost anything the malicious hacker wants. Microsoft posted a patch to eliminate this vulnerability in May 2000.

11.4.5.7 Active Setup control

The Active Setup control allows Microsoft-signed .CAB files to be automatically downloaded and installed on a user's computer without intervention. The slight flaw it contains is that script files can direct the destination download directory. A malicious hacker could construct a web page that downloaded a legitimately signed Microsoft control, but forced it to download over other system files. This could leave the user's computer unusable. Of course, Windows ME and 2000, and their file protection mechanisms, would prevent such an attack from being successful.

11.4.6 Windows 2000 Sysmon Buffer Overflow

Unpatched versions of Windows 2000 contain a control, SYSMON.OCX, which contains an unchecked, exploitable buffer. Announced in November 2000, this hole, like any other buffer overflow, could allow a malicious web page complete access to a Windows 2000 system. Sysmon, or System Monitor, is used to measure and record system performance. It can be accessed in Windows 2000 by Start → Settings → Administrative Tools → Performance Logs and Alerts. Microsoft released a patch in December 2000 to close the hole. In their announcement (Microsoft Security Bulletin MS00-085), Microsoft postulated that buffer overflow conditions account for two-thirds to three-fourths of all security vulnerabilities.


Malicious Mobile Code: Virus Protection for Windows (O'Reilly Computer Security)
ISBN: 156592682X
Year: 2001
Pages: 176