ActiveX Exploitation
Over the last few months there has been a rise in ActiveX vulnerabilities. If you look at milw0rm there are lots of PoCs that exploit ActiveX vulnerabilities. In this article I am going to show what ActiveX exploitation is.
Introduction
ActiveX controls are COM objects. COM is a technology from Microsoft which allows components written in one language to be used from another language. For example, suppose you have written a DLL in VC++; COM allows you to use it from VB.
For that there is the concept of the CLSID. Every ActiveX control has a CLSID which is unique in the world. You can read more about it by searching on Google; I will give some references at the end of this article.
Problems
Internet Explorer supports using such objects. They can be invoked by a web page, so if you are visiting a web page it can easily initialize an ActiveX control on your system. If that control is vulnerable to a buffer overflow then Internet Explorer will crash, and then the attacker can control your system.
To control the system the attacker uses the heap spraying technique. What this technique does is simply fill the memory of Internet Explorer with NOPs and shellcode, then overwrite EIP with an address like 0x0c0c0c0c or 0x0a0a0a0a, although 0x0c0c0c0c is the most widely used address.
So when IE crashes, EIP holds this address and control goes to that location; because we used heap spraying the memory there has been filled with NOPs and shellcode, so the shellcode gets executed and someone can control your system.
Most of the exploit kits like MPack, NeoSploit, GPack etc. use this technique in their exploitation code.
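The two halves of the attack described above, a page that instantiates a control and script that sprays the heap with repeated address bytes, are both visible in the page source before anything runs. The following is an added example (mine, not from the original article or any exploit kit) of a defender-side static triage that flags exactly those indicators in a saved page, for use on proxy captures or mail-gateway samples. The sample page, its CLSID and its ProgID are constructed placeholders, not a real control.

```python
"""Static triage of a saved web page for the two things the article describes:
an ActiveX control being instantiated (by CLSID or ProgID) and JavaScript that
builds large repeated-byte blocks for a heap spray. Nothing is executed; this
is a defender-side check for proxy captures or incident triage."""
import re
from html.parser import HTMLParser

# Spray "units" as they appear in JScript string literals: the 0x0c0c0c0c and
# 0x0a0a0a0a addresses the article mentions, plus the classic x86 NOP 0x90,
# written either as %uXXXX escapes or as \xNN escapes.
SPRAY_BLOCK_RE = re.compile(
    r"(?:%u0c0c|%u0a0a|%u9090|\\x0c|\\x0a|\\x90)+", re.IGNORECASE)

CLSID_RE = re.compile(
    r"clsid:\{?([0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12})\}?", re.IGNORECASE)
PROGID_RE = re.compile(
    r"new\s+ActiveXObject\s*\(\s*['\"]([^'\"]+)['\"]", re.IGNORECASE)
UNESCAPE_RE = re.compile(
    r"unescape\s*\(\s*['\"]([^'\"]*)['\"]\s*\)", re.IGNORECASE)
# The "double the string until it is huge" idiom: while (s.length < N) s += s;
DOUBLING_RE = re.compile(
    r"while\s*\(\s*(\w+)\.length\s*<\s*(0x[0-9a-f]+|\d+)\s*\)\s*\1\s*\+=\s*\1",
    re.IGNORECASE)


class _Collector(HTMLParser):
    """Collects <object classid=...> CLSIDs and the raw text of <script> blocks."""

    def __init__(self):
        super().__init__()
        self.clsids = []
        self.scripts = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "object":
            m = CLSID_RE.search(attrs.get("classid") or "")
            if m:
                self.clsids.append(m.group(1).upper())
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.scripts.append(data)


def _parse_limit(text):
    """Parse a JScript numeric literal such as 0x100000 or 200000."""
    return int(text, 16) if text.lower().startswith("0x") else int(text)


def triage(html):
    """Return the indicators found in one page and an overall verdict."""
    collector = _Collector()
    collector.feed(html)
    script = "\n".join(collector.scripts)

    # unescape() literals made only of spray units are the NOP sled / address blocks
    spray_literals = [lit for lit in UNESCAPE_RE.findall(script)
                      if SPRAY_BLOCK_RE.fullmatch(lit)]
    # sizes the doubling loops grow a string to (JScript chars, 2 bytes each)
    doubling_limits = [_parse_limit(limit) for _, limit in DOUBLING_RE.findall(script)]

    progids = PROGID_RE.findall(script)
    instantiates_control = bool(collector.clsids or progids)
    sprays_heap = bool(spray_literals) and any(n >= 0x10000 for n in doubling_limits)
    return {
        "clsids": collector.clsids,
        "progids": progids,
        "spray_literals": spray_literals,
        "doubling_limits": doubling_limits,
        # the article's attack needs both halves: a control to crash and a sprayed heap
        "suspicious": instantiates_control and sprays_heap,
    }


# Constructed sample page; the CLSID and ProgID are placeholders, not a real control.
SAMPLE_PAGE = """<html><body>
<object classid="clsid:DEADBEEF-0000-4000-8000-000000000001" id="ctl"></object>
<script type="text/javascript">
var sled = unescape("%u0c0c%u0c0c");
var payload = unescape("PAYLOAD-PLACEHOLDER");
while (sled.length < 0x100000) sled += sled;
var obj = new ActiveXObject("Placeholder.Control.1");
</script>
</body></html>"""

if __name__ == "__main__":
    for key, value in triage(SAMPLE_PAGE).items():
        print(f"{key}: {value}")
```

The verdict requires both a control and a spray, because a page with only an object tag is how most legitimate ActiveX content looks, while a spray block on its own is still worth a second look but not a verdict. Obfuscated scripts (string concatenation, eval of decoded text) will slip past these regexes; the point of the example is what to look for, not a complete scanner.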
Why is it becoming so popular?
The reason is simple: it's very easy. There are tools like COMRaider from iDefense and the AxMan fuzzer from Metasploit. These tools make it easy to load any ActiveX control and then fuzz it automatically to find vulnerabilities. So even a kid can fuzz any ActiveX control and post the exploit on the internet.
How to prevent from it?
Do not install unnecessary controls on your system. It's better to avoid ActiveX controls from unknown publishers.
Use any antivirus software which allows scanning for such data.
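Besides not installing controls, a control that is already present can be blocked from ever being instantiated by Internet Explorer with the "kill bit": the 0x400 bit of the "Compatibility Flags" DWORD under HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}, which is Microsoft's documented mechanism (KB 240797). The following is an added example (mine, not from the original article) that generates a .reg file setting the kill bit for a list of CLSIDs and, on Windows, lists the CLSIDs that are already kill-bitted. The CLSID used in the usage call is a placeholder.

```python
"""Kill-bit handling for ActiveX controls: build a .reg file that stops Internet
Explorer from instantiating given CLSIDs, and (on Windows) list the CLSIDs
already kill-bitted. Registry path and flag value are from Microsoft KB 240797."""
import re
import sys

KILLBIT_KEY = r"SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"
KILLBIT_FLAG = 0x400  # "Compatibility Flags" bit: never instantiate in IE

CLSID_RE = re.compile(
    r"^\{?([0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12})\}?$")


def normalize_clsid(clsid):
    """Return the CLSID as {UPPERCASE-GUID}, or raise ValueError if malformed."""
    m = CLSID_RE.match(clsid.strip())
    if not m:
        raise ValueError(f"not a CLSID: {clsid!r}")
    return "{" + m.group(1).upper() + "}"


def is_killbitted(flags):
    """True if a Compatibility Flags DWORD has the kill bit set."""
    return bool(flags & KILLBIT_FLAG)


def killbit_reg(clsids):
    """Build the text of a .reg file that sets the kill bit for each CLSID.

    The value written replaces any existing flags, so merge with the current
    DWORD first if other compatibility bits matter for that control."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for clsid in clsids:
        lines.append(f"[HKEY_LOCAL_MACHINE\\{KILLBIT_KEY}\\{normalize_clsid(clsid)}]")
        lines.append(f'"Compatibility Flags"=dword:{KILLBIT_FLAG:08x}')
        lines.append("")
    return "\n".join(lines)


def list_killbits():
    """On Windows, return the CLSIDs under the compatibility key with the kill bit set."""
    if sys.platform != "win32":
        raise OSError("the ActiveX Compatibility key only exists on Windows")
    import winreg  # Windows-only module, imported here so the rest works elsewhere
    found = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, KILLBIT_KEY) as key:
        index = 0
        while True:
            try:
                name = winreg.EnumKey(key, index)
            except OSError:  # no more subkeys
                break
            index += 1
            try:
                with winreg.OpenKey(key, name) as sub:
                    flags, _ = winreg.QueryValueEx(sub, "Compatibility Flags")
            except OSError:  # subkey without the value
                continue
            if is_killbitted(flags):
                found.append(name)
    return found


if __name__ == "__main__":
    # Placeholder CLSID; substitute the CLSID of the control you want to block.
    print(killbit_reg(["{DEADBEEF-0000-4000-8000-000000000001}"]))
```

On 64-bit Windows the 32-bit IE process reads the same key under the WOW6432Node view as well, so a .reg file for a mixed fleet should set both locations; Microsoft's own kill-bit updates do exactly that.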
I will keep this article updated over time; it was written in a hurry, as always.
Feel free to post any comments on this article; you can always contact me personally.
Thanks,
SecGeek