Full Report
Earlier this week we had an internal presentation on Attacking ActiveX Controls. The main reason we had it is because of the ridiculously high hit rate we have whenever we look at controls with a slight security bent. When building the presentation I dug up an old advisory we never publicly released (obviously we reported it to the vendor, who (kinda) promptly fixed the bug without giving us any credit at all, but hey..). While the IEBlog promises updates to IE8 that will minimize the damage caused by owned controls in the future, the fundamental problems with ActiveX today are an attacker's dream.
Analysis Summary
Summary of the disclosed security flaw, focusing on actionable information.
# Vulnerability: ActiveX Control Repurposing Leading to Arbitrary Command Execution
## CVE Details
- **CVE ID:** Not explicitly provided in the text (The author noted they reported it to the vendor who fixed it without public disclosure/credit at the time of writing).
- **CVSS Score:** Not provided.
- **CWE:** Implicitly related to Improper Input Validation/Authorization, leading to OS Command Injection.
## Affected Systems
- **Products:** Juniper SSL-VPN products utilizing a specific affected ActiveX Control.
- **Versions:** Not specified; the affected control postdates a previously patched stack-smash issue, and the article implies it was present in active deployments at the time of discovery (May 2008).
- **Configurations:** Requires the ActiveX control to be enabled and loaded in Internet Explorer on the client machine.
## Vulnerability Description
The vulnerability resides in an **ActiveX Control used by Juniper SSL-VPN products**. The control was found to be susceptible to a two-stage attack leveraging poorly secured self-update and configuration file handling mechanisms:
1. **Arbitrary File Download (Initial Stage):** An attacker could trigger the control to download an unsigned file from a specified URL (by presenting a higher build number to the control's self-update check) to a predictable local path (`C:\predictable_location`). Although the downloaded file was not executed by default, its storage location was known.
2. **Arbitrary Command Execution via Configuration File (Exploitation Stage):** The control accepted a parameter specifying the path to its configuration (INI) file. An attacker could force the control to load the malicious file downloaded in step 1 if it was placed in the predictable location. This malicious configuration file contained a command injection via the `UninstallString` parameter (e.g., `UninstallString="calc.exe &&"`).
3. When the control's method to manage its configuration or installation was invoked (specifically the uninstall method), the specified arbitrary commands were executed with user privileges.
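To make the second stage concrete, here is an added Python example (not the advisory's or Juniper's code) of the validation a control should apply to `UninstallString` before launching it: it rejects cmd.exe metacharacters in general rather than just `&&`, and requires an absolute path under the control's own install directory, so the value can be launched without a shell. The `[Setup]` section name, the VendorVPN path and the sample INI contents are constructed assumptions.

```python
import configparser
import re
from pathlib import PureWindowsPath

# Characters cmd.exe treats specially: if the control hands UninstallString to
# a shell, any one of them lets the INI author append a command of their own.
SHELL_METACHARS = re.compile(r'[&|<>^;%\r\n]')

# Constructed sample INI files (hypothetical; not taken from the advisory).
BENIGN_INI = '''[Setup]
UninstallString="C:\\Program Files\\VendorVPN\\uninstall.exe" /silent
'''
MALICIOUS_INI = '''[Setup]
UninstallString="calc.exe &&"
'''

def load_uninstall_string(ini_text):
    """Read UninstallString from the [Setup] section (section name assumed)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(ini_text)
    return cp.get("Setup", "UninstallString", fallback="")

def split_executable(value):
    """Split a Windows command line into (executable, arguments)."""
    value = value.strip()
    if value.startswith('"') and value.find('"', 1) > 0:
        end = value.find('"', 1)
        return value[1:end], value[end + 1:].strip()
    exe, _, args = value.partition(" ")
    return exe, args

def audit_uninstall_string(value, trusted_dir=r"C:\Program Files\VendorVPN"):
    """Return the reasons the value must be rejected; [] means it passed."""
    findings = []
    if SHELL_METACHARS.search(value):
        findings.append("shell metacharacters present: command injection")
    exe, _ = split_executable(value)
    path = PureWindowsPath(exe)
    if not path.is_absolute():
        findings.append("relative executable path: resolved via CWD or PATH")
    elif PureWindowsPath(trusted_dir) not in path.parents:
        findings.append("executable outside the control's install directory")
    return findings

def safe_uninstall_argv(value):
    """argv for a no-shell (CreateProcess-style) launch, or None if rejected."""
    if audit_uninstall_string(value):
        return None
    exe, args = split_executable(value)
    return [exe] + args.split()
```

The same check applies to the file path the control accepts for its INI: an attacker-chosen location (the predictable download path from step 1) should be rejected in favour of a fixed, ACL-protected one.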
## Exploitation
- **Status:** Proof-of-Concept (PoC) demonstrated (described in detail as a successful exploit chain).
- **Complexity:** Moderate to High (Requires sequencing the download and configuration loading steps, although the core injection is straightforward).
- **Attack Vector:** Network (via a malicious webpage designed to load and interact with the control).
## Impact
- **Confidentiality:** High (Potential for data exfiltration if commands are used for file reading).
- **Integrity:** High (Arbitrary code execution allows modification of system files/settings).
- **Availability:** High (Ability to delete files or crash services).
*Overall Impact*: Arbitrary Code Execution (ACE) with user privileges.
## Remediation
### Patches
- **Status:** A patch was issued by the vendor following responsible disclosure, though specific patch versions or advisory numbers are not mentioned in this article (only an old Juniper advisory regarding a *different* bug is referenced).
- **Action Required:** Users must consult Juniper advisories subsequent to May 2008 to obtain the fixed version of the relevant SSL-VPN client software/ActiveX control.
### Workarounds
- The article does not detail official workarounds but implies that the fundamental issue is poorly secured ActiveX logic. General workarounds for ActiveX risks apply:
* Disable or restrict the loading/initialization of unknown or untrusted ActiveX controls (e.g., via IE Security Zone settings).
## Detection
- **Indicators of Compromise (IOCs):**
* Unexpected file creation in `C:\predictable_location`.
* Execution of processes via the ActiveX control's internal methods that normally relate to installation/uninstallation (e.g., attempts to run `UninstallString`).
* Network connections initiated by the ActiveX component attempting to download files based on internal version-checking logic.
- **Detection Methods and Tools:**
* Static analysis tools are explicitly noted as *ineffective* for finding this type of logic flaw ("repurposing bugs").
* Dynamic analysis/debugging of the ActiveX control's methods related to file handling and configuration loading is likely required for discovery.
## References
- Juniper Security Advisory for a previous fix (different bug): `http://www.juniper.net/support/security/alerts/PSN-2006-03-013.txt`
- IEBlog post on IE8 ActiveX security improvements: `http://blogs.msdn.com/ie/archive/2008/05/07/ie8-security-part-ii-activex-improvements.aspx`