Somebody once said..

"If you convince people that the wheel isn't right, they will allow you to re-invent it"

Tuesday, August 11, 2009

Discovering ActiveX Vulnerabilities -- Part 1 [ Introduction ]

Recently, I discovered a vulnerability in an ActiveX control. Before I started, I had absolutely no clue how to discover and exploit vulnerabilities in ActiveX controls. I learned the hard way, so I decided to write a small tutorial that could make life easier for guys like me :) ! In this 3 part series, I will cover how to use ActiveX fuzzers to find vulnerabilities in COM objects. I won't cover all the basics in detail, but I will show you how to discover a vulnerability using a fuzzer and then how to write a PoC or exploit for it. This tutorial assumes that you have a basic understanding of how debuggers work and know how to use them.

Ok, let's start with a quick round of basics for those who have no clue what I have been talking about so far. So, what's fuzzing?
"Fuzz testing or fuzzing is a software testing technique that provides invalid, unexpected, or random data to the inputs of a program. If the program fails (for example, by crashing or failing built-in code assertions), the defects can be noted." -- Wikipedia
Applied to ActiveX controls or COM objects, this is called ActiveX fuzzing. So, what's the big deal, you may ask? Well, some of these COM objects are exposed through Internet Explorer: a control that is registered as "safe for scripting" (and has not been kill-bitted by Microsoft or the vendor) can be instantiated and scripted by any web page the victim happens to visit. That makes such controls easy targets for exploitation over the internet. Using a specially crafted web page, an attacker can trigger a vulnerability in an ActiveX control and execute arbitrary code on the victim's machine, as you will see by the end of this tutorial :) !

Basically, I will show you how I discovered the vulnerability, what steps I took to debug it and, finally, how I came up with the exploit. Unfortunately, I can't disclose many details about the vulnerability itself as the vendor is still working on a fix. Nevertheless, you can definitely apply the same technique to other ActiveX objects to discover new bugs as well! In this part, I will cover the basic introduction. In the second part I will show you how to use the tools to discover a vulnerability in an ActiveX control, and in the third part I will show you how to code an exploit for the vulnerability we have discovered.

For the tutorial, we will be using tools such as OllyDbg, Dranzer, COMRaider and your favorite text editor (mine is Notepad++). So, go get these installed on your system and familiarize yourself with them. I will not spend time on that here, otherwise this tutorial will become three times its size :P ! There are a lot of ActiveX fuzzing tools out there, but my personal favorites are Dranzer and COMRaider. Again, you could use the debugger of your choice; it's just that I happen to know Olly better. I would also recommend starting with a clean, fresh Windows environment. Fuzzing tends to use up a lot of resources, so use a clean Windows setup with the minimum of software installed on it. A virtual machine with a snapshot you can roll back to is ideal, since the fuzzer will crash Internet Explorer over and over, and a crash that corrupts the box costs you nothing. Avoid running antivirus while fuzzing as it will further slow things down.

Alright, to begin fuzzing we first need to know the class identifier of the COM object we are going to fuzz. Every ActiveX control has a "Classid" or CLSID, a GUID that uniquely identifies the control in the registry: it lives under HKEY_CLASSES_ROOT\CLSID\{clsid}, and the InprocServer32 subkey there points to the .dll or .ocx that implements it. In a web page the CLSID is embedded with an <object> tag (classid="clsid:..."). Internet Explorer processes the <object> tag in the HTML, checks whether the COM object is installed on the system and, if it is present and IE allows it to load, instantiates it so that the script on the page can call the methods the control exposes.

Typically it's the methods inside a particular class that are vulnerable due to improper coding (an unchecked string length, a file path taken straight from the caller, and so on). So, to see the methods supported by the ActiveX control we will use COMRaider. There are multiple ways of doing this: if you know the CLSID of the control you are trying to fuzz, you can use it directly in COMRaider, or you can point COMRaider at the .ocx/.dll file from the location where the control was installed (like Program Files). Once you have entered the required information you can view the different methods supported by that ActiveX control. COMRaider has an excellent GUI and is a great tool for finding out information about the ActiveX control you are trying to use or fuzz.

Fig 1: Example showing ActiveX info in COMRaider

Next, you can right-click any of the methods or functions and choose to fuzz the library or the interface, and start fuzzing, but we will not use COMRaider for this. This is where Dranzer comes into the picture. It's much, much faster than COMRaider when it comes to fuzzing, but it's a command line tool. Note that Dranzer can also give you information about the COM object you are trying to fuzz, but that information is limited. So, I often use a combination of these two tools for fuzzing.

So, that's it folks for now. I will see you again in Part 2, where I will cover Dranzer in detail as well as using Olly to debug IE crashes.

References:
ActiveX -- Introduction to using ActiveX on the web
OllyDbg -- The Olly debugger for debugging and disassembly.
Dranzer -- The Dranzer ActiveX Fuzzer
COMRaider -- COMRaider ActiveX Fuzzer
