HackingExposedChapter12

Internet Client Vulnerabilities

* Of the numerous techniques to exploit internet end users

• Software exploits are the most the despicable
• This is because software usually permits hackers to do their bidding with little of no visibility on the part of the victim.

ActiveX

* Microsoft ActiveX

• Microsoft answer to Java
• First real attempt a a model for portable, remotely consumable software applications
• ActiveX applications or controls
• Can be written to perform specific functions
• Such as displaying a movie or sound file
• Can be embedded in a web page to provide this functionality
  • Example
  • Like Microsoft’s Object Linking and Embedding (OLE) supports embedding of Excel spreadsheets within Word docs
  • Usually the .ocx file extension
• When Internet Explorer encounters a web page with an embedded ActiveX control (or Multiple Controls)
• First checks user’s local system Registry to find to find out whether that component is available on the user’s machine
• If it is, IE displays the webpage, loads the control into the browser’s memory address space, and executes it’s code.

• If the control is not already installed on the user’s computer, IE downloads and installs the control using the location specified within the <OBECT> tag.

• Optionally, it verifies the origin of the code using Authenticode and then executes that code
  • Controls are downloaded to the location specified by the Registry string value

• (REG_SZ)HKLM\SOFTWARE\MICROSOFT\WINDOWS\CurrentVersion\Internet Settings\ActiveXCache

• Default in XP is %systemroot%\Downloaded Program Files

ActiveX Security Model

* Acting within the model described in the previous section malicious programmers could write ActiveX controls to do just about anything they want to a user’s machine. * The thing that stands in the way is the Microsoft’s Authentication paradigm. * Authenticode allows developers to “sign” their code using cryptographic mechanism that can be authenticated by IE and a third party before the code is executed. (VeriSign Corporation is typically the third party)

• Example of how ActiveX could be used to for malicious activity
• 1996 Fred Mclain wrote an ActiveX control that shutdown the user’s system cleanly (if it was running Windows 95 with advanced power management).
• Called Internet Exploder
• Safe for Scripting
• Was the next significant security challenge
• The way people could get a malicious program on your computer by simply visiting their website is manipulating the Scriptlet ActiveX control
• Scriptlet.typelib can create, edit, and overwrite files on the hard disk.
• Eyedog has the ability to query the Registry and gather machine characteristics

ActiveX Abuse Countermeasures

* From a developers perspective, don’t write safe-for-scripting controls that could perform privileged actions on a user’s system. * Restrict or disable ActiveX through the use of Microsoft Internet Explorer security zones.

Java

* Created by Sun Micro Systems * Was created primarily to enable portable, remotely consumable software applications. * Differed from ActiveX in that it included a security ”sandbox” that restrains the programmers from making many of the mistakes that lead to security problems, such as buffer overflows.

• Vulnerabilities Found
• November 2004, Jouko Pynnonene published an advisory on a devastating vulnerability in Sun’s Java Plug-in, which permits browsers to run java applets
• The vulnerability essentially allowed malicious web pages to disable Java’s security restrictions and break out of the Java sandbox, effectively neutering the security of the platform.

Java Countermeasures

* Restrict Java trough the use of Microsoft Internet Explorer security zones. * Non-IE consult documentation on how to restrict.

JavaScript and Active Scripting

* Originally “LiveScript” and is still associated with Sun’s Java, but is actually a separate scripting language created by Netscape. * Blend of Perl- like ease-of-use with c/c++ like power

• Made it popular
• Also makes it attractive to hackers
• Makes it easy to fool the user into entering sensitive information

• Microsoft platforms execute JavaScript and other client-side scripting languages using Component Object Model (COM) – Based technology called Active Scripting

• Security issues not caused by technology, but by the abuse of power and accessibility they give you.

JavaScript Countermeasures

*Restrict JavaScript and Active Scripting trough the use of Microsoft Internet Explorer security zones.

Back to Cptr427Winter2010