New ActiveX security problems in Windows 98 PCs

[dmurray () JSBSYSTEMS COM (David N. Murray)]

I saw this come across comp.risks and thought it was appropriate for
Bugtraq.  I haven't seen anything about it on Bugtraq before.
-dave

Date: Thu, 22 Jul 1999 22:12:27 -0400
From: "Richard M. Smith" <smiths () tiac net>
Subject: New ActiveX security problems in Windows 98 PCs

At work, I recently started using a new HP Pavilion computer that is
running
Windows 98.  As part of ongoing research into Internet security issues,
I
discovered that this computer was shipped with 2 ActiveX controls, which
are
extremely dangerous.  These controls can be easily misused on a Web page
to
gain access to the computer and run programs. More worrisome however
script
code can be embedded in an HTML Email messages and the controls accessed
in
Outlook, Outlook Express, and Eudora.  The controls are marked "safe"
for
scripting even though they can do things like launch programs and read
and
write the Windows registry.

Using these controls, some of the malicious things that can be done
include:

   - Automatically install a computer virus or other malicious software
     on a system.

   - Turn off all Windows security checking, making a system wide-open
     for future attacks.

   - Read personal files for the local hard disk and silently upload
     them to a remote Web site.

   - Delete document files from the local hard drive.

   - Remove Windows system files so that a system can no longer be
booted.

With less than 30 minutes of effort, I was able to construct a test
Email
message that downloads a Windows executable file from a remote FTP site
and
installs it on the local hard drive using one of these ActiveX controls.
After the file is successful installed, it then is executed.  For my
test
message, I download and run the Windows calculator.  However, the Email
message can download any Windows program such as the ExplorerZip virus
or
Back Orifice 2000 install program.  In Outlook Express, this all happens
automatically when the Email message is read.  There are no attachments
that
have to be clicked on and no warnings with default security settings.

My test Email message contains only about 10 lines of JavaScript code to
direct one of the HP ActiveX controls to do the download and run the
program.  Anyone with experience in JavaScript programming could easily
duplicate the code that I wrote.  For obvious reasons, I will not be
publically releasing this test Email message.

Microsoft's Authenticode security system built into Internet Explorer is
of
no use here because the ActiveX controls are pre-installed on the
computer
and not downloaded from the Internet.  Authenticode only allows users to
prevent downloading of questionable ActiveX controls, not their
execution
once they are installed on a system.

The ActiveX controls are shipped on the HP system for use in system
diagnostic package called SystemWizard.  This package is a product of
SystemSoft (<http://www.systemsoft.com>).  The intention is these
controls
would only be used in SystemWizard and no where else.  However, because
the
controls are marked safe for scripting, any Web page or Email message
can
use the controls in any manner they like.  The controls either never
should
have marked safe in the first place or the controls need to do their own
security checking.  Unfortunately neither precaution was taken.

The two SystemSoft controls are just thin wrappers around a number of
Win32
system calls.  The Launch ActiveX control allows a JavaScript program to
run
a DOS or Windows program and pass in command line parameters.  The
RegObj
ActiveX control allows a JavaScript program to read, set, and scan
registry
keys.  The controls are accessed on a Web page simply by including an
HTML
<OBJECT> tag with appropriate parameters.  Pretty obviously, it is not a
good idea to allow JavaScript programs to make direct Win32 system calls
with such ease!

To give an idea how easy the Launch control is to misuse, the following
JavaScript call will remove the contents of someone's entire "My
documents"
directory using the old DOS deltree command:

    Launch('c:\\command.com', '/c deltree /y "c:\\My documents\\*.*"');

Both of the SystemWizard ActiveX controls were created last year and my
understanding have been shipped on most HP desktop systems in the US
retail
channel for at least the last 6 months.  The number of computers, which
are
vulnerable, is therefore quite substantial.  The same controls may also
being shipped on other brands of computers.

After being alerted to the problems of these two controls, SystemSoft is
providing a patch file to fix the security holes.  This patch file can
be
downloaded from their Web site at this URL:

   <http://www.systemsoft.com/support/syswiz/index.htm>

In addition to the two SystemSoft ActiveX controls, I also found an
another
ActiveX control pre-installed on the HP system with a privacy leak in
it.
The control can give out Windows 98 registration information such as
name,
address, and phone number to a Web site.  This control was supplied by
Encompass Corporation (now part of Yahoo) and is used in an ISP sign-up
program.  The control is marked safe for scripting on a new computer,
but is
marked unsafe for scripting the first time dial-up networking (DUN) is
used
on the system.  This issue is specific to this machine/build of the
software.  Unfortunately on my HP system, I use a LAN connection to
access
the Internet and therefore the Encompass control stays marked safe for
scripting forever and could give out registration information (limited
to
name, address, phone number) to a malicious person.  Since I didn't use
the
dial-up portion of the ISP sign up, I just removed the registration
application by going to the add/remove program files and choosing the
"Easy
Internet Access" application.  The control also remains safe for
scripting
if one uses AOL as an ISP because AOL does not use DUN support in
Windows
98.

Since Encompass has distributed versions of the software on a different
machines, I've put together a demo page that will test a system to see
if
the system has a version of the control that could release registration
information to a malicious person.  The test page can be found at:

   <http://www.tiac.net/users/smiths/acctroj/reginfo.htm>

I also upgrade from version 4 of Internet Explorer to version 5 on the
HP
system.  Unfortunately this upgrade installed yet another dangerous
ActiveX
control on the system.  This control is the DHTML editing control, which
can
be easily misused to read files from the local hard drive and upload
them to
a Web server.  This bug was discovered in March 1999 and has been fixed
by
Microsoft but the majority of IE5 users still are vulnerable because not
many people know about the problem.  A security bulletin and patch for
this
ActiveX control can be found on the Microsoft Web site:

   <http://www.microsoft.com/security/bulletins/ms99-011.asp>

How did so many of these insecure ActiveX controls get installed on my
computer in the first place?  Because Internet Explorer (IE4 or IE5)
comes
bundled with Windows 98, it is becoming an increasing popular for
computer
manufacturers to build specialized utilities for their PCs using IE4
just
like HP has done.  These utilities include registration software, ISP
sign-up programs, and shells for running common applications.  With
Internet
Explorer 4 it is very easy to develop user-interfaces for these types of
utilities using standard HTML pages.  ActiveX controls are then
typically
used in these applications to provide low-level access to the Windows
operating system to do things like run applications, access the
registry, or
read and write files.  These controls are only suppose to be used inside
the
applications they are designed for.  However, IE4 has no built-in
mechanism
for restricting use of a particular ActiveX control to be used with
particular Web pages.  Therefore it is up to application developer to
provide a security mechanism in their ActiveX controls.

After looking at the problems of the HP system, I decided to check out
other
new Windows 98 systems from other computer manufacturers for similar
unsafe
ActiveX controls.  The first thing I discovered that is very common for
manufacturers to ship utilities built as Web pages on their computers.
Most
of these applications included ActiveX controls for doing things like
running programs and accessing the registry.  The controls had names
like
"SpawnApp", "SafeLanuch", "RegRead", and "Run".  However, because I
didn't
have direct access to these systems, I have no method to test to see if
these controls can be misused or not.  Because their is no built-in
security
system in place for pre-installed ActiveX controls it is up to the
person
who writes the control to make sure they are safe.  I have inquired to a
number of computer manufacturers about the controls I saw, but so far
have
not received back any responses.  Given the subtle nature of ActiveX
security issues, I wouldn't be surprised that other computer models have
serious security problems also.

A typical Windows 98 system today ships with about 50 pre-installed
ActiveX
controls that are marked safe for scripting.  Because ActiveX controls
are
Win32 programs it's not possible to really know if a control is really
safe
or not.  The developer's claims about safety cannot necessarily be
trusted.
Without systematic and detailed testing it is not possible to know if
given
control is really safe.  I don't believe full testing is really being
done
today.  For example, here is information about another Microsoft ActiveX
control that is still being distributed with the Windows 98 Resource Kit
today:

   <http://support.microsoft.com/support/kb/articles/Q218/6/19.ASP>

This Resource Kit ActiveX control allows Windows programs to be
executed from a Web page or HTML Email message.

What can users do about all of these different ActiveX security holes?
One
approach is download patches to fix security holes as they are found.
Unfortunately for most user's it is not possible to know what ActiveX
controls are even installed on their system, never mind knowing which
ones
are really safe.  It might require going to 4 or 5 different Web sites
just
sees what security patches are available.  A pretty impossible task for
almost anyone.

One easy thing users can do is completely turn off ActiveX controls in
Internet Explorer.  This is done on the security tab of the "Internet
Options..." command in Internet Explorer.  This option however is only
available if the Web site that one goes to don't use ActiveX controls.

What can computer manufacturers and software companies do about the
problem
of security holes in pre-installed ActiveX controls?  As it turns out,
Internet Explorer 5 already offers a great solution.  IE5 supports a new
feature called HTML applications (or .HTA files).  An HTML Application
is
built like a Web page but can only be loaded and execute from the hard
drive.  Because an .HTA file comes from the local drive and not the
Internet, scripts on the page are a completely trusted and are allowed
to
use all ActiveX controls installed on a system whether the controls are
marked safe or not.  For an HTML application, none of its private
ActiveX
controls have to marked safe for scripting and therefore the controls
cannot
be misused on Web pages.

For current systems, my recommendation is that computer manufacturers
need
to review carefully all the ActiveX controls which are pre-installed on
computers that are going out the door.  In the review, each control
needs to
be checked for potential security problems.  It is particularly
important to
look at controls, which make Win32 system calls to load and execute
other
programs, read and write files, and access the registry.

I've created a Web page on my personal Web site that will check to see
what
potentially unsafe ActiveX controls are installed on a system.  The URL
for
the test page is:

   <http://www.tiac.net/users/smiths/acctroj/axcheck.htm>

Security problems with ActiveX controls have been a concern for a long
time,
because these controls are binary programs that are allow to make any
kind
of Windows system call.  The industry has mostly been worried about
ActiveX
controls that were intentionally created with malicious code.  Microsoft
addresses these concerns with the Authenticode security system which
allows
users to decide if they trust a particular author enough to run controls
that the author has written.  Authenticode is based on adding digital
signatures to controls.

However, the pattern I see here is a much different issue.  Instead we
have
computer and software vendors installing ActiveX controls on systems
without
any notification and these controls for whatever reasons contain
security
holes in them.  As I've pointed out here, I found 4 different ActiveX
controls on my HP system for 3 different vendors which compromised the
safety on my system.  Not exactly a great track record!  Going forward I
hope that PC makers take a closer look at that the ActiveX controls that
they are shipping on their systems.  You never know who might be using
that
hidden-away ActiveX to create problems for us computer users.