Re: POS#1 Self-Executing HTML: Internet Explorer 5.5 and 6.0 Part III

["Kurt Seifried" <bt () seifried org>]

> > > In our never-ending quest for entertainment, we commece from
> > > this date forward to end-2004 our POS series of findings. That
> > > is the 'perfect operating system'. Today we debut and regurgitate
> > > new and not so new for fun as follows. A warm up for the New Year if
> > > you will !:
> >
> > This is easy to avoid. Just set the kill bit for the affected Active
> > component, Adodb.Stream for which the CLSID is
> > 4B106874-DD36-11D0-8B44-00A024DD9EFF.
>
> {4B106874-DD36-11D0-8B44-00A024DD9EFF} is the Local Troubleshooter
control.
> The ADODB.Stream control, an important part of several current IE
exploits,
> is {00000566-0000-0010-8000-00AA006D2EA4}.
>
> MS KB article about the kill bit:
>
>   <http://support.microsoft.com/support/kb/articles/q240/7/97.asp>
>
> Disable Active scripting for untrusted sites.

Ack, my bad, I cut and paste the wrong one (to many bits to kill, and after
a while CLSID's all look the same). It should also be noted that exploit
code for this problem has been around since early (i.e. first week) of
September, and it at least one major virus has used it.

The good news is that MS is setting kill bits with some service packs, the
bad news is that they aren't publicizing what CLSID's need to be killed.
Listing MS IE installed components is relatively simple:

HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components

The bad news is this does not cover "built-in" components. As well it isn't
always the most helpful:

CLSID: 3bf42070-b3b1-11d1-b5c5-0000f8051515
version: 1.0161.1890.3
uniscribe
USP10

No link in the registry to any files, or what it does. Google indicates it
most likely is Japanese language support.

If anyone knows a tool for finding out the CLSID of an ActiveX object I
would love to know it. Essentially something that would pop up the CLSID of
a program when it runs so when you visit a web page and an activex
components runs or is installed you can get ahold of the CLSID of it.

The MS OLE viewer:

http://www.microsoft.com/com/resources/oleview.asp

Only works for installed ones, one site covering the kill bit says:

"Determine the CLSID for the ActiveX control that you want to disable. If
you are not sure of the CLSID for the control, contact the manufacturer."

Which isn't overly helpful in most cases. Symantec goes with:

"To determine which CLSID corresponds with the ActiveX control that you want
to disable, first remove all of the ActiveX controls that are currently
installed. Then install the control that you want to disable and add the
Kill Bit to its CLSID. "

In other words no good methods for enumerating CLSID's seem to exist.

>   - Art



Kurt Seifried, kurt () seifried org
A15B BEE5 B391 B9AD B0EF
AEB0 AD63 0B4E AD56 E574
http://seifried.org/security/