The Web Application Hacker’s Handbook Discovering and Exploiting Security Flaws

Attacking ActiveX Controls

We described in Chapter 5 how applications can use various thick-client technologies to distribute some of the application's processing to the client side. ActiveX controls are of particular interest to an attacker who is targeting other users. When an application installs a control in order to invoke it from its own pages, the control must be registered as "safe for scripting" (either by listing its CLSID under the CATID_SafeForScripting component category, {7DD95801-9882-11CF-9FA9-00AA006C42C4}, in the registry, or by having the control implement IObjectSafety). Once this has occurred, any other web site accessed by the user can make use of that control: the scripting permission attaches to the control itself, not to the site that installed it.

Browsers do not accept just any ActiveX control that a web site requests them to install. By default, when a web site seeks to install a control, the browser presents a security warning and asks the user for permission. The user can decide whether they trust the web site issuing the control, and allow it to be installed accordingly. However, if they do so, and the control contains any vulnerabilities, these can be exploited by any malicious web site visited by the user.

There are two main categories of vulnerability commonly found within ActiveX controls that are of interest to an attacker:

■ Because ActiveX controls are typically written in native languages such as C/C++, they are at risk from classic software vulnerabilities such as buffer overflows, integer bugs, and format string flaws (see Chapter 15 for more details). In recent years, a huge number of these vulnerabilities have been identified within the ActiveX controls issued by popular web applications, such as online gaming sites. These vulnerabilities can normally be exploited to cause arbitrary code execution on the computer of the victim user.

■ Many ActiveX controls contain methods that are inherently dangerous and vulnerable to misuse, because they hand a caller-controlled string straight to the host operating system. For example:

  ■ LaunchExe(BSTR ExeName)

  ■ SaveFile(BSTR FileName, BSTR Url)

  ■ LoadLibrary(BSTR LibraryPath)

  ■ ExecuteCommand(BSTR Command)

Methods like these are usually implemented by developers in order to build some flexibility into their control, enabling them to extend its functionality in future without needing to deploy a fresh control altogether. However, once the control is installed and marked safe for scripting, it can of course be "extended" in the same way by any malicious web site in order to carry out undesirable actions against the user, since the control cannot tell which origin is calling it.
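The following is an added example, not code from the book: a small triage script, runnable under Node.js, that parses the method declarations of a control's scriptable interface (as dumped from its type library in IDL form) and flags methods of the inherently dangerous kind listed above. The interface `IExampleCtl` and its declarations are constructed for illustration; four of the methods are the ones named in the text, the other two are benign controls for comparison. The name and parameter patterns are assumptions about what usually signals a host side effect, not a definitive list.

```javascript
// Added example: triage an ActiveX control's scriptable interface for
// inherently dangerous methods. Constructed IDL; not from any real control.
const SAMPLE_IDL = `
interface IExampleCtl : IDispatch {
    [id(1)] HRESULT GetVersion([out, retval] BSTR* Version);
    [id(2)] HRESULT LaunchExe([in] BSTR ExeName);
    [id(3)] HRESULT SaveFile([in] BSTR FileName, [in] BSTR Url);
    [id(4)] HRESULT LoadLibrary([in] BSTR LibraryPath);
    [id(5)] HRESULT ExecuteCommand([in] BSTR Command);
    [id(6)] HRESULT SetColour([in] long Colour);
};
`;

// Verbs that imply an effect on the host (process, file, library or shell).
// Heuristic chosen for this example; extend it for the control under test.
const SIDE_EFFECT_VERB =
  /^(launch|exec|run|shell|spawn|load|save|write|del|download|upload|open|create|copy|move|kill|install|uninstall)/i;

// Parameter names suggesting the caller picks a path, URL or command line.
const HOST_RESOURCE_PARAM = /(path|file|dir|url|uri|cmd|command|exe|lib|dll|script)/i;

// Parse every "HRESULT Name(params)" declaration into { name, params }.
// Each param is { attrs, type, name }; IDL params with no attribute block
// default to [in].
function parseMethods(idl) {
  const methodRe = /HRESULT\s+(\w+)\s*\(([^)]*)\)/g;
  const methods = [];
  let m;
  while ((m = methodRe.exec(idl)) !== null) {
    // Commas inside "[out, retval]" must not split the parameter list.
    const normalised = m[2].replace(/\[[^\]]*\]/g, (attr) => attr.replace(/,/g, ';'));
    const params = normalised
      .split(',')
      .map((p) => p.trim())
      .filter((p) => p.length > 0)
      .map((p) => {
        const attrMatch = p.match(/^\[([^\]]*)\]\s*(.*)$/);
        const attrs = attrMatch ? attrMatch[1].split(';').map((a) => a.trim()) : ['in'];
        const decl = (attrMatch ? attrMatch[2] : p).split(/\s+/);
        return { attrs, type: decl.slice(0, -1).join(' '), name: decl[decl.length - 1] };
      });
    methods.push({ name: m[1], params });
  }
  return methods;
}

// Reasons a method deserves manual review; [] when nothing stands out.
function dangerReasons(method) {
  const reasons = [];
  if (SIDE_EFFECT_VERB.test(method.name)) {
    reasons.push('verb in method name implies a host side effect');
  }
  for (const p of method.params) {
    // Only [in] BSTR parameters are under the calling page's control.
    if (p.attrs.includes('in') && p.type === 'BSTR' && HOST_RESOURCE_PARAM.test(p.name)) {
      reasons.push(`caller-controlled string parameter ${p.name}`);
    }
  }
  return reasons;
}

// Every flagged method of the interface, in declaration order.
function triage(idl) {
  return parseMethods(idl)
    .map((meth) => ({ name: meth.name, reasons: dangerReasons(meth) }))
    .filter((hit) => hit.reasons.length > 0);
}

for (const hit of triage(SAMPLE_IDL)) {
  console.log(`${hit.name}: ${hit.reasons.join('; ')}`);
}
```

The output is a review list, not a verdict: a method called `Open` may be harmless and an innocuously named one may still write to disk, so each hit should be confirmed by hosting a page on an origin other than the installing site, instantiating the control from script in Internet Explorer with `new ActiveXObject("<ProgID>")`, and calling the method with a test argument. If the call succeeds from that foreign origin, the control is exposed exactly as the text describes.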
