- CWE-22: Path Traversal
- CWE-78: OS Command Injection
- CWE-79: Cross-Site Scripting
- CWE-89: SQL Injection
- CWE-90: LDAP Injection
- CWE-91: XML Injection
- CWE-94: Code Injection
- CWE-98: PHP File Inclusion
- CWE-113: HTTP Response Splitting
- CWE-119: Buffer Errors
- CWE-130: Improper Handling of Length Parameter Inconsistency
- CWE-193: Off-by-one Error
- CWE-200: Information Exposure
- CWE-211: Information Exposure Through Externally-Generated Error Message
- CWE-236: Improper Handling of Undefined Parameters
- CWE-276: Incorrect Default Permissions
- CWE-284: Improper Access Control
- CWE-287: Improper Authentication
- CWE-345: Insufficient Verification of Data Authenticity
- CWE-352: Cross-Site Request Forgery
- CWE-384: Session Fixation
- CWE-427: Uncontrolled Search Path Element
- CWE-434: Unrestricted Upload of File with Dangerous Type
- CWE-476: NULL Pointer Dereference
- CWE-601: Open Redirect
- CWE-613: Insufficient Session Expiration
- CWE-618: Exposed Unsafe ActiveX Method
- CWE-671: Lack of Administrator Control over Security
- CWE-822: Untrusted Pointer Dereference
- CWE-835: Infinite Loop
CWE is a trademark of the MITRE Corporation.
Exposed Unsafe ActiveX Method [CWE-618]
This weakness describes exposure of dangerous ActiveX methods that perform actions outside the browser's security model.
Created: September 11, 2012
Latest Update: August 6, 2015
Table of Content
- Potential impact
- Attack patterns
- Affected software
- Severity and CVSS Scoring
- Latest Related Security Advisories
This weakness occurs when an ActiveX control is marked as safe for initialization and safe for scripting and contains dangerous methods which could be used to perform unauthorized actions on user's system. ActiveX control is a COM object intended to bring additional functionality to Internet Explorer. As a result it might receive input from an untrusted source, e.g. a webpage, and incorrectly handle it. Buffer errors in methods are also considered unsafe exposure and are topic for discussion within scope of this weakness.
The following example demonstrates initialization of the NMSDVDX.DVDEngineX.1 (NMSDVDXU.dll) ActiveX control in browser which uses unsafe
EnableLog() method to create a logfile in arbitrary location on the system:
- <object classid="clsid:C2FBBB5F-6FF7-4F6B-93A3-7EDB509AA938" id="target"></object>
- <input language=VBScript onclick=Boom() type=button value="Exploit">
- <script language = "vbscript">
- Sub Boom()
- target.EnableLog arg1 ,arg2
- End Sub
An attacker can use first argument of the vulnerable method to pass full path to the file and overwrite it with some content, and eventually corrupt it.
2. Potential impact
An ActiveX control can be equipped with different functionalities depending on the purpose of the control. The maximum potential impact is limited by its functionality. In worst case scenario an attacker might be able to execute arbitrary code on the target system with privileges of the current user.
3. Attack patterns
ActiveX control can be subject to different attack patterns which depend on the functionality of the control and its implementation.
4. Affected software
ActiveX controls that are marked as safe for initialization and safe for scripting are potentially vulnerable for this weakness. They can be introduced to the system by different software. In Internet Explorer use Tools->Manage Add-ons browser menu to see which ActiveX controls are available on the system and could be initialized in browser.
5. Severity and CVSS Scoring
This weakness should be scored depending on the maximum possible impact. Keep in mind that small user interaction is needed to exploit this vulnerability (e.g. a user must visit a specially crafted webpage), so the access complexity score should be medium: AC:M. If an attacker can create files on the target system with arbitrary content and in arbitrary locations, he may also create a file in a startup directory, which will be executed when user reboots his system. In this case, it is a remote code execution vulnerability and it should be scored as:
9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C) - Critical severity.
We use CVSSv2 scoring system in our HTB Security Advisories to calculate the risk of the discovered vulnerabilities. Not all of the vulnerabilities are scored in strict accordance to FIRST recommendations. Our CVSSv2 scores are based on our long internal experience in software auditing and penetration testing, taking into consideration a lot of practical nuances and details. Therefore, sometimes they may differ from those ones that are recommended by FIRST.
- When possible avoid marking the control as safe for scripting.
- Perform validation of input on all arguments and protect them against all possible vulnerabilities.
- When possible whitelist domains that can initialize the control.
The only way for an end-user to protect his computer in case of existing vulnerability is to set a kill-bit on the control or disable it through the Manage Add-ons browser menu. In order to reduce the chances to be a victim of this type of attack do not trust unsigned activex controls.
- CWE-618: Exposed Unsafe ActiveX Method [cwe.mitre.org]
- Not safe = not dangerous? How to tell if ActiveX vulnerabilities are exploitable in Internet Explorer [blogs.technet.com]
- Safe Initialization and Scripting for ActiveX Controls [msdn.microsoft.com]
8. Latest HTB Security Advisories with CWE-618
- HTB23128: McAfee Virtual Technician ActiveX Control Insecure Method
- HTB23024: StudioLine Photo Basic 3 ActiveX control Insecure Method
- HTB23020: Multiple Vulnerabilities in ThreeDify Designer ActiveX Control
- HTB23026: Paltalk Messenger ActiveX Control Multiple Insecure Methods
- HTB23013: Insecure Method in aTube Catcher ActiveX Control
Copyright Disclaimer: Any above-mentioned content can be copied and used for non-commercial purposes only if proper credit to High-Tech Bridge is given.↑ Back to Top