
Exposed Unsafe ActiveX Method [CWE-618]

This weakness describes exposure of dangerous ActiveX methods that perform actions outside the browser's security model.

Created: September 11, 2012
Latest Update: August 6, 2015

Table of Contents

  1. Description
  2. Potential impact
  3. Attack patterns
  4. Affected software
  5. Severity and CVSS Scoring
  6. Mitigations
  7. References
  8. Latest Related Security Advisories

1. Description

This weakness occurs when an ActiveX control is marked as safe for initialization and safe for scripting yet contains dangerous methods that could be used to perform unauthorized actions on the user's system. An ActiveX control is a COM object intended to bring additional functionality to Internet Explorer. As a result it may receive input from an untrusted source, e.g. a webpage, and handle it incorrectly. Buffer errors in exposed methods are also considered unsafe exposure and fall within the scope of this weakness.

The following example demonstrates initialization of the NMSDVDX.DVDEngineX.1 (NMSDVDXU.dll) ActiveX control in the browser and a call to its unsafe EnableLog() method, which creates a log file at an arbitrary location on the system:

  <html>
  <!-- Instantiate the control by CLSID; the page can then script it as "target" -->
  <object classid="clsid:C2FBBB5F-6FF7-4F6B-93A3-7EDB509AA938" id="target"></object>
  <input language="VBScript" onclick="Boom()" type="button" value="Exploit">
  <script language="vbscript">
  Sub Boom()
    ' First argument: path of the file the control will create or overwrite
    arg1 = "FilePath\File_name_to_corrupt_or_create"
    ' Second argument: enable logging
    arg2 = True
    target.EnableLog arg1, arg2
  End Sub
  </script>
  </html>

An attacker can use the first argument of the vulnerable method to pass the full path of a file, which the control then overwrites with its own content, corrupting it.

2. Potential impact

An ActiveX control can be equipped with different functionality depending on its purpose, and the maximum potential impact is bounded by that functionality. In the worst case an attacker might be able to execute arbitrary code on the target system with the privileges of the current user.

3. Attack patterns

An ActiveX control can be subject to different attack patterns, depending on the functionality of the control and its implementation.

4. Affected software

ActiveX controls that are marked as safe for initialization and safe for scripting are potentially affected by this weakness. They can be introduced to the system by different software. In Internet Explorer, use the Tools -> Manage Add-ons menu to see which ActiveX controls are available on the system and could be initialized in the browser.

5. Severity and CVSS Scoring

This weakness should be scored according to the maximum possible impact. Keep in mind that minor user interaction is needed to exploit this vulnerability (e.g. the user must visit a specially crafted webpage), so the access complexity should be medium: AC:M. If an attacker can create files with arbitrary content in arbitrary locations on the target system, he may also create a file in a startup directory, which will be executed when the user reboots the system. In this case it is a remote code execution vulnerability and should be scored as:
9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C) - Critical severity.


We use the CVSSv2 scoring system in our HTB Security Advisories to calculate the risk of discovered vulnerabilities. Not all vulnerabilities are scored in strict accordance with FIRST recommendations. Our CVSSv2 scores are based on our long internal experience in software auditing and penetration testing, taking into consideration many practical nuances and details. Therefore they may sometimes differ from those recommended by FIRST.

6. Mitigations

For developers:
  • When possible, avoid marking the control as safe for scripting.
  • Validate the input passed in every argument of every exposed method and protect the methods against all possible vulnerabilities.
  • When possible, whitelist the domains that are allowed to initialize the control.

For end-users:

The only way for an end-user to protect his computer against an existing vulnerability is to set a kill-bit on the control or disable it through the Manage Add-ons browser menu. To reduce the chances of becoming a victim of this type of attack, do not trust unsigned ActiveX controls.
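The following PowerShell script is an added example, not part of the original advisory. It covers two points above: enumerating the controls registered as safe for scripting or initialization (section 4) and setting the kill-bit on a given CLSID (the end-user mitigation). It assumes a Windows host with PowerShell 3 or later and, for Set-ActiveXKillBit, an elevated session; the function names are the example's own.

```powershell
# Added example (not the advisory's code). Assumes Windows, PowerShell 3+,
# and an elevated session for Set-ActiveXKillBit.
$CatSafeForScripting    = '{7DD95801-9882-11CF-9FA9-00AA006C42C4}'   # CATID_SafeForScripting
$CatSafeForInitializing = '{7DD95802-9882-11CF-9FA9-00AA006C42C4}'   # CATID_SafeForInitializing
$CompatKey = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'

# Returns $true when the kill-bit (Compatibility Flags bit 0x400) is set for a CLSID.
function Test-ActiveXKillBit {
    param([Parameter(Mandatory)][string]$Clsid)
    $p = Join-Path $CompatKey $Clsid
    if (-not (Test-Path $p)) { return $false }
    $flags = (Get-ItemProperty -Path $p -ErrorAction SilentlyContinue).'Compatibility Flags'
    return (($flags -band 0x400) -ne 0)
}

# Lists registered COM classes whose "Implemented Categories" key declares them
# safe for scripting and/or safe for initialization, i.e. the population that
# Internet Explorer will script from a webpage. Controls that answer only via
# IObjectSafety at runtime are not visible through the registry and are not listed.
function Get-SafeMarkedActiveX {
    Get-ChildItem -Path 'HKLM:\SOFTWARE\Classes\CLSID' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $cats = Join-Path $_.PSPath 'Implemented Categories'
            if (-not (Test-Path $cats)) { return }
            $scripting = Test-Path (Join-Path $cats $CatSafeForScripting)
            $init      = Test-Path (Join-Path $cats $CatSafeForInitializing)
            if (-not ($scripting -or $init)) { return }
            [PSCustomObject]@{
                CLSID            = $_.PSChildName
                Name             = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).'(default)'
                SafeForScripting = $scripting
                SafeForInit      = $init
                KillBitSet       = Test-ActiveXKillBit -Clsid $_.PSChildName
            }
        }
}

# Sets the kill-bit so Internet Explorer refuses to instantiate the control.
# Other flag bits already present on the key are preserved.
function Set-ActiveXKillBit {
    param([Parameter(Mandatory)][string]$Clsid)
    $p = Join-Path $CompatKey $Clsid
    if (-not (Test-Path $p)) { New-Item -Path $p -Force | Out-Null }
    $cur = (Get-ItemProperty -Path $p -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($null -eq $cur) { $cur = 0 }
    Set-ItemProperty -Path $p -Name 'Compatibility Flags' -Value ($cur -bor 0x400) -Type DWord
}

# Audit first, then kill-bit the DVDEngineX control from the sample above.
Get-SafeMarkedActiveX | Format-Table CLSID, Name, SafeForScripting, SafeForInit, KillBitSet
Set-ActiveXKillBit -Clsid '{C2FBBB5F-6FF7-4F6B-93A3-7EDB509AA938}'
```

On 64-bit Windows the 32-bit browser reads the same value under HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility, so apply the kill-bit there as well.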

7. References

  1. CWE-618: Exposed Unsafe ActiveX Method [cwe.mitre.org]
  2. Not safe = not dangerous? How to tell if ActiveX vulnerabilities are exploitable in Internet Explorer [blogs.technet.com]
  3. Safe Initialization and Scripting for ActiveX Controls [msdn.microsoft.com]

8. Latest HTB Security Advisories with CWE-618


Copyright Disclaimer: Any above-mentioned content can be copied and used for non-commercial purposes only if proper credit to High-Tech Bridge is given.
