This whitepaper will provide administrators and engineers with an overview of ActiveX controls and information on understanding and preventing the malicious use of ActiveX controls with the Cisco ACE Application Control Engine Application Layer Protocol Inspection feature.
What is ActiveX?
ActiveX is a technology developed by Microsoft. It was introduced in 1996 and is based on the Component Object Model (COM) and Object Linking and Embedding (OLE) technologies. Multiple applications, including the Microsoft Windows applications Internet Explorer, Microsoft Office, Microsoft Visual Studio, and Windows Media Player, enhance their feature sets and encapsulate their functionality as ActiveX controls to embed the functionality into other applications.
ActiveX controls, which are small building blocks of programs (active content), are used to create distributed applications that interoperate over the Internet through the use of web browsers (n.a. 1996, 1). The original intent of ActiveX, defined initially with the advent of COM and OLE, was to provide easily reusable portions of code. This reusability is achieved by creating objects that offer interfaces that can be called by other COM objects or programs (for example, Internet Explorer and its integration with COM). This integration provides the ability to seamlessly interface with Windows and third-party applications through the Internet Explorer browser. In addition, the functionality of Internet Explorer can easily be extended by software developers who create complex applications that interface with websites through the browser.
ActiveX controls are often compared to Java applets because both enable end users to download small programs into their web browsers, which results in more dynamic and interactive web pages (Felten 1997, 1). A major difference between ActiveX controls and Java applets is that ActiveX controls are granted higher levels of control over applications. These additional privileges make them a more attractive target for individuals looking to perform malicious activities.
Understanding ActiveX Attacks
Over the past few years, there has been a rapid increase in the use and subsequent exploitation of ActiveX controls. Many technologies and tools, including the social networking websites Facebook and Myspace and applications such as Yahoo’s Music Jukebox, Real Network’s RealPlayer, and Apple’s QuickTime, have succumbed to ActiveX exploitation. Because ActiveX is so widely used, it is a frequent target of vulnerability research, which leads to the identification of security vulnerabilities and exploits.
Although ActiveX controls are built into the Microsoft operating system and Internet Explorer, it is important to note that applications may install their own ActiveX controls to provide unique functionality through Internet Explorer. In addition, websites install ActiveX controls. Adobe Shockwave is one example, where a pop-up window prompts users to install the Adobe Shockwave ActiveX control.
ActiveX controls are typically identified by their class identifier (CLSID). A CLSID is a unique value associated with each control to differentiate it from other controls. A CLSID key also exists. This key contains information used by the default COM handler to return details about a class when it is in the running state. In the CLSID key, there are thousands of class identifiers that each specify ActiveX controls. The unique string for each CLSID is referred to as the globally unique identifier (GUID). Programmers often use the Guidgen.exe utility to generate these GUIDs. Several public websites list CLSIDs and accompanying information. Three popular websites appear in the following list:
For devices that run the Microsoft Windows operating system, a list of all installed CLSIDs is available at the following registry location:
Only a specific subset of these class identifiers can be instantiated by a website because the CLSIDs must be marked as safe and categorized as such. An example is controls that are marked as safe for scripting. A list of CLSIDs that contain this ability is available at the following registry location:
HKEY_CLASSES_ROOT\CLSID\<control clsid>\Implemented Categories
ActiveX controls are also identified through a program identifier (ProgID), which names the control in a user-friendly manner. The ProgID and CLSID relationship is comparable to the interaction between an IP address and DNS. Essentially, CLSIDs can be determined by researching the correlating ProgID. Because this interaction is seamless to Internet Explorer, it proceeds as if the CLSID had been initially provided (Warlord 2008, 4).
There are many forms of ActiveX attacks, many of which consist of a wide range of exploits. One attack involves a crafted web page that leverages a vulnerable ActiveX control in a user's browser to achieve remote code execution. This attack could result in complete control over an affected system.
Detecting and Preventing ActiveX Exploitation
To detect attempts to exploit vulnerable ActiveX controls, administrators can use the following tools:
See the Additional Information section for links and details about these tools. In addition, the OleView tool can determine if an ActiveX control is marked as safe.
Administrators can also use "fuzzers" to test potential vulnerabilities. Fuzzers are test tools or programs that send or inject invalid, malformed, unexpected, or random data into the inputs of a program. The results from fuzzer testing can be recorded and used to implement mitigations for malicious or unexpected behaviors. For more information regarding fuzzers and fuzzing techniques, see the Additional Information section. H.D. Moore's Axman and iDefense's ComRaider are two fuzzers that have the ability to provide a database of controls that Internet Explorer can recognize (Warlord 2008, 4).
To reduce the likelihood that vulnerable ActiveX controls will be exploited, proper safeguards must be implemented. The following Cisco products can perform mitigation techniques to prevent exploitation of vulnerable ActiveX controls:
Leveraging Regular Expressions
A regular expression (regex) matches text strings either literally (as an exact string) or by using metacharacters. Using metacharacters with a regular expression allows a single regex to match multiple variants of a text string. Administrators can use a regular expression to match the content of certain application traffic (for example, matching a URL string inside an HTTP packet).
Use Ctrl+V to escape characters that have special meaning to the command-line interface (CLI), such as a question mark (?) or a tab. For example, type d[Ctrl+V]?g to enter d?g in the configuration. The following table describes metacharacters often used with application layer protocol inspection. For a more extensive table, refer to the characters supported in regular expressions table in the Cisco ACE 4700 Series Appliance Command Reference.
Table 1. Common Application Protocol Inspection Regex Metacharacters
Many regex options exist that aid in preventing the use of ActiveX controls. The following examples progress from basic regular expressions to more advanced options:
Regex example 1: "My favorite color is (green|blue)"
Example 1 shows an exact match (including case and spaces) for the words "My favorite color is ". The "( )" metacharacter indicates a subexpression that segregates characters and phrases so specific actions can be taken on these characters or phrases in isolation. In this case it isolates the words green and blue. The "|" metacharacter is an alternation that indicates the regex will match either expression that it separates. In this example, the regex will match either of the following statements:
Regex example 2: "[Mm]y favorite color is ([a-zA-Z]+)\."
In example 2, the word "my" can be upper or lowercase, as the "[Mm]" indicates a match on either "M" or "m". Example 2 reflects an exact match (including case and spaces) for the phrase " favorite color is ". The "( )" isolate a subexpression. The "[a-zA-Z]" metacharacter represents a character range class, which indicates a match on any character in the range in the brackets (in this example, any uppercase characters "A-Z" or lowercase characters "a-z"). The "+" metacharacter indicates that there is at least one of the previous expression (in this example, at least one of the expression "[a-zA-Z]"). The "\" represents an escape character. In this example, it escapes the period (.), indicating that the text to be matched must end with a period. Regex example 2 will match a statement that specifies any color in upper or lowercase and uses an upper or lowercase "my" as follows:
It is important to note the possibility of unintended matches, which is demonstrated in the final statement above.
Regex example 3: "[Mm][Yy](\x20|\x2b)[Ff][Aa][Vv][Oo][Rr][Ii][Tt][Ee](\x20|\x2b)[Cc][Oo][Ll\x7c][Oo][Rr](\x20|\x2b)[Ii][Ss](\x20|\x2b)([^\s]+?)[.!]"
In example 3, the "[Mm][Yy]" allows the use of the word "my" in upper and lowercase. The string "(\x20|\x2b)" matches the ASCII hexadecimal integer "20" or "2b" because the "\xNN" metacharacter represents an escaped two-digit hexadecimal number. The "|" is the alternation metacharacter, which indicates a match of either option.
The "[Ff][Aa][Vv][Oo][Rr][Ii][Tt][Ee]" string specifies a match on the word "favorite" in upper or lowercase. The "(\x20|\x2b)" string again matches either ASCII hexadecimal integer "20" or "2b". The "[Cc][Oo][Ll][Oo][Rr]" string matches the upper or lowercase syntax of the word "color". Again, either "20" or "2b" is matched. The "[Ii][Ss]" string indicates a match of the word "is" in upper or lowercase followed by a match on either "20" or "2b". In the "([^\s]+?)" string, the "[^\s]" expression indicates a match on a negated character class, or a match on a character that is not contained in the brackets.
In this example, the "[^\s]" matches any character other than whitespace, such as a space or tab. The "+" is a quantifier indicating that there is at least one iteration of the previous expression, which here is "[^\s]". In this context, the "?" indicates that the previous quantifier should match as few characters as possible, which is called nongreedy matching. Lastly, the "[.!]" expression simply indicates a match on any single character in the "[ ]" (either a "." or "!"). The use of a "." in a character class is a special case; when used in this manner, the "." does not act as a metacharacter and will only match a period. The regex for example 3 matches any of the following options:
A regular expression must consider any possible permutation of the data to be matched.
Cisco ACE Application Control Engine Application Layer Protocol Inspection
Caution: Enabling any additional feature, such as application protocol inspection, may result in a decrease in Cisco ACE Application Control Engine performance. Performance impact should be tested in a lab environment before deployment in production environments.
The invocation of ActiveX controls can also be filtered using application layer protocol inspection and regular expressions on Cisco ACE platforms. When vulnerabilities are discovered in ActiveX controls, vendors typically disclose the specific vulnerable ActiveX CLSID and ProgID values. If these details are provided, regular expressions can be employed in the application layer protocol inspection engine to identify specific strings in a packet and perform specific actions on this traffic as defined by the inspection policy. Regular expressions within application protocol inspection are supported on the Cisco ACE 4710 Application Control Engine Appliance beginning with software version A1(7) and on the Cisco ACE Application Control Engine Module with software version A1(2) and later.
Application protocol inspection is utilized for services that embed IP addressing information in the data packet, open secondary channels on dynamically assigned ports, and require a deep packet inspection. The Cisco ACE Application Control Engine analyzes each session of the protocol to properly identify the dynamic ports and permit the data exchange. Numerous protocols use the application layer protocol inspection engine, including HTTP.
Utilizing the HTTP deep packet inspection engine on the Cisco ACE Application Control Engine platforms, administrators can configure regular expressions for pattern matching and apply them to the Cisco ACE application inspection policy to inspect the data stream and drop packets that contain specific ActiveX control CLSIDs and ProgIDs. The following example shows HTTP inspection using regular expressions for pattern matching, class maps, and policy maps to create an inspection policy for traffic on TCP ports 80, 3128, 8000, 8010, 8080, 8888, and 24326, which are the default ports for the Cisco Intrusion Prevention System (IPS) #WEBPORTS variable. The inspection policy will leverage two regular expressions to identify packets that contain the CLSID or ProgID of the CA BrightStor ActiveX control. The HTTP application protocol inspection will drop connections where the HTTP response body contains either the CLSID or ProgID of the Brightstor ActiveX control.
Caution: The configured regular expressions could match any text strings in the body of an HTTP response. Care should be taken to ensure that legitimate business applications that use matching text strings without calling the ActiveX control are not impacted.
The following configuration example may be applied to the Cisco ACE appliance or module:
!
!--- Configure an HTTP application inspection class for the
!--- ActiveX Class ID BF6EFFF3-4558-4C4C-ADAF-A87891C5F3A3
!--- and ActiveX Program ID LISTCTRL.ListCtrlCtrl.1 that is
!--- associated with the CA Brightstor ActiveX control.
!--- the defined regex. The use of ".*" is very common and
!--- indicates that zero or more characters are to be
!--- identified, which is typically the case in any regex.
!
class-map type http inspect match-any vulnerable-activeX-http-class
  match content ".*[bB][fF]6[eE][fF][fF][fF]3[-]4558[-]4[cC]4[cC][-][aA][dD][aA][fF][-][aA]87891[cC]5[fF]3[aA]3.*"
  match content ".*[lL][iI][sS][tT][cC][tT][rR][lL]\x2e[lL][iI][sS][tT][cC][tT][rR][lL][cC][tT][rR][lL]\x2e1.*"
!
!--- Configure an HTTP application inspection policy that matches
!--- and resets connections that contain the regexes configured
!--- above. Note the "match-any" vs "match-all" in the class map
!--- that is configured above.
!--- The "match-any" string identifies a packet as matching
!--- if the regular expressions match. Match-all
!--- requires that all stated expressions be matched for a packet
!--- to be placed in the class.
!
Note: If either the CLSID or ProgID is unknown or if either change, the use of "match-any" is critical because it will allow the match on either parameter. Also note the "reset" action, which denies the specified HTTP traffic by sending a TCP reset message to the client or server to close the connection. For more details, refer to the Cisco ACE 4700 Series Appliance Command Reference.
policy-map type inspect http all-match vulnerable-activeX-http-policy
  class vulnerable-activeX-http-class
    reset
!
!--- Configure an access list that will be used to match
!--- packets that are destined to TCP ports 80 (www), 3128, 8000,
!--- 8010, 8080, 8888, and 24326, which define the default ports
!--- that are used by the Cisco IPS #WEBPORTS variable.
!
access-list WEBPORTS extended permit tcp any any eq www
Note: The key differentiator in applying the policy to an interface versus applying it globally is the configuration mode in which the command is entered. Entering the service-policy input L4-http-inspect-policy command under global configuration mode applies the policy globally, whereas applying the same command under an interface applies it only to that interface.
!
!--- To verify the statistics of the application protocol
!--- inspection, use the show service-policy command, which
!--- displays all policy maps applied globally or to an interface
!--- and their policy statistics.
!
switch/Admin# show service-policy
For further information regarding the system log message 415007, refer to the log message in the Cisco ACE 4700 Series Appliance System Message Guide documentation.
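The "match content" patterns in the class map above can be generated from a disclosed CLSID and ProgID and checked offline before deployment. The following is an added example, not part of the original whitepaper or Cisco's tooling; it assumes Python's re module as an approximate stand-in for the ACE regex engine, and the helper names and response bodies are constructed for illustration.

```python
import re

# Values taken from the configuration on this page.
CLSID = "BF6EFFF3-4558-4C4C-ADAF-A87891C5F3A3"
PROGID = "LISTCTRL.ListCtrlCtrl.1"


def ace_literal(text):
    """Expand a literal into the case-insensitive form used in the class map."""
    parts = []
    for ch in text:
        if ch.isalpha():
            parts.append("[%s%s]" % (ch.lower(), ch.upper()))
        elif ch.isdigit():
            parts.append(ch)
        elif ch == "-":
            parts.append("[-]")
        else:
            # Any other character (for example ".") is written as \xNN so
            # it cannot be read as a metacharacter.
            parts.append("\\x%02x" % ord(ch))
    return "".join(parts)


def ace_match_content(text):
    """Return the quoted-string body for an ACE 'match content' line."""
    return ".*" + ace_literal(text) + ".*"


PATTERNS = {"clsid": ace_match_content(CLSID), "progid": ace_match_content(PROGID)}


def matched(body):
    """Names of the patterns that hit a response body (match-any semantics)."""
    return sorted(name for name, rx in PATTERNS.items()
                  if re.search(rx, body, re.DOTALL))


# Constructed HTTP response bodies (hypothetical, not captured traffic).
SAMPLES = {
    "object_tag": '<object classid="clsid:bf6efff3-4558-4c4c-adaf-a87891c5f3a3"></object>',
    "script_progid": '<script>var c = new ActiveXObject("ListCtrl.ListCtrlCtrl.1");</script>',
    "benign": "<html><body>Quarterly report</body></html>",
    # Text that only mentions the CLSID: the false positive the Caution describes.
    "advisory_text": "<p>Affected control: {BF6EFFF3-4558-4C4C-ADAF-A87891C5F3A3}</p>",
}

if __name__ == "__main__":
    for name, rx in PATTERNS.items():
        print('match content "%s"' % rx)
    for label, body in SAMPLES.items():
        hits = matched(body)
        print("%-14s %s" % (label, "reset (" + ", ".join(hits) + ")" if hits else "pass"))
```

The "advisory_text" sample is reset even though it never instantiates the control, which is the behavior to test against legitimate business applications before applying the policy.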
The ability to understand protocols is essential to properly detecting and preventing attacks. As applications have increased their reliance on protocols and technological concepts and tools such as ActiveX, it is imperative that administrators and engineers understand the numerous aspects and implications of ActiveX controls, as well as the technology, including the configuration solutions that are required to prevent such attacks.
The ability to leverage the network as an integral mitigation solution is no longer merely a possibility but a necessity. Cisco products, such as the Cisco ACE Application Control Engine Module, offer a powerful feature set that fills this void, increases data security, and filters attacks and miscreant behaviors before they impact network resources.
Andrae Middleton (firstname.lastname@example.org)
Andrae Middleton is a member of the Security Intelligence Operations organization at Cisco. Additional content produced by Security Intelligence Engineering is located in the Security Intelligence Best Practices section of the Cisco Security Intelligence Operations portal.
Microsoft OLE/COM Object Viewer
Microsoft Windows Debugger
Security Tradeoffs: Java vs. ActiveX
Microsoft Announces ActiveX Technologies
ActiveX Active Exploitation
This document is part of Cisco Security Intelligence Operations.
This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document at any time.