
Preventing ActiveX Exploits with Cisco Application Control Engine Application Layer Protocol Inspection

Contents

Overview
What is ActiveX?
Understanding ActiveX Attacks
Detecting and Preventing ActiveX Exploitation 
      Leveraging Regular Expressions
      Cisco ACE Application Control Engine Application Layer Protocol Inspection
Conclusion
Acknowledgments
Additional Information
References

Overview

This whitepaper will provide administrators and engineers with an overview of ActiveX controls and information on understanding and preventing the malicious use of ActiveX controls with the Cisco ACE Application Control Engine Application Layer Protocol Inspection feature.

What is ActiveX?

ActiveX is a technology developed by Microsoft. It was introduced in 1996 and is based on the Component Object Model (COM) and Object Linking and Embedding (OLE) technologies. Multiple applications, including the Microsoft Windows applications Internet Explorer, Microsoft Office, Microsoft Visual Studio, and Windows Media Player, enhance their feature sets and encapsulate their functionality as ActiveX controls to embed the functionality into other applications.

ActiveX controls, which are small building blocks of programs (active content), are used to create distributed applications that interoperate over the Internet through the use of web browsers (n.a. 1996, 1). The original intent of ActiveX, defined initially with the advent of COM and OLE, was to provide easily reusable portions of code. This reusability is achieved by creating objects that offer interfaces that can be called by other COM objects or programs (for example, Internet Explorer and its integration with COM). This integration provides the ability to seamlessly interface with Windows and third-party applications through the Internet Explorer browser. In addition, the functionality of Internet Explorer can easily be extended by software developers who create complex applications that interface with websites through the browser.

ActiveX controls are often compared to Java applets because both enable end users to download small programs into their web browsers, which results in more dynamic and interactive web pages (Felten 1997, 1). A major difference between ActiveX controls and Java applets is that ActiveX controls are granted higher levels of control over applications. These additional privileges make them a more attractive target for those individuals looking to perform malicious activities.

Understanding ActiveX Attacks

Over the past few years, there has been a rapid increase in the use and subsequent exploitation of ActiveX controls. Many technologies and tools, such as social networking websites Facebook and Myspace, applications such as Yahoo’s Music Jukebox, Real Network’s RealPlayer, and Apple’s QuickTime, have succumbed to ActiveX exploitation. The wide use of ActiveX translates to its position as a security target for vulnerability research, which leads to the identification of security vulnerabilities and exploits.

Although ActiveX controls are built into the Microsoft operating system and Internet Explorer, it is important to note that applications may install their own ActiveX controls to provide unique functionality through Internet Explorer. In addition, websites install ActiveX controls. Adobe Shockwave is one example, where a pop-up window prompts users to install the Adobe Shockwave ActiveX control.

ActiveX controls are typically identified by their class identifier (CLSID). A CLSID is a unique value associated with each control to differentiate it from other controls. A CLSID key also exists. This key contains information used by the default COM handler to return details about a class when it is in the running state. In the CLSID key, there are thousands of class identifiers that each specify ActiveX controls. The unique string for each CLSID is referred to as the globally unique identifier (GUID). Programmers often use the Guidgen.exe utility to generate these GUIDs. Several public websites list CLSIDs and accompanying information. Three popular websites appear in the following list:

  • Sysinfo (http://www.sysinfo.org/bholist.php)
  • Auto Hot Key (http://www.autohotkey.com/docs/misc/CLSID-List.htm)
  • GUID (http://www.myplugins.info/guids/)

For devices that run the Microsoft Windows operating system, a list of all installed CLSIDs is available at the following registry location:

HKEY_CLASSES_ROOT\CLSID
HKEY_LOCAL_MACHINE\Software\Classes\CLSID

Only a specific subset of these class identifiers can be instantiated by a website because the CLSIDs must be marked as safe and categorized as such. An example is controls that are marked as safe for scripting. A list of CLSIDs that contain this ability is available at the following registry location:

HKEY_CLASSES_ROOT\CLSID\<control clsid>\Implemented Categories

ActiveX controls are also identified through a program identifier (ProgID), which names the control in a user-friendly manner. The ProgID and CLSID relationship is comparable to the interaction between an IP address and DNS. Essentially, CLSIDs can be determined by researching the correlating ProgID. Because this interaction is seamless to Internet Explorer, it proceeds as if the CLSID had been initially provided (Warlord 2008, 4).

There are many forms of ActiveX attacks, many of which consist of a wide range of exploits. One attack involves a crafted web page that leverages a vulnerable ActiveX control in a user's browser to achieve remote code execution. This attack could result in complete control over an affected system.

Detecting and Preventing ActiveX Exploitation

To detect attempts to exploit vulnerable ActiveX controls, administrators can use the following tools:

  • Microsoft OLE/COM object viewer to gather object information, methods, interface data, and other host properties
  • Registry Monitor to monitor the registry for changes by applications and ActiveX functions
  • TCPView to analyze opened TCP and UDP ports and correlate with known exploits
  • Microsoft Windows Debugger to detect ActiveX execution and buffer overflows
  • Host-based intrusion prevention systems (HIPS) such as Cisco Security Agent

See the Additional Information section for links and details about these tools. In addition, the OleView tool can determine if an ActiveX control is marked as safe.

Administrators can also use "fuzzers" to test potential vulnerabilities. Fuzzers are test tools or programs that provide a technique to send or inject invalid, malformed, unexpected, or random data to the inputs of a program. The results from fuzzer testing can be recorded and used to implement mitigations for malicious or unexpected behaviors. For more information regarding fuzzers and fuzzing techniques, see the Additional Information section. H.D. Moore's Axman and iDefense's ComRaider are two fuzzers that have the ability to provide a database of controls that Internet Explorer can recognize (Warlord 2008, 4).

To reduce the likelihood that vulnerable ActiveX controls will be exploited, proper safeguards must be implemented. The following Cisco products can perform mitigation techniques to prevent exploitation of vulnerable ActiveX controls:

  • Cisco ACE 4710 Application Control Engine Appliance
  • Cisco ACE Application Control Engine Module

Leveraging Regular Expressions

A regular expression (regex) matches text strings either literally (as an exact string) or by using metacharacters. Using metacharacters with a regular expression allows a single regex to match multiple variants of a text string. Administrators can use a regular expression to match the content of certain application traffic (for example, matching a URL string inside an HTTP packet).

Use Ctrl+V to escape characters that have special meaning to the command-line interface (CLI), such as a question mark (?) or a tab. For example, type d[Ctrl+V]?g to enter d?g in the configuration. The following table describes metacharacters often used with application layer protocol inspection. 

Table 1. Common Application Protocol Inspection Regex Metacharacters

Metacharacter      Description                   Example          Explanation
------------------------------------------------------------------------------------------------------------------
.*                 Zero or more characters       .*7              Matches the digit 7 preceded by zero or more characters
.                  Matches a single character    ....4            Matches any four characters followed by the number 4
\                  Escape character              \.               Escapes the period so that it matches a literal period and does not act as a wildcard
[ ]                Character range class         [a-z0-9]         Matches a single lowercase letter (a-z) or a single digit (0-9)
( )                Expression grouping           (Cisco-Secure)   Matches the expression "Cisco-Secure"
{min} or {min,}    Quantifier, minimum repeat    A{3,}            Matches a string comprised of three or more instances of the letter A

Many regex constructs are available for matching the strings that identify ActiveX controls. The following examples progress from a basic regular expression to several more advanced options:

Regex example 1: "My favorite color is (green|blue)"

Example 1 shows an exact match (including case and spaces) for the words "My favorite color is ". The "( )" metacharacter indicates a subexpression that segregates characters and phrases so specific actions can be taken on these characters or phrases in isolation. In this case it isolates the words green and blue. The "|" metacharacter is an alternation that indicates the regex will match either of the expressions that it separates. In this example, the regex will match either of the following statements:

  • "My favorite color is green"
  • "My favorite color is blue"

Regex example 2: "[Mm]y favorite color is ([a-zA-Z]+)\."

In example 2, the word "my" can be upper or lowercase, as the "[Mm]" indicates a match on either "M" or "m". Example 2 reflects an exact match (including case and spaces) for the phrase " favorite color is ". The "( )" isolates a subexpression. The "[a-zA-Z]" metacharacter represents a character range class, which indicates a match on any character in the range in the brackets (in this example, any uppercase characters "A-Z" or lowercase characters "a-z"). The "+" metacharacter indicates that there is at least one of the previous expression (in this example, at least one of the expression "[a-zA-Z]"). The "\" represents an escape character. In this example, it escapes the period (.), indicating that the text to be matched must end with a period. Regex example 2 will match a statement that specifies any color in upper or lowercase and uses an upper or lowercase "my" as follows:

  • "My favorite color is brown."
  • "my favorite color is brown."
  • "My favorite color is Orange."
  • "my favorite color is router."

It is important to note the possibility of unintended matches, which is demonstrated in the final statement above.

Regex example 3: "[Mm][Yy](\x20|\x2b)[Ff][Aa][Vv][Oo][Rr][Ii][Tt][Ee](\x20|\x2b)[Cc][Oo][Ll][Oo][Rr](\x20|\x2b)[Ii][Ss](\x20|\x2b)([^\s]+?)[.!]"

In example 3, the "[Mm][Yy]" allows the use of the word "my" in upper and lowercase. The string "(\x20|\x2b)" matches the ASCII character with hexadecimal value "20" (a space) or "2b" (a plus sign) because the "\xNN" metacharacter represents an escaped two-digit hexadecimal number. The "|" is the alternation metacharacter, which indicates a match of either option.

The "[Ff][Aa][Vv][Oo][Rr][Ii][Tt][Ee]" string specifies a match on the word "favorite" in upper or lowercase. The "(\x20|\x2b)" string again matches either ASCII hexadecimal value "20" or "2b". The "[Cc][Oo][Ll][Oo][Rr]" string matches the upper or lowercase syntax of the word "color". Again, either "20" or "2b" is matched. The "[Ii][Ss]" string indicates a match of the word "is" in upper or lowercase followed by a match on either "20" or "2b". In the "([^\s]+?)" string, the "[^\s]" expression indicates a match on a negated character class, or a match on a character that is not contained in the brackets.

In this example, the "[^\s]" matches any character other than whitespace, such as a space or tab. The "+" is a quantifier indicating that there is at least one iteration of the previous expression, "[^\s]". In this context, the "?" indicates that the previous quantifier should match as few characters as possible, which is called nongreedy matching. Lastly, the "[.!]" expression simply indicates a match on any single character in the "[ ]" (either a "." or "!"). The use of a "." in a character class is a special case; when used in this manner, the "." does not act as a metacharacter and will only match a period. The regex for example 3 matches any of the following options:

  • "My favorite color IS red!"
  • "MY FAVORITE COLOR IS RED."
  • "my favorite color is red."
  • "My favorite color is BLUE!"
  • "mY+favORITE cOLOr+iS layer-3-switch!"

A regular expression must consider any possible permutation of the data to be matched.

Cisco ACE Application Control Engine Application Layer Protocol Inspection

Caution: Enabling any additional feature, such as application protocol inspection, may result in a decrease in Cisco ACE Application Control Engine performance. Performance impact should be tested in a lab environment before deployment in production environments.

The invocation of ActiveX controls can also be filtered using application layer protocol inspection and regular expressions on Cisco ACE platforms. When vulnerabilities are discovered in ActiveX controls, vendors typically disclose the specific vulnerable ActiveX CLSID and ProgID values. If these details are provided, regular expressions can be employed in the application layer protocol inspection engine to identify specific strings in a packet and perform specific actions on this traffic as defined by the inspection policy. Regular expressions within application protocol inspection are supported on the Cisco ACE 4710 Application Control Engine Appliance beginning with software version A1(7) and on the Cisco ACE Application Control Engine Module with software version A1(2) and later.

Application protocol inspection is utilized for services that embed IP addressing information in the data packet, open secondary channels on dynamically assigned ports, and require deep packet inspection. The Cisco ACE Application Control Engine analyzes each session of the protocol to properly identify the dynamic ports and permit the data exchange. Numerous protocols use the application layer protocol inspection engine, including HTTP. For a list of applications supported by application protocol inspection and supporting details, refer to "Application Inspection Support" under the Performing Application Protocol Inspection section of the Cisco ACE 4700 Series Appliance Security Configuration Guide.

Utilizing the HTTP deep packet inspection engine on the Cisco ACE Application Control Engine platforms, administrators can configure regular expressions for pattern matching and apply them to the Cisco ACE application inspection policy to inspect the data stream and drop packets that contain specific ActiveX control CLSIDs and ProgIDs. The following example shows HTTP inspection using regular expressions for pattern matching, class maps, and policy maps to create an inspection policy for traffic on TCP ports 80, 3128, 8000, 8010, 8080, 8888, and 24326, which are the default ports for the Cisco Intrusion Prevention System (IPS) #WEBPORTS variable. The inspection policy will leverage two regular expressions to identify packets that contain the CLSID or ProgID of the CA BrightStor ActiveX control. The HTTP application protocol inspection will drop connections where the HTTP response body contains either the CLSID or ProgID of the BrightStor ActiveX control.

Caution: The configured regular expressions could match any text strings in the body of an HTTP response. Care should be taken to ensure that legitimate business applications that use matching text strings without calling the ActiveX control are not impacted.

The following configuration example may be applied to the Cisco ACE appliance or module:

!
!--- Configure an HTTP application inspection class for the
!--- ActiveX Class ID BF6EFFF3-4558-4C4C-ADAF-A87891C5F3A3
!--- and ActiveX Program ID LISTCTRL.ListCtrlCtrl.1 that is
!--- associated with the CA BrightStor ActiveX control. The
!--- HTTP body is matched against the defined regexes. The use
!--- of ".*" is very common and indicates that zero or more
!--- characters are to be identified, which is typically the
!--- case in any regex.
!
class-map type http inspect match-any vulnerable-activeX-http-class
 match content ".*[bB][fF]6[eE][fF][fF][fF]3[-]4558[-]4[cC]4[cC][-][aA][dD][aA][fF][-][aA]87891[cC]5[fF]3[aA]3.*"
 match content ".*[lL][iI][sS][tT][cC][tT][rR][lL]\x2e[lL][iI][sS][tT][cC][tT][rR][lL][cC][tT][rR][lL]\x2e1.*"
!
!--- Configure an HTTP application inspection policy that matches
!--- and resets connections that contain the regexes configured
!--- above. Note the "match-any" vs "match-all" keyword in the
!--- class map that is configured above. "match-any" identifies a
!--- packet as matching if any one of the regular expressions
!--- matches. "match-all" requires that all stated expressions be
!--- matched for a packet to be placed in the class.
!
policy-map type inspect http all-match vulnerable-activeX-http-policy
 class vulnerable-activeX-http-class
  reset

Note: If either the CLSID or ProgID is unknown, or if either changes, the use of "match-any" is critical because it allows a match on either parameter. Also note the "reset" action, which denies the specified HTTP traffic by sending a TCP reset message to the client or server to close the connection.

!
!--- Configure an access list that will be used to match
!--- packets that are destined to TCP ports 80 (www), 3128, 8000,
!--- 8010, 8080, 8888, and 24326, which define the default ports
!--- that are used by the Cisco IPS #WEBPORTS variable.
!
access-list WEBPORTS extended permit tcp any any eq www
access-list WEBPORTS extended permit tcp any any eq 3128
access-list WEBPORTS extended permit tcp any any eq 8000
access-list WEBPORTS extended permit tcp any any eq 8010
access-list WEBPORTS extended permit tcp any any eq 8080
access-list WEBPORTS extended permit tcp any any eq 8888
access-list WEBPORTS extended permit tcp any any eq 24326
!
!--- Configure a Layer 4 class map that uses the above-configured
!--- access-list to match TCP traffic that is destined to the
!--- ports used by the Cisco IPS #WEBPORTS variable.
!
class-map match-all L4-http-class
 match access-list WEBPORTS
!
!--- Configure a Layer 4 policy that applies the HTTP application
!--- inspection policy to the defined class map to drop
!--- connections that contain the regular expression for the
!--- affected ActiveX Class ID or Program ID that is configured above.
!
policy-map multi-match L4-http-inspect-policy
 class L4-http-class
  inspect http policy vulnerable-activeX-http-policy
!
!--- The configuration can be applied to a specific interface as
!--- defined in the following example. Applying the policy to a specific
!--- interface results in the inspection of traffic that enters the
!--- Cisco ACE Application Control Engine from this specific interface only.
!
interface vlan 500
 service-policy input L4-http-inspect-policy
!
!--- Alternatively, the configuration can be applied globally as
!--- follows, which results in the inspection of traffic from all
!--- interfaces.
!
service-policy input L4-http-inspect-policy

Note: The key differentiator in applying the policy to an interface versus applying it globally is the configuration mode in which the command is entered. Entering the service-policy input L4-http-inspect-policy command under global configuration mode applies the policy globally, whereas applying the same command under an interface applies it only to that interface.
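As an added example that is not part of the Cisco document, the following Python script emulates the class map above by running the two "match content" regexes, copied verbatim, over constructed HTTP response bodies. It shows the "match-any" versus "match-all" difference and the false-positive case from the Caution above, where a page that merely mentions the CLSID in text is also reset. The all-zeros CLSID in the benign sample is a placeholder, and the sample bodies are constructed, not captured traffic.

```python
import re

# The two "match content" regexes from the class map, copied verbatim.
# Python's re engine accepts this syntax unchanged: [-] is a literal
# hyphen and \x2e is a literal period (the escape is resolved before
# matching, so it is not a wildcard). The leading/trailing .* are kept.
CLSID_REGEX = (r".*[bB][fF]6[eE][fF][fF][fF]3[-]4558[-]4[cC]4[cC][-]"
               r"[aA][dD][aA][fF][-][aA]87891[cC]5[fF]3[aA]3.*")
PROGID_REGEX = (r".*[lL][iI][sS][tT][cC][tT][rR][lL]\x2e[lL][iI][sS][tT]"
                r"[cC][tT][rR][lL][cC][tT][rR][lL]\x2e1.*")

# Name -> compiled pattern, mirroring the two "match content" lines.
CLASS_MAP = {
    "clsid": re.compile(CLSID_REGEX),
    "progid": re.compile(PROGID_REGEX),
}


def classify_body(body: str, mode: str = "match-any") -> dict:
    """Emulate the class map against one HTTP response body.

    mode="match-any": the body is in the class if any regex matches.
    mode="match-all": the body is in the class only if every regex matches.
    Returns the names of the patterns that matched and the policy action
    ("reset" when the body falls into the class, otherwise "allow").
    """
    matched = [name for name, pat in CLASS_MAP.items() if pat.search(body)]
    if mode == "match-any":
        in_class = bool(matched)
    elif mode == "match-all":
        in_class = len(matched) == len(CLASS_MAP)
    else:
        raise ValueError(f"unknown class-map mode {mode!r}")
    return {"matched": matched, "action": "reset" if in_class else "allow"}


# Constructed sample response bodies (not captured traffic).
SAMPLES = {
    # Page that instantiates the control by CLSID in an <object> tag.
    "object_tag": (
        "<html><body>\n"
        '<object classid="clsid:BF6EFFF3-4558-4C4C-ADAF-A87891C5F3A3" '
        'id="lc"></object>\n</body></html>\n'
    ),
    # Page that instantiates the control by ProgID from script.
    "script_progid": (
        "<html><body><script>\n"
        'var o = new ActiveXObject("LISTCTRL.ListCtrlCtrl.1");\n'
        "</script></body></html>\n"
    ),
    # Lowercase CLSID: still matched because of the [bB][fF]... classes.
    "lowercase_clsid": (
        '<object classid="clsid:bf6efff3-4558-4c4c-adaf-a87891c5f3a3">'
        "</object>\n"
    ),
    # Benign page loading an unrelated control (placeholder CLSID).
    "benign": (
        '<object classid="clsid:00000000-0000-0000-0000-000000000000">'
        "</object>\n"
    ),
    # Advisory page that only mentions the identifiers in text: also
    # reset. This is the false-positive case the Caution warns about.
    "advisory_text": (
        "<p>Affected control: CLSID BF6EFFF3-4558-4C4C-ADAF-A87891C5F3A3 "
        "(LISTCTRL.ListCtrlCtrl.1). Please update.</p>\n"
    ),
}


def run_policy(mode: str = "match-any") -> dict:
    """Classify every sample body under the given class-map mode."""
    return {name: classify_body(body, mode) for name, body in SAMPLES.items()}


if __name__ == "__main__":
    for mode in ("match-any", "match-all"):
        print(f"== class-map type http inspect {mode} ==")
        for name, result in run_policy(mode).items():
            print(f"{name:16s} matched={result['matched']!s:20s} "
                  f"action={result['action']}")
```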

!
!--- To verify the statistics of the application protocol
!--- inspection, use the show service-policy command, which
!--- displays all policy maps applied globally or to an interface
!--- and their policy statistics.
!
switch/Admin# show service-policy
Policy-map : L4-http-inspect-policy
Status : ACTIVE
-----------------------------------------
Context Global Policy:
service-policy: L4-http-inspect-policy
class: L4-http-class
inspect http:
L7 inspect policy : vulnerable-activeX-http-policy
Url Logging: DISABLED
curr conns : 127 , hit count : 6
dropped conns : 6
client pkt count : 54 , client byte count: 1253
server pkt count : 29 , server byte count: 1191
conn-rate-limit : 0 , drop-count : 0
bandwidth-rate-limit : 0 , drop-count : 0
L4 policy stats:
Total Req/Resp: 435 , Total Allowed: 421
Total Dropped : 14 , Total Logged : 0

switch/Admin#
!
!--- For more granularity, specify the specific inspection
!--- (HTTP) policy using the detail command:
!
switch/Admin# show service-policy L4-http-inspect-policy detail
Policy-map : L4-http-inspect-policy
Status : ACTIVE
Description:
-----------------------------------------
Context Global Policy:
service-policy: L4-http-inspect-policy
class: L4-http-class
inspect http:
L7 inspect policy : vulnerable-activeX-http-policy
Url Logging: DISABLED
curr conns : 0 , hit count : 0
dropped conns : 0
client pkt count : 0 , client byte count: 0
server pkt count : 0 , server byte count: 0
conn-rate-limit : 0 , drop-count : 0
bandwidth-rate-limit : 0 , drop-count : 0
L4 policy stats:
Total Req/Resp: 435 , Total Allowed: 421
Total Dropped : 14 , Total Logged : 0
L7 Inspect policy : vulnerable-activeX-http-policy
class/match : vulnerable-activeX-http-class
Inspect action :
reset
Total Inspected : 435 , Total Matched: 14
Total Dropped OnError: 0
!
!--- System log (Syslog) messages can also be used to verify the ActiveX
!--- control is matched and discarded. Syslog message 415007 is
!--- generated when the message body matches the regular
!--- expression that has been configured.
!
switch/Admin# show logging | include 415007
Oct 1 2009 15:26:43: %ACE-5-415007: HTTP - matched vulnerable-activeX-http-class in policy-map vulnerable-activeX-http-policy, Body matched - Dropping connection from 192.168.240.97/6618 to 192.168.60.65/80 Connection 343
Oct 1 2009 15:30:33: %ACE-5-415007: HTTP - matched vulnerable-activeX-http-class in policy-map vulnerable-activeX-http-policy, Body matched - Dropping connection from 192.168.240.97/6618 to 192.168.60.65/8080 Connection 401

For further information regarding the system log message 415007, refer to the log message in the Cisco ACE 4700 Series Appliance System Message Guide documentation.

Conclusion

The ability to understand protocols is essential to properly detecting and preventing attacks. As applications have increased their reliance on protocols and technological concepts and tools such as ActiveX, it is imperative that administrators and engineers understand the numerous aspects and implications of ActiveX controls, as well as the technology, including the configuration solutions that are required to prevent such attacks.

The ability to leverage the network as an integral mitigation solution is no longer a possibility, but is rather a necessity. Cisco products, such as the Cisco ACE Application Control Engine Module, offer a powerful feature set that fills this void, increases data security, and filters attacks and miscreant behaviors before they impact network resources.

Acknowledgments

Andrae Middleton (amiddlet@cisco.com)                           
Security Intelligence Engineer

Andrae Middleton is a member of the Security Intelligence Operations organization at Cisco. Additional content produced by Security Intelligence Engineering is located in the Security Intelligence Best Practices section of the Cisco Security Intelligence Operations portal.

Additional Information

Microsoft OLE/COM Object Viewer               
http://msdn.microsoft.com/en-us/library/d0kh9f4c(VS.80).aspx

Microsoft RegMon                       
http://technet.microsoft.com/en-us/sysinternals/bb896652.aspx

Sysinternals          
http://www.pctools.com/guides/software/detail/26/

Shareware 
http://www.freedownloadscenter.com/Utilities/System_Analysis_Utilities/Active_Registry_Monitor.html

TCPView                                 
http://technet.microsoft.com/en-us/sysinternals/bb897437.aspx

Microsoft Windows Debugger  
http://www.microsoft.com/whdc/DevTools/Debugging/default.mspx

Fuzzing 
http://www.fuzzing.org/
http://pages.cs.wisc.edu/~bart/fuzz/
http://www.owasp.org/index.php/Fuzzing
http://www.krakowlabs.com/1of.html
http://peachfuzzer.com/
http://code.google.com/p/sulley/

References

Security Tradeoffs: Java vs. ActiveX
http://www.cs.princeton.edu/sip/java-vs-activex.html

Microsoft Announces ActiveX Technologies
http://www.microsoft.com/presspass/press/1996/mar96/activxpr.mspx

ActiveX Active Exploitation
http://nologin.org/main.pl?action=papersList&


This document is part of Cisco Security Research & Operations.

This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document at any time.
