Overview
What is ActiveX?
Understanding ActiveX Attacks
Detecting and Preventing ActiveX Exploitation
Leveraging Regular Expressions
Cisco ACE Application Control Engine Application Layer Protocol Inspection
Conclusion
Acknowledgments
Additional Information
References
This whitepaper will provide administrators and engineers with an overview of ActiveX controls and information on understanding and preventing the malicious use of ActiveX controls with the Cisco ACE Application Control Engine Application Layer Protocol Inspection feature.
ActiveX is a technology developed by Microsoft. It was introduced in 1996 and is based on the Component Object Model (COM) and Object Linking and Embedding (OLE) technologies. Multiple applications, including the Microsoft Windows applications Internet Explorer, Microsoft Office, Microsoft Visual Studio, and Windows Media Player, enhance their feature sets and encapsulate their functionality as ActiveX controls to embed the functionality into other applications.
ActiveX controls, which are small building blocks of programs (active content), are used to create distributed applications that interoperate over the Internet through the use of web browsers (n.a. 1996, 1). The original intent of ActiveX, defined initially with the advent of COM and OLE, was to provide easily reusable portions of code. This reusability is achieved by creating objects that offer interfaces that can be called by other COM objects or programs (for example, Internet Explorer and its integration with COM). This integration provides the ability to seamlessly interface with Windows and third-party applications through the Internet Explorer browser. In addition, the functionality of Internet Explorer can easily be extended by software developers who create complex applications that interface with websites through the browser.
ActiveX controls are often compared to Java applets because both enable end users to download small programs into their web browsers, which results in more dynamic and interactive web pages (Felten 1997, 1). A major difference between ActiveX controls and Java applets is that ActiveX controls are granted higher levels of control over applications. These additional privileges makes them a more attractive target for those individuals looking to perform malicious activities.
Over the past few years, there has been a rapid increase in the use and subsequent exploitation of ActiveX controls. Many technologies and tools, such as social networking websites Facebook and Myspace, applications such as Yahoo’s Music Jukebox, Real Network’s RealPlayer, and Apple’s QuickTime, have succumbed to ActiveX exploitation. The wide use of ActiveX translates to its position as a security target for vulnerability research, which leads to the identification of security vulnerabilities and exploits.
Although ActiveX controls are built into the Microsoft operating system and Internet Explorer, it is important to note that applications may install their own ActiveX controls to provide unique functionality through Internet Explorer. In addition, websites install ActiveX controls. Adobe Shockwave is one example, where a pop-up window prompts users to install the Adobe Shockwave ActiveX control.
ActiveX controls are typically identified by their class identifier (CLSID). A CLSID is a unique value associated with each control to differentiate it from other controls. A CLSID key also exists. This key contains information used by the default COM handler to return details about a class when it is in the running state. In the CLSID key, there are thousands of class identifiers that each specify ActiveX controls. The unique string for each CLSID is referred to as the globally unique identifier (GUID). Programmers often use the Guidgen.exe utility to generate these GUIDs. Several public websites, such as Auto Hot Key, list CLSIDs and accompanying information.
For devices that run the Microsoft Windows operating system, a list of all installed CLSIDs is available at the following registry location:
HKEY_CLASSES_ROOT\CLSID HKEY_LOCAL_MACHINE\Software\Classes\CLSID
Only a specific subset of these class identifiers can be instantiated by a website because the CLSIDs must be marked as safe and categorized as such. An example is controls that are marked as safe for scripting. A list of CLSIDs that contain this ability is available at the following registry location:
HKEY_CLASSES_ROOT\CLSID\<control clsid>\Implemented Categories
ActiveX controls are also identified through a program identifier (ProgID), which names the control in a user-friendly manner. The ProgID and CLSID relationship is comparable to the interation between an IP address and DNS. Essentially, CLSIDs can be determined by researching the correlating ProgID. Because this interaction is seamless to Internet Explorer, it proceeds as if the CLSID had been initially provided (Warlord 2008, 4).
There are many forms of ActiveX attacks, many of which consist of a wide range of exploits. One attack involves a crafted web page that leverages a vulnerable ActiveX control in a user's browser to achieve remote code execution. This attack could result in complete control over an affected system.
To detect attempts to exploit vulnerable ActiveX controls, administrators can use the following tools:
See the Additional Information section for links and details about these tools. In addition, the OleView tool can determine if an ActiveX control is marked as safe.
Administrators can also use "fuzzers " to test potential vulnerabilities. Fuzzers are test tools or programs that provide a technique to send or inject invalid, malformed, unexpected, or random data to the inputs of a program. The results from fuzzer testing can be recorded and used to implement mitigations for malicious or unexpected behaviors. For more information regarding fuzzers and fuzzing techniques, see the Additional Information section. H.D. Moore's Axman and iDefense's ComRaider are two fuzzers that have the ability to provide a database of controls that Internet Explorer can recognize (Warlord 2008, 4).
To reduce the likelihood that vulnerable ActiveX controls will be exploited, proper safeguards must be implemented. The following Cisco products can perform mitigation techniques to prevent exploitation of vulnerable ActiveX controls:
A regular expression (regex) matches text strings either literally (as an exact string) or by using metacharacters. Using metacharacters with a regular expression allows a single regex to match multiple variants of a text string. Administrators can use a regular expression to match the content of certain application traffic (for example, matching a URL string inside an HTTP packet).
Use Ctrl+V to escape characters that have special meaning to the command-line interface (CLI), such as a question mark (?) or a tab. For example, type d[Ctrl+V]?g to enter d?g in the configuration. The following table describes metacharacters often used with application layer protocol inspection.
Table 1. Common Application Protocol Inspection Regex Metacharacters
| Metacharacter | Description | Example | Explanation |
|---|---|---|---|
| .* | Zero or more characters | .*7 | Matches the digit 7 |
| . | Matches a single character | ....4 | Matches any four characters followed by the number 4 |
| \ | Escape character | \. | Escapes the period character so that it matches a period and does not act as a wildcard |
| [ ] | Character range class | [a-z0-9] | Matches a single lower case letter (a-z) or a single digit |
| () | Expression grouping | (Cisco-Secure) | Matches the expression "Cisco-Secure" |
| {min} or {min,} | Quantifier, minimum repeat | A{3,} | Matches a string comprised of three or more instances of the letter A |
Many regex options that aid in preventing ActiveX controls exist. The following examples display basic regular expressions to several more advanced options:
Regex example 1: "My favorite color is (green|blue)"
Example 1 shows an exact match (including case and spaces) for the words "My favorite color is ". The "( )" metacharacter indicates a subexpression that segregates characters and phrases so specific actions can be taken on these characters or phrases in isolation. In this case it isolates the words green and blue. The "|" metacharacter is an alternation that indicates the regex will match either expression that is separates. In this example, the regex will match either of the following statements:
Regex example 2: "[Mm]y favorite color is ([a-zA-Z]+)\."
In example 2, the word "my" can be upper or lowercase, as the "[Mm]" indicates a match on either "M" or "m". Example 2 reflects an exact match (including case and spaces) for the phrase " favorite color is ". The "( )" isolate a subexpression. The "[a-zA-Z]" metacharacter represents a character range class, which indicates a match on any character in the range in the brackets (in this example, any uppercase characters "A-Z" or lowercase characters "a-z"). The "+" metacharacter indicates that there is at least one of the previous expression (in this example, at least one of the expression "[a-zA-Z]"). The "\" represents an escape character. In this example, it escapes the period (.), indicating that the text to be matched must end with a period. Regex example 2 will match a statement that specifies any color in upper or lowercase and uses an upper or lowercase "my" as follows:
It is important to note the possibility of unintended matches, which is demonstrated in the final statement above.
Regex example 3: "[Mm][Yy](\x20|\x2b)[Ff][Aa][Vv][Oo][Rr][Ii][Tt][Ee](\x20|\x2b)[Cc][Oo][Ll\x7c][Oo][Rr](\x20|\x2b)[Ii][Ss](\x20|\x2b)([^\s]+?)[.!]"
In example 3, the "[Mm][Yy]" allows the use of the word "my" in upper and lowercase. The string "(\x20|\x2b)" matches the ASCII hexadecimal integer "20" or "2b" because the "\xNN" metacharacter represents an escaped two-digit hexadecimal number. The "|" is the alternation metacharacter, which indicates a match of either option.
The"[Ff][Aa][Vv][Oo][Rr][Ii][Tt][Ee]" string specifies a match on the word "favorite" in upper or lowercase. The "(\x20|\x2b)" string again matches either ASCII hexadecimal integer "20" or "2b". The "[Cc][Oo][Ll][Oo][Rr]" string matches the upper or lowercase syntax of the word "color". Again, either "20" or "2b" is matched. The "[Ii][Ss]" string indicates a match of the word "is" in upper or lowercase followed by a match on either "20" or "2b". In the "([^\s]+?)" string, the "[^\s]" expression indicates a match on a negated character class, or a match on a character that is not contained in the brackets.
In this example, the "[^\s]" matches any character other than whitespace, such as a space or tab. The "+" is a quantifier indicating that there is at least one of the previous expression. The "+" indicates that there is at least one iteration of the expression "[^\s]". In this context, the "?" indicates that the previous quantifier should match as few characters as possible, which is called nongreedy matching. Lastly, the "[.!]" expression simply indicates a match on any single character in the "[ ]" (either a "." or "!"). The use of a "." in a character class is a special case; when used in this manner, the "." does not act as a metacharacter and will only match a period. The regex for example 3 matches any of the following options:
A regular expression must consider any possible permutation of the data to be matched.
Caution: Enabling any additional feature, such as application protocol inspection, may result in a decrease in Cisco ACE Application Control Engine performance. Performance impact should be tested in a lab environment before deployment in production environments.
The invocation of ActiveX controls can also be filtered using application layer protocol inspection and regular expressions on Cisco ACE platforms. When vulnerabilities are discovered in ActiveX controls, vendors typically disclose the specific vulnerable ActiveX CLSID and ProgID values. If these details are provided, regular expressions can be employed in the application layer protocol inspection engine to identify specific strings in a packet and perform specific actions on this traffic as defined by the inspection policy. Regular expressions within application protocol inspection are supported on the Cisco ACE 4710 Application Control Engine Appliance beginning with software version A1(7) and on the Cisco ACE Application Control Engine Module with software version A1(2) and later.
Application protocol inspection is utilized for services that embed IP addressing information in the data packet, open secondary channels on dynamically assigned ports, and require a deep packet inspection. The Cisco ACE Application Control Engine analyzes each session of the protocol to properly identify the dynamic ports and permit the data exchange. Numerous protocols use the application layer protocol inspection engine, including HTTP .
For a list of applications supported by application protocol inspection and supporting details, refer to "Application Inspection Support" under the Performing Application Protocol Inspection section of the Cisco ACE 4700 Series Appliance Security Configuration Guide.
Utilizing the HTTP deep packet inspection engine on the Cisco ACE Application Control Engine platforms, administrators can configure regular expressions for pattern matching and apply them to the Cisco ACE application inspection policy to inspect the data stream and drop packets that contain specific ActiveX control CLSIDs and ProgIDs. The following example shows HTTP inspection using regular expressions for pattern matching, class maps, and policy maps to create an inspection policy for traffic on TCP ports 80, 3128, 8000, 8010, 8080, 8888, and 24326, which are the default ports for the Cisco Intrusion Prevention System (IPS) #WEBPORTS variable. The inspection policy will leverage two regular expressions to identify packets that contain the CLSID or ProgID of the CA BrightStor ActiveX control. The HTTP application protocol inspection will drop connections where the HTTP response body contains either the CLSID or ProgID of the Brightstor ActiveX control.
Caution: The configured regular expressions could match any text strings in the body of an HTTP response. Care should be taken to ensure that legitimate business applications that use matching text strings without calling the ActiveX control are not impacted.
The following configuration example may be applied to the Cisco ACE appliance or module:
! !--- Configure an HTTP application inspection class for the !--- ActiveX Class ID BF6EFFF3-4558-4C4C-ADAF-A87891C5F3A3 !--- and ActiveX Program ID LISTCTRL.ListCtrlCtrl.1 that is !--- associated with the CA Brightstor ActiveX control. !--- the defined regex. The use of ".*" is very common and !--- indicates that zero or more characters are to be !--- identified, which is typically the case in any regex. ! class-map type http inspect match-any vulnerable-activeX-http-class match content ".*[bB][fF]6[eE][fF][fF][fF]3[-]4558[-]4[cC]4[cC][-][aA][dD][aA][fF][-][aA]87891[cC]5[fF]3[aA]3.*" match content ".*[lL][iI][sS][tT][cC][tT][rR][lL]\x2e[lL][iI][sS][tT][cC][tT][rR][lL][cC][tT][rR][lL]\x2e1.*" ! !--- Configure an HTTP application inspection policy that matches !--- and resets connections that contain the regexes configured !--- above. Note the "match-any" vs "match-all" in the class map !--- that is configured above. !--- The "match-any" string identifies a packet as matching !--- if the regular expressions match. Match-all !--- requires that all stated expressions be matched for a packet !--- to be placed in the class. ! class-map type http inspect match-any vulnerable-activeX-http-class match content ".*[bB][fF]6[eE][fF][fF][fF]3[-]4558[-]4[cC]4[cC][-][aA][dD][aA][fF][-][aA]87891[cC]5[fF]3[aA]3.*" match content ".*[lL][iI][sS][tT][cC][tT][rR][lL]\x2e[lL][iI][sS][tT][cC][tT][rR][lL][cC][tT][rR][lL]\x2e1.*"
Note: If either the CLSID or ProgID is unknown or if either change, the use of "match-any" is critical because it will allow the match on either parameter. Also note the "reset" action, which denies the specified HTTP traffic by sending a TCP reset message to the client or server to close the connection
policy-map type inspect http all-match vulnerable-activeX-http-policy class vulnerable-activeX-http-class reset ! !--- Configure an access list that will be used to match !--- packets that are destined to TCP ports 80 (www), 3128, 8000, !--- 8010,8080, 8888, and 24326, which define the default ports !--- that are used by the Cisco IPS #WEBPORTS variable. ! access-list WEBPORTS extended permit tcp any any eq www access-list WEBPORTS extended permit tcp any any eq 3128 access-list WEBPORTS extended permit tcp any any eq 8000 access-list WEBPORTS extended permit tcp any any eq 8010 access-list WEBPORTS extended permit tcp any any eq 8080
access-list WEBPORTS extended permit tcp any any eq 8888 access-list WEBPORTS extended permit tcp any any eq 24326 ! !--- Configure a Layer 4 class map that uses the above-configured !--- access-list to match TCP traffic that is destined to the !--- ports used by the Cisco IPS #WEBPORTS variable. class-map match-all L4-http-class match access-list WEBPORTS ! !--- Configure a Layer 4 policy that applies the HTTP application !--- inspection policy to the defined class map to drop !--- connections that contain the regular expression for the !--- affected ActiveX Class ID or Program ID that is configured above. policy-map multi-match L4-http-inspect-policy class L4-http-class inspect http policy vulnerable-activeX-http-policy ! !--- The configuration can be applied to a specific interface as !--- defined in the following example. Applying the policy to a specific !--- interface results in the inspection of traffic that enters the !--- Cisco ACE Application Control Engine from this specific interface only. interface vlan 500 service-policy input L4-http-inspect-policy ! !--- Alternatively, the configuration can be applied globally as !--- follows, which results in the inspection of traffic from all !--- interfaces. service-policy input L4-http-inspect-policy
Note: The key differentiator in applying the policy to an interface versus applying it globally is the configuration mode in which the command is entered. Entering the service-policy input L4-http-inspect-policy command under global configuration mode applies the policy globally, whereas applying the same command under an interface applies it only to that interface.
! !--- To verify the statistics of the application protocol !--- inspection, use the show service-policy command, which !--- displays all policy maps applied globally or to an interface !--- and their policy statistics. ! switch/Admin# show service-policy Policy-map : L4-http-inspect-policy Status : ACTIVE ----------------------------------------- Context Global Policy: service-policy: L4-http-inspect-policy class: L4-http-class inspect http: L7 inspect policy : vulnerable-activeX-http-policy Url Logging: DISABLED curr conns : 127 , hit count : 6 dropped conns : 6 client pkt count : 54 , client byte count: 1253 server pkt count : 29 , server byte count: 1191 conn-rate-limit : 0 , drop-count : 0 bandwidth-rate-limit : 0 , drop-count : 0 L4 policy stats: Total Req/Resp: 435 , Total Allowed: 421 Total Dropped : 14 , Total Logged : 0 switch/Admin# ! !--- For more granularity, specify the specific inspection !--- (HTTP) policy using the detail command: switch/Admin# show service-policy L4-http-inspect-policy detail Policy-map : L4-http-inspect-policy Status : ACTIVE Description: ----------------------------------------- Context Global Policy: service-policy: L4-http-inspect-policy class: L4-http-class inspect http: L7 inspect policy : vulnerable-activeX-http-policy Url Logging: DISABLED curr conns : 0 , hit count : 0 dropped conns : 0 client pkt count : 0 , client byte count: 0 server pkt count : 0 , server byte count: 0 conn-rate-limit : 0 , drop-count : 0 bandwidth-rate-limit : 0 , drop-count : 0 L4 policy stats: Total Req/Resp: 435 , Total Allowed: 421 Total Dropped : 14 , Total Logged : 0 L7 Inspect policy : vulnerable-activeX-http-policy class/match : vulnerable-activeX-http-class Inspect action : reset Total Inspected : 435 , Total Matched: 14 Total Dropped OnError: 0 ! !--- System log (Syslog) messages can also be used to verify the ActiveX !--- control is matched and discarded. Syslog message 415007 is !--- generated when the message body matches the regular !--- expression that has been configured. ! switch/Admin# show logging | include 415007
Oct 1 2009 15:26:43: %ACE-5-415007: HTTP - matched vulnerable-
activeX-http-class in policy-map vulnerable-activeX-http-
policy, Body matched - Dropping connection from
192.168.240.97/6618 to 192.168.60.65/80 Connection 343
Oct 1 2009 15:30:33: %ACE-5-415007: HTTP - matched vulnerable-
activeX-http-class in policy-map vulnerable-activeX-http-
policy, Body matched - Dropping connection from
192.168.240.97/6618 to 192.168.60.65/8080 Connection 401
For further information regarding the system log message 415007, refer to the log message in the Cisco ACE 4700 Series Appliance System Message Guide documentation.
The ability to understand protocols is essential to properly detecting and preventing attacks. As applications have increased their reliance on protocols and technological concepts and tools such as ActiveX, it is imperative that administrators and engineers understand the numerous aspects and implications of ActiveX controls, as well as the technology, including the configuration solutions that are required to prevent such attacks.
The ability to leverage the network as an integral mitigation solution is no longer a possibility, but is rather a necessity. Cisco products, such as the Cisco ACE Application Control Engine Module , offer a powerful feature set that fills this void, increases data security, and filters attacks and miscreant behaviors before they impact network resources.
Andrae Middleton (amiddlet@cisco.com)
Security Intelligence Engineer
Andrae Middleton is a member of the Security Intelligence Operations organization at Cisco. Additional content produced by Security Intelligence Engineering is located in the Cisco Security Intelligence Operations portal.
Microsoft OLE/COM Object Viewer
https://docs.microsoft.com/en-us/windows/win32/com/ole-com-object-viewer
Microsoft RegMon
http://technet.microsoft.com/en-us/sysinternals/bb896652.aspx
Sysinternals
https://docs.microsoft.com/en-us/sysinternals/
Shareware
http://www.freedownloadscenter.com/Utilities/System_Analysis_Utilities/Active_Registry_Monitor.html
TCPView
http://technet.microsoft.com/en-us/sysinternals/bb897437.aspx
Microsoft Windows Debugging Tools
https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/getting-started-with-windows-debugging
Fuzzing
http://www.fuzzing.org/
http://pages.cs.wisc.edu/~bart/fuzz/
http://www.owasp.org/index.php/Fuzzing
http://peachfuzzer.com/
http://code.google.com/p/sulley/
Security Tradeoffs: Java vs. ActiveX
http://www.cs.princeton.edu/sip/java-vs-activex.html
Microsoft Announces ActiveX Technologies
https://news.microsoft.com/1996/03/12/microsoft-announces-activex-technologies/
This document is part of the Cisco Security portal. Cisco provides the official information contained on the Cisco Security portal in English only.
This document is provided on an “as is” basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information in the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document without notice at any time.