Informative Information for the Uninformed
In this section the previously provided information will be demonstrated with the help of a recent public ActiveX vulnerability and exploit. The vulnerable control is from a company called MW6 and comes with their "QRCode ActiveX" version 3.0. When I downloaded the software in January 2008, several months after the exploit was posted on Milw0rm in September, the vulnerable control was still part of the package.
The control itself has a CLSID of 3BB56637-651D-4D1D-AFA4-C0506F57EAF8. After the installation of the software, it can be found in the registry in:
The DLL that implements this control can be found on the hard drive in the file that is specified in the "InprocServer32" key. In this example it is:
A screenshot of what the entire registry entry for this control looks like:
There are two interesting things to note here. For one, the ProgID key has
a default value of MW6QRCode.QRCode.1. At the ProgID's corresponding location
in the registry, namely
<body>
  <object classid='clsid:3BB56637-651D-4D1D-AFA4-C0506F57EAF8' id='test'>
  </object>
</body>
The result of this snippet of code is the appearance of a little picture in IE. As this works just fine without Internet Explorer complaining about being unable to load the control, the next examination step is in order.
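To repeat the registry inspection described above on a host you administer, the following PowerShell is an added example and not part of the original article. It reads the InprocServer32 and ProgID values for the CLSID named in the text, and goes one step beyond the article by also reporting whether the DLL is on disk, its version and signature status, and whether Internet Explorer's kill bit (Compatibility Flags 0x400) is set for the control. The function names Get-RegValue and Get-ActiveXRegistration are hypothetical helpers defined here.

```powershell
# Added example (not from the original article): inspect one control's COM registration.
$Clsid = '{3BB56637-651D-4D1D-AFA4-C0506F57EAF8}'   # CLSID named in the text

function Get-RegValue {
    # Returns the named value of a key ('' = the key's default value), or $null if absent.
    param([string]$Path, [string]$Name = '')
    if (Test-Path -LiteralPath $Path) { (Get-Item -LiteralPath $Path).GetValue($Name) }
}

function Get-ActiveXRegistration {
    param([string]$Clsid)
    # 64-bit Windows keeps a separate view for 32-bit COM servers under Wow6432Node.
    $views = @(
        @{ Name = 'native'
           Classes = 'Registry::HKEY_CLASSES_ROOT\CLSID'
           Software = 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE' },
        @{ Name = 'wow64'
           Classes = 'Registry::HKEY_CLASSES_ROOT\Wow6432Node\CLSID'
           Software = 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node' }
    )
    foreach ($v in $views) {
        $key = "$($v.Classes)\$Clsid"
        if (-not (Test-Path -LiteralPath $key)) { continue }   # not registered in this view

        $dll    = Get-RegValue "$key\InprocServer32"
        $progId = Get-RegValue "$key\ProgID"
        # A ProgID key points back to its CLSID through its own CLSID subkey.
        $back   = if ($progId) { Get-RegValue "Registry::HKEY_CLASSES_ROOT\$progId\CLSID" }
        # IE refuses to instantiate a control whose Compatibility Flags include 0x400.
        $compat = "$($v.Software)\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
        $flags  = Get-RegValue $compat 'Compatibility Flags'
        $onDisk = [bool]($dll -and (Test-Path -LiteralPath $dll))

        [pscustomobject]@{
            View          = $v.Name
            InprocServer  = $dll
            DllOnDisk     = $onDisk
            FileVersion   = if ($onDisk) { (Get-Item -LiteralPath $dll).VersionInfo.FileVersion }
            Signature     = if ($onDisk) { (Get-AuthenticodeSignature -LiteralPath $dll).Status }
            ProgID        = $progId
            ProgIDMatches = ($back -eq $Clsid)
            KillBitSet    = [bool]($flags -band 0x400)
        }
    }
}

Get-ActiveXRegistration -Clsid $Clsid | Format-List
```

No output means the CLSID is not registered in either registry view; a row with KillBitSet False on a host that still has the DLL is the case worth following up.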