Control and functionality enumeration

Any given Windows installation is likely to have a significant number of registered COM objects. For the purpose of this paper, however, we are only interested in controls which may be instantiated from a website. Quite a number of the following details are taken out of the excellent The Art of Software Security Assessment[3], a book I strongly recommend to anyone interested in application security.

ActiveX controls are usually, but not always, instantiated by passing their CLSID to CoCreateInstance. The respective class identifier (CLSID) is used as a unique value which is associated with each control in order to distinguish it from its peers. A list of all the existing CLSIDs on a given Windows installation can be found in the registry in HKEY_CLASSES_ROOT\CLSID, which actually is nothing but an alias to HKEY_LOCAL_MACHINE\Software\Classes\CLSID.

Within the CLSID key there are thousands of different class identifiers, all of them specifying ActiveX controls. However, only a subset of those can be instantiated by a website. Controls marked as safe for scripting are granted this ability. To determine whether a certain control has this ability, it has to be part of the respective category. Specifically, the category can be found in the registry in the form: HKEY_CLASSES_ROOT\CLSID\. If a control is safe for scripting it may indicate this by having a subkey with the GUID 7DD95801-9882-11CF-9FA9-00AA006C42C4. Similarly, the 'safe for initialization' category is listed in the same location, but with a slightly different GUID. Its value is 7DD95802-9882-11CF-9FA9-00AA006C42C4.

In the end though, not being part of these categories doesn't necessarily mean that a control cannot be called from IE. The component may dynamically report itself as being safe for scripting when it is instantiated through IE. The only surefire way is to try and instantiate a control and see if it can be used. Axman[5] is an ActiveX fuzzer written by HD Moore which can automate this check for all of the different CLSIDs on a system. Another tool to enumerate the controls in question is iDefense's ComRaider[4], another ActiveX fuzzer, which has the ability to build a database of controls that IE should be able to instantiate.