Informative Information for the Uninformed
Control and functionality enumeration

Any given Windows installation is likely to have a significant number of registered COM objects. For the purpose of this paper, however, we are only interested in controls which may be instantiated from a website. Quite a number of the following details are taken from the excellent The Art of Software Security Assessment[3], a book I strongly recommend to anyone interested in application security.
ActiveX controls are usually, but not always, instantiated by passing their
CLSID to CoCreateInstance. The respective class identifier (CLSID) is used as
a unique value which is associated with each control in order to distinguish it
from its peers. A list of all the existing CLSIDs on a given Windows
installation can be found in the registry in
Within the CLSID key there are thousands of different class identifiers, all
of them specifying ActiveX controls. However, only a subset of those can be
instantiated by a website. Controls marked as safe for scripting
are granted this ability. To determine whether a certain control has this
ability, it has to be part of the respective category. Specifically, the
category can be found in the registry in the form:
In the end though, not being part of these categories doesn't necessarily mean
that a control cannot be called from IE. The component may dynamically report
itself as being safe for scripting when it is instantiated through IE. The
only surefire way is to try and instantiate a control and see if it can be
used. Axman[5] is an ActiveX fuzzer written by HD Moore which can
automate this check for all of the different CLSIDs on a system. Another
tool to enumerate the controls in question is iDefense's
ComRaider[4], another ActiveX fuzzer, which has the ability to
build a database of controls that IE should be able to instantiate.
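As an added example (not code from the paper or from either fuzzer), the static part of this check can be done offline against a `reg export HKCR\CLSID` dump: walk each CLSID's Implemented Categories subkey and flag the ones carrying the safe-for-scripting category. The registry text below is constructed, and the two category GUIDs are the well-known CATID_SafeForScripting and CATID_SafeForInitializing values, which the paper refers to but does not spell out.

```python
import re
from typing import Dict, List, Set

# Well-known component category GUIDs (CATID_SafeForScripting / CATID_SafeForInitializing).
CATID_SAFE_FOR_SCRIPTING = "{7DD95801-9882-11CF-9FA9-00AA006C42C4}"
CATID_SAFE_FOR_INIT = "{7DD95802-9882-11CF-9FA9-00AA006C42C4}"

# Constructed sample of a `reg export HKCR\CLSID` dump; the CLSIDs are made up.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{11111111-0000-0000-0000-000000000001}]
@="Example Scriptable Control"

[HKEY_CLASSES_ROOT\CLSID\{11111111-0000-0000-0000-000000000001}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}]

[HKEY_CLASSES_ROOT\CLSID\{11111111-0000-0000-0000-000000000001}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}]

[HKEY_CLASSES_ROOT\CLSID\{22222222-0000-0000-0000-000000000002}]
@="Example Non-Scriptable Component"

[HKEY_CLASSES_ROOT\CLSID\{22222222-0000-0000-0000-000000000002}\InprocServer32]
@="C:\\Windows\\System32\\example.dll"
"""

# Matches either a bare CLSID key or a CLSID\Implemented Categories\{CATID} key.
KEY_RE = re.compile(
    r"^\[HKEY_CLASSES_ROOT\\CLSID\\(\{[0-9A-Fa-f-]{36}\})"
    r"(?:\\Implemented Categories\\(\{[0-9A-Fa-f-]{36}\}))?\]$"
)

def parse_categories(reg_text: str) -> Dict[str, Set[str]]:
    """Map each CLSID in the export to the set of category GUIDs it implements."""
    categories: Dict[str, Set[str]] = {}
    for line in reg_text.splitlines():
        m = KEY_RE.match(line.strip())
        if not m:
            continue
        clsid, catid = m.group(1).upper(), m.group(2)
        categories.setdefault(clsid, set())
        if catid:
            categories[clsid].add(catid.upper())
    return categories

def scriptable_controls(reg_text: str) -> List[str]:
    """CLSIDs statically marked safe for scripting. Absence from this list is not
    proof a control is unreachable from IE: it may still report itself safe at
    runtime, which only an instantiation test (as with Axman) can reveal."""
    cats = parse_categories(reg_text)
    return sorted(c for c, s in cats.items() if CATID_SAFE_FOR_SCRIPTING in s)

if __name__ == "__main__":
    for clsid in scriptable_controls(SAMPLE_REG_EXPORT):
        print("safe-for-scripting:", clsid)
```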