Microsoft ATL/MFC ActiveX Security Bypass Vulnerability
1 Sep. 2009
Summary
Microsoft's Component Object Model (COM) was designed to allow interoperability between separately developed software components. Remote exploitation of a logic flaw vulnerability in Microsoft Corp.'s ATL/MFC ActiveX code, as included in various vendors' ActiveX controls, could allow attackers to bypass ActiveX security mechanisms.
Vulnerable Systems:
* Microsoft ATL
* Microsoft MFC
One aspect of COM is a process called initialization. This process allows a program to load and store a COM object within various containers, such as OLE compound storage files and raw streams.
Depending upon certain characteristics of an OLE component designed with the Microsoft ATL, it is possible to cause one component to initialize an arbitrary secondary component. Ordinarily this behavior would not be a cause for alarm; however, certain applications, Internet Explorer among them, employ various methods to verify that a control is Safe for Initialization before loading it.
Standard operating procedure is to have the loading application perform the various security checks. However, a control marked "Safe for Initialization" that contains this vulnerability will not perform the same checks. By loading a vulnerable ActiveX control and passing in specially crafted persistent storage data, an attacker can bypass all of the typical security checks and load any ActiveX control without a warning.
Exploitation of this vulnerability allows an attacker to bypass security checks (such as kill-bits in Internet Explorer). Successful exploitation would require the attacker to convince the victim to visit a specially crafted Web page leveraging the vulnerability. While there is no way to forcibly make a victim visit a website, exploitation may occur through normal Web browsing. This vulnerability greatly increases the attack surface accessible via Internet Explorer by decreasing the amount of user interaction necessary to reach other initialization vulnerabilities.
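The two mechanisms the advisory refers to, the "Safe for Initialization" category and the Internet Explorer kill bit, are both recorded in the registry, so an administrator can inventory which controls on a host IE is willing to initialize from persisted data and which of those lack a kill bit. The script below is an added example and is not part of the advisory or of Microsoft's code. It assumes a Windows host with read access to HKLM; the category GUIDs, the ActiveX Compatibility key and the 0x400 flag are documented Windows values, not values taken from the advisory.

```powershell
# Added example, not part of the advisory: list COM classes registered as
# "Safe for Initialization" and show whether IE's kill bit is set for each.
# Assumptions: Windows host, read access to HKLM (elevate if needed).
# The category GUIDs, registry paths and the 0x400 flag are documented
# Windows values; nothing here comes from the advisory itself.

$CATID_SafeForInitializing = '{7DD95802-9882-11CF-9FA9-00AA006C42C4}'
$CATID_SafeForScripting    = '{7DD95801-9882-11CF-9FA9-00AA006C42C4}'
$KillBitRoot  = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'
$KILLBIT_FLAG = 0x400   # bit IE tests in "Compatibility Flags" to refuse a CLSID

# True when the kill bit is set for the given CLSID (braces included).
function Test-KillBit {
    param([Parameter(Mandatory)][string]$Clsid)
    $key = Join-Path $KillBitRoot $Clsid
    if (-not (Test-Path -LiteralPath $key)) { return $false }
    $flags = (Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($null -eq $flags) { return $false }
    return (($flags -band $KILLBIT_FLAG) -ne 0)
}

# Walk HKCR\CLSID and keep classes whose Implemented Categories subkey
# advertises Safe for Initialization; record the server binary and kill bit.
function Get-SafeForInitControls {
    $clsidRoot = 'Registry::HKEY_CLASSES_ROOT\CLSID'
    Get-ChildItem -LiteralPath $clsidRoot -ErrorAction SilentlyContinue | ForEach-Object {
        $clsid   = $_.PSChildName
        $base    = "$clsidRoot\$clsid"
        $catInit = "$base\Implemented Categories\$CATID_SafeForInitializing"
        if (Test-Path -LiteralPath $catInit) {
            [pscustomobject]@{
                CLSID            = $clsid
                Name             = (Get-ItemProperty -LiteralPath $base -ErrorAction SilentlyContinue).'(default)'
                Server           = (Get-ItemProperty -LiteralPath "$base\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
                SafeForScripting = Test-Path -LiteralPath "$base\Implemented Categories\$CATID_SafeForScripting"
                KillBit          = Test-KillBit -Clsid $clsid
            }
        }
    }
}

# Controls without a kill bit are the ones whose server binary should be
# confirmed as rebuilt against the ATL fixed by MS09-037.
Get-SafeForInitControls | Where-Object { -not $_.KillBit } | Sort-Object Name | Format-Table -AutoSize
```

Two caveats when reading the output. A control can also declare itself safe at runtime through IObjectSafety rather than through the registry category, so a class missing from this list is not proof that IE treats it as unsafe. On 64-bit Windows the 32-bit IE process reads the Wow6432Node registry view, so run the inventory from both a 32-bit and a 64-bit PowerShell to cover both sets of registrations. The MS09-037 update replaces Microsoft's own ATL-based components; controls shipped by other vendors (the "various vendors' ActiveX controls" the summary mentions) only become safe once those vendors rebuild them with a corrected ATL, which is why the non-kill-bitted entries are the ones worth checking against vendor advisories.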
Disclosure Timeline:
12/05/2008 Initial Contact
01/05/2009 Microsoft requested PoC
07/29/2009 Material presented at BlackHat USA
08/11/2009 Microsoft publishes MS09-037