[TOOL] AxMan - Web-Based ActiveX Fuzzing Engine



The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com



AxMan - Web-Based ActiveX Fuzzing Engine
------------------------------------------------------------------------


SUMMARY

AxMan is a web-based ActiveX fuzzing engine from H D Moore for discovering
vulnerabilities in COM objects exposed through Internet Explorer 6. A
command-line enumerator dumps the typelib information of every registered
COM object to JavaScript files, and a browser-hosted page then drives each
object's properties and methods with fuzz values from inside the browser.

DETAILS

AxMan is a web-based ActiveX fuzzing engine. The goal of AxMan is to
discover vulnerabilities in COM objects exposed through Internet Explorer.
Since AxMan is web-based, any security changes in the browser will also
affect the results of the fuzzing process. This allows for a much more
realistic test than other COM-based assessment tools. AxMan is designed to
be used with Internet Explorer 6 only.

Demonstration:
An online demonstration is available at
<http://metasploit.com/users/hdm/tools/axman/demo/>. Running AxMan on a
local web server will be much faster. This demonstration uses typelib
info obtained from a Windows XP SP2 system with Office 2003 and Visual
Studio 2005 installed.

How to:
AxMan works by first enumerating all registered COM objects and their
associated typelib information, then using that information to test each
object's properties and methods. To enumerate the COM information, copy
bin\axman.exe to the target system, and execute it as an administrative
user:
C:\> axman.exe myoutput

The axman.exe executable will take anywhere from 10 minutes to 2 hours to
complete, depending on the number of COM objects registered on your
system. While it runs, a number of new processes will be spawned and
random popup windows will open as the registered objects are loaded. You
can safely close any popup windows as they open, or just wait for the
entire process to complete. Once axman.exe completes, the resulting
directory should contain one JavaScript source file for every registered
COM object.

At this point, you should reboot the system in order to kill the spawned
COM processes and free system resources.

The next step is to prepare a web server to host the AxMan user interface.
A web server running on the local system is the most efficient way to do
this, but you can use any server capable of serving plain HTML and
JavaScript files. Copy the HTML subdirectory of the AxMan archive to the
web root and then copy the output directory created by axman.exe to a
subdirectory named 'conf'. This should result in a directory structure
like the following:

/BASE/index.html
/BASE/conf/objects.js
/BASE/conf/{.....}.js

On the target system, open Internet Explorer and browse the index.html
page of the AxMan user interface. If everything has been installed
successfully, a status message will be shown indicating how many COM
object definitions were loaded.

Click the start button to begin the fuzzing process.

Debug:
AxMan will trigger hundreds of crashes on a typical system. Determining
what crashed, and during which test, is a challenge for a browser-based
fuzzing engine. My personal approach is to install WinDbg (available for
free from Microsoft, search for 'Debugging Tools for Windows') and attach
it to the iexplore.exe process before starting the fuzzing process. After
attaching the debugger, I hit F5 to let the process continue and switch
back to Internet Explorer. AxMan reports the current CLSID and the
property or method being tested in the status bar of the browser, and
this status bar is updated in real time during the testing process. I
combine this with a 'tail' on the log files of the hosting web server to
quickly identify which component crashed, and then add the property or
method to the blacklist. Keep in mind that the Internet Explorer UI will
not update while the method fuzzing stage runs, which means that
switching applications or doing basically anything else on the testing
system will prevent you from seeing which method triggered a specific
crash.

Blacklist:
The blacklist.js script contains a list of all objects, properties, and
methods to skip during the fuzzing process. This doubles as a list of
discovered bugs. As you find new vulnerabilities, update the blacklist to
exclude them in future runs. Please see the examples in blacklist.js for
more information.

In order to buy Microsoft some time, I have not included my AxMan
blacklist file with the current release. This blacklist took about 20
hours in total to create.

Tracer:
AxMan uses a unique string as part of both the property and method fuzzing
operations. This allows you to run tools like filemon and regmon to
determine what system-level operations happen when a specific property is
set or method is called: filter on the string, and any file or registry
access that carries it was triggered by the test in progress. The default
magic string is set to 'AXM4N', but this can be changed in axman.js. Some
sample findings include:

Setting the PrinterName property of 2337A8C-E11D-11D0-BE48-00C04FC30DF6
results in spoolsv.exe accessing the following registry key:
HKCU\Printers\Connections\[VALUE]

Calling the parseURL method of 079aa557-4a18-424a-8eee-e39f0a8d41b9
results in the entire system path being scanned for a file matching the
argument name.
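Example:
The following is an added illustration of the fuzzing loop the Debug,
Blacklist and Tracer sections describe; it is not AxMan's own code. The
layout of a loaded typelib record, the shape of the blacklist, the
placeholder CLSID and the instantiate/report hooks are assumptions made
for this example. It is written in ES3-style JavaScript so that the same
file could be loaded by IE 6, where `instantiate` would return an
<object classid="clsid:..."> element (or new ActiveXObject(progid)) and
`report` would assign to window.status; outside IE it runs against a mock
control.

```javascript
// Added example of an AxMan-style ActiveX fuzzing loop. Not AxMan's code:
// the typelib record layout, blacklist shape, placeholder CLSID and the
// instantiate/report hooks are assumptions made for this illustration.

// Tracer marker, matching AxMan's default magic string.
var MAGIC = "AXM4N";

// Assumed layout of one loaded typelib record (constructed sample; the
// CLSID is a placeholder, not a real control).
var SAMPLE_OBJECTS = [{
  clsid: "00000000-0000-0000-0000-000000000001",
  properties: ["PrinterName", "Caption"],
  methods: [{ name: "parseURL", args: 1 }, { name: "Open", args: 3 }]
}];

// Assumed blacklist shape: whole CLSIDs to skip, plus per-CLSID members
// that already crashed. It doubles as the list of discovered bugs.
var BLACKLIST = {
  objects: {},
  members: { "00000000-0000-0000-0000-000000000001": { Open: true } }
};

// Values tried for every property and every method argument. The marker
// lets filemon/regmon show where the input lands; the rest probe type and
// length handling in the control.
var FUZZ_VALUES = [
  MAGIC,
  new Array(1025).join("A") + MAGIC,   // 1024 'A' followed by the marker
  0, -1, 0x7fffffff, 0xffffffff,
  null, undefined, true
];

function isBlacklisted(clsid, member) {
  if (BLACKLIST.objects[clsid]) return true;
  var m = BLACKLIST.members[clsid];
  return !!(m && member && m[member]);
}

// All argument tuples for a method of the given arity, drawn from
// FUZZ_VALUES. The count is |FUZZ_VALUES|^arity, which is why methods
// with three arguments are slow; a non-zero `limit` caps the output.
function argTuples(arity, limit) {
  var n = FUZZ_VALUES.length, total = Math.pow(n, arity), out = [];
  if (limit && total > limit) total = limit;
  for (var i = 0; i < total; i++) {
    var tuple = [], idx = i;
    for (var p = 0; p < arity; p++) {
      tuple.push(FUZZ_VALUES[idx % n]);
      idx = Math.floor(idx / n);
    }
    out.push(tuple);
  }
  return out;
}

// One status line per test; written to window.status in IE, so the last
// line visible when the debugger breaks names the CLSID and member.
function statusLine(clsid, kind, member, value) {
  return clsid + " " + kind + " " + member + " = " + String(value);
}

// instantiate(clsid) returns the control; report(line) gets each status
// line. Returns counters for the run.
function fuzzObjects(objects, instantiate, report) {
  var stats = { properties: 0, calls: 0, skipped: 0, errors: 0 };
  for (var i = 0; i < objects.length; i++) {
    var o = objects[i];
    if (isBlacklisted(o.clsid)) { stats.skipped++; continue; }
    var obj = instantiate(o.clsid);
    if (!obj) { stats.errors++; continue; }
    for (var p = 0; p < o.properties.length; p++) {
      var prop = o.properties[p];
      if (isBlacklisted(o.clsid, prop)) { stats.skipped++; continue; }
      for (var v = 0; v < FUZZ_VALUES.length; v++) {
        report(statusLine(o.clsid, "prop", prop, FUZZ_VALUES[v]));
        // A script error here is normal; a process crash is the finding.
        try { obj[prop] = FUZZ_VALUES[v]; stats.properties++; }
        catch (e) { stats.errors++; }
      }
    }
    for (var m = 0; m < o.methods.length; m++) {
      var meth = o.methods[m];
      if (isBlacklisted(o.clsid, meth.name)) { stats.skipped++; continue; }
      var tuples = argTuples(meth.args, 500);
      for (var t = 0; t < tuples.length; t++) {
        report(statusLine(o.clsid, "call", meth.name, tuples[t].join(",")));
        try { obj[meth.name].apply(obj, tuples[t]); stats.calls++; }
        catch (e) { stats.errors++; }
      }
    }
  }
  return stats;
}

// Stand-alone run against a mock control so the loop works outside IE.
function mockInstantiate(clsid) {
  return { parseURL: function (u) { return String(u); }, Open: function () {} };
}
var lastStatus = "";
var RESULT = fuzzObjects(SAMPLE_OBJECTS, mockInstantiate,
                         function (s) { lastStatus = s; });
```

With the sample record, the run sets two properties nine times each,
calls parseURL nine times and skips the blacklisted Open method; the same
cap on argTuples is what keeps a three-argument method from consuming the
whole run, at the cost of not trying every combination.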

Future:
Server-side integration and asynchronous method testing are the two big
features that will be added to future versions. The current implementation
is very slow for methods with three arguments, because the number of
argument combinations to try grows multiplicatively with each additional
argument, and it may cause the "Do you want to stop this script?" prompt
to appear in certain cases. Progress reporting needs an overhaul, possibly
using XMLHTTP and some form of server-side integration.


ADDITIONAL INFORMATION

The information has been provided by H D Moore <mailto:hdm@xxxxxxxxxxxxxx>.
To keep updated with the tool visit the project's homepage at:
<http://metasploit.com/users/hdm/tools/axman/>




DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.