ActiveX Vulnerability Impact
DHTML Editing
Microsoft DDS Library Shape Control
JView Profiler
ADODB . Stream
Shell Application
Shell . Explorer
HTML Help
ActiveX Attacks
Attack requirement : ActiveX or browser extension has a high privilege . ActiveX is vulnerable or built as malicious component with attack purpose . Attack process victim access a site with vulnerable or malicious Activex or install a vulnerable or malicious browser extension . Victim accept to run Activex or browser extension . The component is available to provide a back door or to send information to attacker .
ActiveX Vulnerability Impact
DHTML Editing
Microsoft DDS Library Shape Control
JView Profiler
ADODB . Stream
Shell Application
Shell . Explorer
HTML Help
LoadURL method can violate same origin policy
Heap memory corruption
Heap memory corruption
None — used to write data after exploiting LMZ
Use CLSID to disguise malicious file being loaded
Rich folder view drag-n-drop timing attack
Stack-based buffer overflow from overlong “ Contents file ” field in . hhp file
Read and write data
Arbitrary code execution as caller
Arbitrary code execution as caller
Files with arbitrary content placed in known locations
Files with arbitrary content placed in known locations
Files with arbitrary content placed in known locations
Arbitrary code execution as caller
WebBrowser |
Potentially all exploits that affect IE |
Arbitrary code execution as caller |
|
Old : LMZ access |
|
2017-05-10 |
New : none , used to read /
XMLHTTP download files from / to LMZ
Web Application Security Fast Guide ( book slides )
|
Read / write arbitrary content from / to known locations
By Dr . Sami Khiami
Slide 10
|