In a blog article from last year, I discussed the rise in popularity of exploits using ActiveX overwrite/delete vulnerabilities due to their ease of use. Since that time, we have seen over 100 such vulnerabilities.
Microsoft requires developers of ActiveX controls to mark their controls “not safe for scripting” if they can arbitrarily write or delete files. However, developers not realizing the security implications or the full capabilities of their ActiveX control often fail to do so, allowing unauthorized remote users to arbitrarily write files to disk. In some cases, the ActiveX control does not even need to be installed by the user—as was the case with the Access Snapshot Viewer ActiveX Vulnerability.
Recently we’ve seen a sharp rise in these types...
A new type of vulnerability isbecoming more popular these days. It is an arbitrary file overwrite/deletevulnerability that can be exploited by attackers to overwrite or deletearbitrary files on an affected computer. These vulnerabilities existparticularly because of a registered ActiveX control failing torestrict which domains may load the control for execution. An attackexploiting this vuln can lead to arbitrary code execution by a remoteattacker.
Successful exploitation of this vulnerability allows attackers tocreate, or append to, arbitrary files. An attacker can write to a startupfolder to execute arbitrary code during the next reboot or logonsession. A user will not be required to authorize the objectinstantiation since the object is within a signed ActiveX control. Atypical exploitation scenario would require an attacker to convince atargeted user to visit a malicious website.
In our previous analysiswe discussed ‘What is Mpack and how it works’. We had reviewed MPackversion 0.84 in our previous blog. This time we will compare it with anupdated version, MPack v 0.91.
1. The exploits include the existing ones present in v0.84. The list of exploits is present at the end of this blog.
2. There have been some changes to the management and reportinginterface. A new file admin.php is introduced and stats.php has beenremoved.
The developers of the tool kit have provided admin.php for securecontrol and configuration of the Mpack installation. The Mpack ownercan set username and password protection through settings.php.
There have been changes in the user interface, cosmetic changes likebetter styles used to view, and copyrighted logo: (c) 2007 DreamCoders– Logo.
