Computer Security and Penetration Testing: Programming Exploits

This document discusses programming exploits and vulnerabilities in various languages and technologies. It describes vulnerabilities in ActiveX controls, VBScript, HTML, and Java/JavaScript. It recognizes that defects in programming languages can be exploited. It provides steps to counter vulnerabilities, including keeping software updated, using alternative browsers, and securing data transfer protocols. Developers are advised to write secure code and properly authenticate controls and tools.


Computer Security and Penetration Testing
Chapter 13
Programming Exploits
Objectives
• Describe the evolution of programming exploits
• Recognize vulnerabilities in ActiveX controls
• Identify steps to counter vulnerabilities in ActiveX controls
• Recognize vulnerabilities in VBScript
• Identify steps to counter vulnerabilities in VBScript
• Recognize vulnerabilities in HTML
• Identify steps to counter vulnerabilities in HTML
• Recognize vulnerabilities in Java and JavaScript
• Identify steps to counter vulnerabilities in Java and JavaScript

Computer Security and Penetration Testing 2


Programming Exploits

• Programming exploits
– Attacks that take advantage of defects in code written in various programming languages, and in the runtimes and libraries that execute that code
• Such code is used to develop both server-side and client-side applications
• Difference between a script and a compiled program
– A compiled program must be built for the environment (operating system and processor) in which it runs
– A script is not compiled ahead of time; an interpreter (for example the browser's script engine) reads and executes it at run time
– Both kinds can contain exploitable defects; with a script, the interpreter and its host application are as much a target as the script itself
• Java was favored for Web applications because Java bytecode is platform independent
– It runs wherever a Java Runtime Environment (JRE) is installed
• C++ applications are compiled to native code and must be built separately for each operating system
• Python, like JavaScript and VBScript, is interpreted; it needs a platform-specific interpreter rather than platform-specific compilation


ActiveX Controls

• ActiveX controls
– Component Object Model (COM) objects that can be embedded in a variety of applications, including Web pages displayed by Internet Explorer
– Compiled native code (typically an .ocx or .dll file) that is loaded into the hosting application's process, so it runs with that application's full privileges
– Designed to make it possible to link and allow interactions between separately developed applications
• Controls can be obtained on the Internet that perform almost any functionality
– This wide range of functionality, combined with full access to the machine, makes ActiveX controls interesting to attackers
• Developers must use only signed (Authenticode) controls from publishers they trust
• There are still many ways that a malicious or compromised ActiveX control can get onto a user's machine
• As a safety measure
– In 2006 Microsoft issued a patch so that Internet Explorer no longer activates embedded ActiveX controls automatically


Vulnerabilities in ActiveX Controls

• The design flaw in ActiveX is that a control can do anything the user running the browser can do
• ActiveX does not, by default, operate in a "sandbox" environment as Java applets do
– A control is native code running inside the browser process; no runtime enforces limits on what it may touch
• Security threats from ActiveX controls occur whenever a user visits a Web site that scripts an ActiveX control already registered on the user's computer
– Any page can instantiate an installed control that is marked "safe for scripting", so a defect in such a control is reachable from the Internet
• Prior to the patching of Internet Explorer
– ActiveX controls were downloaded and installed silently, or behind a prompt that users routinely accepted
• Attackers can use ActiveX to modify resources on an implementation of Windows in three ways
– Direct commands issued to a control that exposes them
– Indirect attacks, such as exploiting a defect in a legitimate control
– Deceiving the browser's security checks into indicating that a malicious ActiveX control is safe


Security Measures

• Many security methods are available
– To be effective, the methods must be embraced by both the developers and the end users of these technologies
• Developers must write tight, terse code so that the more obvious vulnerabilities (unchecked buffers, unvalidated parameters) are absent
• Developers must ensure that the tool lets the user's browser properly identify it as safe to download and use
– Developers need to sign the control with a code-signing certificate obtained from a certification authority
– A signature identifies the publisher and shows the control has not been altered since signing; it says nothing about whether the code is free of defects
• As an end user, you should assume that the developers have ignored all security standards
• Users must check that their Internet Explorer browser is the most recent and stable version
• People still using Windows 98 are encouraged to upgrade hardware and operating system as well
• If you are running Windows 2000
– Make sure you are running Internet Explorer 6.0 and have the newest security patches in place
– Set the Internet Options security setting to High
• If you are running Windows XP
– Make sure you are running IE6 or possibly IE7
– Set the Internet security level to at least Medium
• The quickest solution for end users is to use a different browser, such as Firefox or Opera, which does not host ActiveX controls at all
• These version recommendations date from the IE6/IE7 era; the underlying rule is to run a supported operating system and a browser that still receives security updates


VBScript

• VBScript
– Microsoft's answer to Netscape's JavaScript language
– Loosely based on the Visual Basic programming language, but much simpler
• Supported by Internet Explorer, and by Windows itself through the Windows Script Host (.vbs files); other browsers do not run it
– Enables Web authors to add interactive controls such as buttons and scrollbars to their Web pages


Vulnerabilities in VBScript

• VBScript is used for client-side scripting
– Code that runs on the user's machine can help attackers get unauthorized access to the target computer quickly and efficiently
• One of the most common exploits used on the Internet is a buffer overflow
– Defects in the script engine, or in the browser or mail client hosting it, can be triggered by crafted script or data and give the attacker code execution on the client
• VBScript can also be used directly to plant harmful code on the client
– Example: the Love Letter worm, a VBScript file sent as an e-mail attachment that ran when the recipient opened it and then mailed itself to everyone in the victim's address book
– Love Letter was not a buffer overflow; it relied on the user running the script and on Outlook being scriptable


Countering VBScript Vulnerabilities

• Use a browser in which VBScript does not run
– Turn off scripting in Internet Explorer and disable auto-run features in Outlook
• There is no way to check, before you open the page, that the VBScript it contains is safe
• Make sure Windows Explorer shows file extensions, so that a script disguised with a double extension (a ".txt.vbs" name displayed as ".txt") is recognisable as a script
• If you are administering a network:
– Do not allow users to use IE or Outlook
– Have standardized bookmark files of approved sites and an updated ACL of approved and unapproved domains on the gateway router
– Run a centrally administered antivirus application across all of the Windows machines in the network
– Run an intrusion-detection system that closes down the network access of any machine that starts mass-mailing anything
• If you are the administrator of a Web site:
– Run an antivirus application on your Web server to search for known bad ActiveX controls and scripts in the content you serve
• If you are a Web programmer:
– Test forms and other application code for possible buffer overflow vulnerabilities: reject or truncate input that exceeds the length the receiving code expects
– Make sure pages have not been hacked and modified, for example by comparing served pages against known-good checksums
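The double-extension trick the slide warns about, as an added example that is not code from the textbook: a small Node.js check that a mail gateway could run over attachment names before delivery. The extension lists, the gateway it would plug into and the sample names are this example's own assumptions; the first sample name is the one the Love Letter worm used.

```javascript
// Added example (not from the textbook): flag attachments that Windows will
// hand to a script host or execute, including the double-extension trick
// (a .vbs file named to look like a .txt). Node.js, no dependencies.

// Extensions Windows treats as scripts or executables (assumed list).
const SCRIPT_EXTENSIONS = new Set([
  'vbs', 'vbe', 'js', 'jse', 'wsf', 'wsh', 'hta', 'scr', 'pif', 'bat', 'cmd', 'exe', 'com',
]);

// Extensions users read as "harmless" and that are therefore used as decoys.
const DECOY_EXTENSIONS = new Set(['txt', 'doc', 'jpg', 'gif', 'pdf', 'htm', 'html']);

/**
 * Inspect one attachment filename. Returns null when it looks safe, otherwise
 * an object saying why it was flagged.
 */
function inspectAttachmentName(filename) {
  // Drop any path component (either separator style).
  const base = filename.split(/[\\/]/).pop();
  // A trailing space or dot is a classic way to hide the real extension.
  if (/[ .]$/.test(base)) {
    return { filename, reason: 'trailing whitespace or dot hides the real extension' };
  }
  const parts = base.toLowerCase().split('.');
  if (parts.length < 2) return null;               // no extension at all
  const ext = parts[parts.length - 1];
  if (!SCRIPT_EXTENSIONS.has(ext)) return null;
  const decoy = parts.length >= 3 ? parts[parts.length - 2] : null;
  if (decoy && DECOY_EXTENSIONS.has(decoy)) {
    return { filename, reason: `double extension: looks like .${decoy} but runs as .${ext}` };
  }
  return { filename, reason: `executable extension .${ext}` };
}

/** Run the check over a list of names; returns only the flagged ones. */
function flagAttachments(filenames) {
  return filenames.map(inspectAttachmentName).filter(Boolean);
}

// Constructed sample: the first entry is the Love Letter attachment name.
const SAMPLE = [
  'LOVE-LETTER-FOR-YOU.TXT.vbs',
  'invoice.pdf',
  'report.doc.js',
  'setup.exe',
  'notes.txt',
];

console.log(flagAttachments(SAMPLE));
```

The check runs on the name only, so it complements rather than replaces antivirus scanning of the content; a gateway would normally quarantine flagged items and notify the recipient.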


HTML
• Hypertext Markup Language (HTML)
– The basic markup language used to develop Web pages; it is not a scripting language
– Uses a set of markup tags to define the structure of Web pages
• Browsers render pages by interpreting these tags
• HTML is not a dynamic language
– It is not executed; it is parsed and displayed by a Web browser, or by any other program that embeds a browser engine, such as an e-mail client
• HTML is essentially bulletproof and benign as long as it is used to display static text
• Demands for more finished and sophisticated pages
– Have required the development of many more tags and formatting conventions, and of tags that embed script, objects and frames
• With increased complexity came increased opportunities for attackers to discover vulnerabilities, both in the parser that handles the tags and in the content those tags pull in


Vulnerabilities in HTML

• Buffer overflow
– Exploits an unchecked buffer in Internet Explorer's processing of HTML elements
• Such as FRAME and IFRAME elements, when an attribute value is far longer than the parser expects
– The same rendering engine is used by Internet Explorer, Outlook Express and Windows Explorer, so a malicious page, e-mail or folder view can all reach the flaw
– Performed using the res:// local resource protocol
– Allows the attacker to run arbitrary code at the level of privilege enjoyed by the user on the victim machine
• HTML e-mail
– In 2001 scripts within the pretty HTML e-mails were run silently and automatically when the message was opened or shown in the preview pane
– Attackers can craft HTML e-mails to take advantage of this, with no attachment for the user to open
• Remote access
– In 2005, a vulnerability was found within Microsoft's HTML Help system
– The window.showHelp() function in Internet Explorer 5.x does not restrict HTML Help files (.chm)
• From being executed from the local host, and a .chm file can carry executable content


Countering HTML Vulnerabilities
• Make sure patches are up to date
– Pay attention when new exploits are reported
• Activate automated patch management software
• Turn off services and features that you
– Know to be vulnerable to attack
– Do not understand
– Do not use
• Avoid known dangerous sites by installing and updating security software
• Render untrusted HTML, e-mail in particular, with scripting, ActiveX and frames disabled, or strip those elements before display
• Secure transfer of data has been made available by protocols such as Secure Sockets Layer (SSL)
– The way Internet Explorer handled SSL was discovered to be susceptible to a man-in-the-middle exploit
– What defeats a man-in-the-middle attack is correct validation of the server's certificate chain by the browser; key length plays no part in it
– Key length (40-bit export-grade versus 128-bit) governs only resistance to brute force; 40-bit keys are far too short and should never be accepted
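One way to carry out the "strip those elements before display" step for HTML e-mail, as an added example that is not code from the textbook: an allowlist sanitizer in Node.js that removes script, object and frame elements, inline event-handler attributes and script-scheme URLs, and drops oversized attribute values of the kind that triggered the FRAME/IFRAME overflow. The tag and attribute allowlists, the length cap and the sample message are this example's own choices; production code should use a maintained library such as DOMPurify rather than hand-written regular expressions.

```javascript
// Added example (not from the textbook): allowlist sanitizer for untrusted
// HTML such as e-mail bodies. Everything not explicitly allowed is removed.
// Node.js, no dependencies. Allowlists and the length cap are assumptions.

const ALLOWED_TAGS = new Set(['p', 'br', 'b', 'i', 'u', 'em', 'strong', 'ul', 'ol', 'li', 'a', 'blockquote']);
const ALLOWED_ATTRS = new Set(['href', 'title']);
const MAX_ATTR_LEN = 512;   // oversized attribute values were the IFRAME overflow trigger

/** True for http(s) and relative URLs; rejects javascript:, vbscript:, data:, file:, res:. */
function safeUrl(value) {
  // Remove control characters and whitespace first ("java\tscript:" tricks).
  const v = value.trim().replace(/[\u0000-\u001f\s]/g, '').toLowerCase();
  if (/^(javascript|vbscript|data|file|res):/.test(v)) return false;
  return /^(https?:|\/|#|[^:]*$)/.test(v);
}

/** Parse the attribute part of a start tag into [name, value] pairs. */
function parseAttrs(src) {
  const out = [];
  const re = /([a-zA-Z_:][-a-zA-Z0-9_:.]*)\s*(?:=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = re.exec(src)) !== null) {
    out.push([m[1].toLowerCase(), m[2] ?? m[3] ?? m[4] ?? '']);
  }
  return out;
}

/** Escape text so it cannot be re-read as markup; existing entities are kept. */
function escapeText(s) {
  return s
    .replace(/&(?![a-zA-Z][a-zA-Z0-9]*;|#\d+;|#x[0-9a-fA-F]+;)/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

/**
 * Sanitize untrusted HTML. script/style/object/applet blocks are removed with
 * their contents; other disallowed tags are removed but their text survives.
 */
function sanitizeHtml(html) {
  let work = html.replace(/<(script|style|object|applet)\b[\s\S]*?<\/\1\s*>/gi, '');
  work = work.replace(/<!--[\s\S]*?-->/g, '');   // comments (IE conditional comments)
  const tagRe = /<\s*(\/?)\s*([a-zA-Z][a-zA-Z0-9]*)([^>]*)>/g;
  let out = '';
  let i = 0;
  let m;
  while ((m = tagRe.exec(work)) !== null) {
    out += escapeText(work.slice(i, m.index));
    i = tagRe.lastIndex;
    const [, closing, rawName, rawAttrs] = m;
    const name = rawName.toLowerCase();
    if (!ALLOWED_TAGS.has(name)) continue;       // iframe, img, form, ... are dropped
    if (closing) { out += `</${name}>`; continue; }
    let attrs = '';
    for (const [attr, value] of parseAttrs(rawAttrs)) {
      if (!ALLOWED_ATTRS.has(attr)) continue;     // drops onclick, onload, style, ...
      if (value.length > MAX_ATTR_LEN) continue;
      if (attr === 'href' && !safeUrl(value)) continue;
      attrs += ` ${attr}="${value.replace(/"/g, '&quot;')}"`;
    }
    out += `<${name}${attrs}>`;
  }
  out += escapeText(work.slice(i));
  return out;
}

// Constructed sample resembling a malicious HTML e-mail.
const SAMPLE_MAIL = [
  '<p onload="evil()">Hi <b>there</b></p>',
  '<script>new ActiveXObject("WScript.Shell").Run("calc")</script>',
  '<iframe src="http://attacker.invalid/x" name="' + 'A'.repeat(4000) + '"></iframe>',
  '<a href="javascript:evil()">click</a>',
  '<a href="https://example.com/">ok</a>',
].join('');

console.log(sanitizeHtml(SAMPLE_MAIL));
```

The design choice that matters is the direction of the lists: anything not on the allowlist is removed, so a tag or attribute the author never thought about (a new event handler, an unfamiliar embedding element) is dropped by default rather than let through.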


Java and JavaScript

• Java is a programming language that is compiled into bytecode and packaged as applications or applets
• Java applications are stand-alone applications
– Run on the server, or are downloaded to the client and run with the full privileges of the user
• JavaScript is a scripting language that runs between <script> tags in a Web page
• A JavaScript program cannot operate on its own and is not compiled into a stand-alone binary; the browser's script engine interprets it
• Apart from the name, the two languages are unrelated; confusing them leads to wrong assumptions about what each can touch on the client


Java

• Object-oriented programming language (OOP) developed by Sun Microsystems
• Designed to run in a platform-independent manner using the Java Runtime Environment (JRE)
– The JRE installed on the client computer provides the sandbox in which applets run
• In Java, each function is modularized
• With this low-level modularization
– There is less of a chance that updating one piece of the application will break other parts
• Java was intended to let software be developed quickly from pretested parts
• Java applets provide functionality on the Internet
– Require Java-enabled browsers
• Unsigned applets are machine-safe
– The sandbox (the JRE's security manager) confines them to the JRE; they cannot write, modify or delete files on the hard drive or modify the operating system
• This does not apply to Java applications, or to signed applets the user has granted permission to, which run with the user's full privileges; nor does it hold when a JRE defect lets an applet escape the sandbox


JavaScript

• Scripting language developed by Netscape Communications Corporation
• Similar to VBScript in terms of implementation: embedded in the page and interpreted by the browser
• Almost every browser on almost every platform is JavaScript-enabled
• Like Java, requires a runtime environment, in this case the script engine built into the browser
• As a script, the network bandwidth and client-side memory used are less than those required for the larger and more robust Java


Security Vulnerabilities in Java

• Vulnerabilities of Java:
– Client-side malevolent applets
– Server-side cross-site scripting in Java Web applications
– Server-side address spoofing
• A substantial percentage of vulnerabilities are related to vulnerabilities in the JRE itself
– Which can result in applets arbitrarily giving themselves elevated privileges, that is, escaping the sandbox
• Because Java is a platform-independent technology
– Issues such as malevolent applets can be used against any platform that has the JRE installed; one exploit covers Windows, Mac and Linux clients
• Client-side attacks include:
– Attacks on file integrity
– Buffer overflow (in the native code of the JRE, not in Java code, which is bounds-checked)
– Storm attacks
– Denial-of-service attacks
– Disclosure attacks
– Annoyance attacks
Vulnerabilities in JavaScript

• Vulnerabilities are similar to those in VBScript
• JavaScript runs inside the browser's sandbox; the effects below come from defects in the browser, or from settings that let script reach outside it, not from the language itself. Historically such defects allowed:
– Sending e-mail messages with information about the target computer to the attacker
– Opening and closing applications on the target computer
– Modifying files on the victim's computer
• Main threat posed by JavaScript
– May be used to download components onto a user's computer without his or her knowledge (a drive-by download), typically by loading the exploit content silently in a hidden frame or object
Countering Java and JavaScript Vulnerabilities
• Best preventive measures for an end user
– Perform all updates as soon as they are available, including updates to the JRE, which is patched separately from the browser
– Keep virus definitions in their antivirus or security program updated
• Set the Internet Options Control Panel
– To ask for permission before running JavaScript or downloading Java applets
• Check the authenticity of the validation signatures attached to applets and scripts
– Check the security of links available in signed scripts; a valid signature proves who published the code, not that the code is safe
• Programmers should develop and adhere to secure programming guidelines
– And sign their scripts


Summary
• Programming exploits take advantage of defects in code written in various programming languages, and in the runtimes that execute it, in server-side and client-side applications
• ActiveX controls are compiled native components that make it possible to link and allow interactions between various applications
• The design flaw in ActiveX is that a control can do anything the user can do
• Attackers can use ActiveX to modify resources on an implementation of Windows
• To safeguard against attacks, end users should install the most recent and stable version of Internet Explorer available, or use a browser that does not host ActiveX controls
• VBScript can be used within HTML tags to produce a dynamic HTML page
• One of the most common exploits used on the Internet is a buffer overflow
• If you are administering a network, do not allow use of IE or Outlook
• If you are the administrator of a Web site, run an antivirus application on your Web server to search for known bad ActiveX controls
• Hypertext Markup Language (HTML) is the basic markup language used to develop Web pages
• The most effective way to counter HTML-related exploits is to keep up with the latest patches
• Java and JavaScript languages
• The best preventive measure for end users is to perform all updates as soon as they are available
