Sunday, November 09, 2008


As far as I can tell, it is impossible to determine whether an ActiveX object created by classid actually works without just calling specific methods of that control and catching any exceptions. It doesn't seem to matter whether it was created with an <object> tag, or through javascript's document.createElement("object") or document.write("<object...>"). Internet Explorer turns anything with an id attribute into a property of document, and yet if you have

<object id="foo" classid="clsid:BD96C556-65A3-11D0-983A-00C04FC29E36" /> advertises no property or method that is not available from an object with no classid.

For those of you playing at home, yes this classid is one of the vulnerable ActiveX controls used in the MDAC / ie_createobject exploits. If the object actually got instantiated correctly and we can talk to it, typeof( returns "unknown" rather than the "undefined" returned for properties that don't exist. So if we know a specific method that the ActiveX implements, we can check to make sure it worked using that. It is unfortunate, then, that there does not seem to be a standard method or property that all ActiveX objects must implement. Unless I'm missing something, because of the lack of a universal method or property, we cannot generically determine whether an ActiveX control created in this way was successfully instantiated. Thus, my "solution" for now is to save a method to test along with the classid. If this doesn't work, I just might give up on browser_autopwn's fingerprinting altogether and simply throw every single exploit at the client. And also maybe shoot myself. I really hate IE.

No comments: