A Flash Developer Resource Site

Results 1 to 2 of 2

Thread: Dangerous Flash and activex Cobmination!!?

  1. #1
    Junior Member
    Join Date
    Jun 2001
    I know what I am about to relate to you is sort of moot; but here goes:

    I have created an ActiveX control that allows a Flash .swf movie
    embedded in a web page, to do anything from a web page or outlook express
    stationary that can be done from a users local PC keyboard.

    It is sort of moot; because in order for the ActiveX control to work
    the page visitor has to lower there security to low; and accept the ActiveX
    control (because I don't have an Authenticode to sign it with there security
    must be set to low the first time the control is accepted and installed, if
    however I could afford to purchase an Authenticode signature from Microsoft
    it would run at any security setting just like *can you say comet
    cursor?*)the point is moot about the embedded flash .swf movie; because if
    they accept an unsafe ActiveX control the control itself, can do practically
    anything from a web page that can be done from the local keyboard without
    resorting to using flash .swf.

    However the point is using this ActiveX control after it is installed
    when and if the page visitor returns what the page does via the .swf flash
    movie and ActiveX combination can be changed without having to rewrite or
    install a new ActiveX control, all that is required to change what the page
    does , is to change the flash .swf movie and not changing the control or
    what it does.

    To be more specific. The ActiveX control allows the passing of FS
    commands from the flash .swf movie embedded in a web page through the
    ActiveX control to the windows command interpreter . In other words, If
    the flash movie sends the FS command of "Shell" with the argument of
    "C:\windows\command.com /K ECHO Y|format a:" the page visitors computer will
    format the a:\ drive, WITHOUT asking the web surfer if it is ok to do so, or
    if the flash movie sends the FS command of "Shell" with the argument of
    "C:\windows\system\msconfig.exe" the page visitors computer would start and
    run msconfig.exe without first asking "do you wish to run this program from
    it's present location or save it to disk"

    The part of this system that could be dangerous is that once someone
    has allowed the ActiveX to be installed and lulled into thinking it is
    harmless by the flash movie just showing a cartoon,game or greeting card, on
    subsequent visits without the page having to install a new control or look
    any different, the same web page could do anything malicious it wanted to.
    Also after the control is allowed the first time by lowering the security to
    low (any type of social engineering like saying the flash .swf and ActiveX
    control are required for the page menu to operate) on a later visit to the
    same page the default security setting that Internet explorer uses of
    medium will allow the control to function as described. It will still pop
    up and state "This page provides potentially unsafe information to an
    ActiveX control Your current security settings prohibit running controls in
    this manner. As a result, this page may not display correctly" it then only
    has the ok button and after you click the ok, the page goes ahead and runs
    as described

    Using this combination ActiveX and embedded .swf flash movie as
    stationary in Outlook Express could be quite deadly to a computer system.
    Especially if they have been to a web page and had the ActiveX control
    installed via the web page; because then it would be able to run from
    stationary without having OE say there security settings prevent proper
    viewing of the email. The email could also employ some cleverly worded text
    that says something along the lines about the email not being able to
    display correctly at there current security settings and that they would
    have to lower it in order to receive there free prize or that the menu
    system would not work at there current security settings, well you probably
    get the general idea. This would only be required from within email if the
    ActiveX control had not be previously installed from a web page or some
    other means (I am currently working on a way to install the ActiveX control
    using one of George geruniski type of exploit like the .chm and help file
    temp file hole and a few original ideas of my own)

    I have a harmless POC (Proof of Concept) up on line at,
    http://www.zoomnet.net/~quick/1dino.html which you have to enter the page
    the first time with your security set to low and accept the instillation of
    the ActiveX control (if you don't lower your security and install the
    ActiveX control the page says "The menu system on this web page is in Flash
    Format If you wish to view this page you must accept the ActiveX control" a
    bit of Social Engineering). If you do allow and install the ActiveX it then
    shows a small embedded flash .swf movie and 3 red buttons. Clicking on the
    top left hand red button under the words "Click Me" will run the Microsoft
    Windows98 configuration utility "msconfig.exe" the page assumes a default
    install of windows and expects to find msconfig.exe at
    C:\windows\system\msconfig.exe if it is not a default install or if the file
    is not in the location it expects to find it at it will give a "file not
    found". Of course the problems of files not being in the locations that are
    expected can easily be over come with a few well known programming

    Like I said in the beginning it is sort of moot; because the ActiveX
    control could do anything it wanted without the subterfuge of a flash .swf
    movie (here is the url to a POC of an ActiveX that formats the a:\ drive
    when the ActiveX control is accepted without using flash
    http://www.zoomnet.net/~quick/activex/formata/; but using this combination
    tenique I believe it could be quite deadly for not only the novice but the
    seasoned web surfer alike.

    here is the url to my latest test of it which allows me to change the name
    of the .swf sort of on the fly and that way I can use several different
    named .swf without having to rewrite the control to put in the name of the
    http://home.adelphia.net/~dinosoft/activex/anyswf.html it is harmless but
    like the above you must have security set to low the first time through and
    allow the ActiveX after that you can come back with default and even say no
    and it will still run. This opens up the possibility of a flash greeting
    card or joke that can do literally anything from the webpage that can be
    done from the keyboard

    For educational reasons only <vbg>

    I do NOT lurk here and if you wish to reply you will have to do so via
    email. I know a lot of people will think this rude to not come back to read
    replies; but I just wished to make the flash community aware of what I had
    created; because I am sure there are others out there that can and most
    probably will create something just like it or similar and NOT tell anyone
    and then it will hit the flash community full force; especially if they have
    an Authenticode and or create one that will run at any security setting.

    @###{ ]:::::ino-Soft Software::::::>

  2. #2
    War is futile: just drink beer phooka's Avatar
    Join Date
    Aug 2000
    Freedom for Catalonia
    Welcome to FlashKit!

    This is a forum dedicated to discuss Design related issues. You will get much more feedback by posting in one of the help boards, like

    General Help
    Flash 5 General Help
    Flash 4 ActionScript
    Flash 5 ActionScript


Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts

Click Here to Expand Forum to Full Width

HTML5 Development Center