I know what I am about to relate to you is sort of moot; but here goes:
I have created an ActiveX control that allows a Flash .swf movie
embedded in a web page to do anything from a web page or Outlook Express
stationery that can be done from a user's local PC keyboard.
It is sort of moot because, in order for the ActiveX control to work,
the page visitor has to lower their security to low and accept the ActiveX
control (because I don't have an Authenticode to sign it with, their security
must be set to low the first time the control is accepted and installed; if,
however, I could afford to purchase an Authenticode signature from Microsoft
it would run at any security setting just like *can you say comet
cursor?*). The point is moot about the embedded flash .swf movie because if
they accept an unsafe ActiveX control, the control itself can do practically
anything from a web page that can be done from the local keyboard without
resorting to using flash .swf.
However, the point is that, using this ActiveX control, after it is installed,
when and if the page visitor returns, what the page does via the .swf flash
movie and ActiveX combination can be changed without having to rewrite or
install a new ActiveX control; all that is required to change what the page
does is to change the flash .swf movie, without changing the control or
what it does.
To be more specific: the ActiveX control allows the passing of FS
commands from the flash .swf movie embedded in a web page through the
ActiveX control to the Windows command interpreter. In other words, if
the flash movie sends the FS command of "Shell" with the argument of
"C:\windows\command.com /K ECHO Y|format a:" the page visitor's computer will
format the a:\ drive, WITHOUT asking the web surfer if it is ok to do so, or
if the flash movie sends the FS command of "Shell" with the argument of
"C:\windows\system\msconfig.exe" the page visitor's computer would start and
run msconfig.exe without first asking "do you wish to run this program from
its present location or save it to disk".
The part of this system that could be dangerous is that once someone
has allowed the ActiveX to be installed and been lulled into thinking it is
harmless by the flash movie just showing a cartoon, game or greeting card, on
subsequent visits, without the page having to install a new control or look
any different, the same web page could do anything malicious it wanted to.
Also, after the control is allowed the first time by lowering the security to
low (any type of social engineering, like saying the flash .swf and ActiveX
control are required for the page menu to operate), on a later visit to the
same page the default security setting that Internet Explorer uses of
medium will allow the control to function as described. It will still pop
up and state "This page provides potentially unsafe information to an
ActiveX control. Your current security settings prohibit running controls in
this manner. As a result, this page may not display correctly"; it then only
has the ok button and after you click the ok, the page goes ahead and runs
as described.
Using this combination of ActiveX and embedded .swf flash movie as
stationery in Outlook Express could be quite deadly to a computer system,
especially if they have been to a web page and had the ActiveX control
installed via the web page, because then it would be able to run from
stationery without having OE say their security settings prevent proper
viewing of the email. The email could also employ some cleverly worded text
that says something along the lines about the email not being able to
display correctly at their current security settings and that they would
have to lower it in order to receive their free prize, or that the menu
system would not work at their current security settings; well, you probably
get the general idea. This would only be required from within email if the
ActiveX control had not been previously installed from a web page or some
other means (I am currently working on a way to install the ActiveX control
using one of the Georgi Guninski type of exploits like the .chm and help file
temp file hole and a few original ideas of my own).
I have a harmless POC (Proof of Concept) online at
http://www.zoomnet.net/~quick/1dino.html which you have to enter
the first time with your security set to low and accept the installation of
the ActiveX control (if you don't lower your security and install the
ActiveX control the page says "The menu system on this web page is in Flash
Format. If you wish to view this page you must accept the ActiveX control", a
bit of Social Engineering). If you do allow and install the ActiveX it then
shows a small embedded flash .swf movie and 3 red buttons. Clicking on the
top left hand red button under the words "Click Me" will run the Microsoft
Windows98 configuration utility "msconfig.exe"; the page assumes a default
install of Windows and expects to find msconfig.exe at
C:\windows\system\msconfig.exe. If it is not a default install or if the file
is not in the location it expects to find it at, it will give a "file not
found". Of course the problems of files not being in the locations that are
expected can easily be overcome with a few well known programming
techniques.
Like I said in the beginning, it is sort of moot, because the ActiveX
control could do anything it wanted without the subterfuge of a flash .swf
movie (here is the URL to a POC of an ActiveX that formats the a:\ drive
when the ActiveX control is accepted without using flash:
http://www.zoomnet.net/~quick/activex/formata/); but using this combination
technique I believe it could be quite deadly for not only the novice but the
seasoned web surfer alike.
p.s.
Here is the URL to my latest test of it, which allows me to change the name
of the .swf sort of on the fly, and that way I can use several differently
named .swf without having to rewrite the control to put in the name of the
.swf:
http://home.adelphia.net/~dinosoft/activex/anyswf.html It is harmless, but
like the above you must have security set to low the first time through and
allow the ActiveX; after that you can come back with default and even say no
and it will still run. This opens up the possibility of a flash greeting
card or joke that can do literally anything from the webpage that can be
done from the keyboard.
btw:
For educational reasons only <vbg>
P.S.
I do NOT lurk here and if you wish to reply you will have to do so via
email. I know a lot of people will think this rude to not come back to read
replies; but I just wished to make the flash community aware of what I had
created, because I am sure there are others out there that can and most
probably will create something just like it or similar and NOT tell anyone,
and then it will hit the flash community full force, especially if they have
an Authenticode and/or create one that will run at any security setting.
http://home.adelphia.net/~dinosoft
/}
@###{ ]:::::ino-Soft Software::::::>
\}
http://dinosoft.de.vu
-
War is futile: just drink beer
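Added example, not part of the original post and not the poster's control: a host-side FSCommand dispatcher that treats the movie as untrusted input and maps command names to fixed actions, instead of forwarding the argument string to a command interpreter as the control described above does. The handler names (`menu`, `volume`), the page table and the return shape are hypothetical.

```javascript
// Added example (hypothetical names throughout); not the poster's control.
// Constructed allowlist of pages the host is willing to navigate to.
const MENU_PAGES = new Map([["home", "/index.html"], ["games", "/games.html"]]);

// Each permitted FSCommand name maps to a validator for its argument.
// A handler returns a fixed action description or null; nothing reaches a shell.
const HANDLERS = {
  menu(arg) {
    const page = MENU_PAGES.get(arg);
    return page ? { ok: true, action: "navigate", target: page } : null;
  },
  // Volume must be an integer 0..100 with no extra characters.
  volume(arg) {
    return /^(100|[1-9]?\d)$/.test(arg)
      ? { ok: true, action: "setVolume", target: Number(arg) }
      : null;
  },
};

// Entry point the host would wire to the movie's FSCommand event.
function dispatchFSCommand(command, arg) {
  if (typeof command !== "string" || typeof arg !== "string") {
    return { ok: false, reason: "non-string input" };
  }
  // Own-property check so names like "constructor" never resolve to a handler.
  if (!Object.prototype.hasOwnProperty.call(HANDLERS, command)) {
    return { ok: false, reason: "command not allowlisted" };
  }
  const result = HANDLERS[command](arg);
  return result || { ok: false, reason: "argument rejected" };
}

// Constructed sample traffic: two expected calls, the two calls quoted in the
// post, and an allowlisted command carrying a path instead of a page name.
const SAMPLES = [
  ["menu", "games"],
  ["volume", "40"],
  ["Shell", "C:\\windows\\system\\msconfig.exe"],
  ["Shell", "C:\\windows\\command.com /K ECHO Y|format a:"],
  ["menu", "..\\..\\windows\\system\\msconfig.exe"],
];

function runSamples() {
  return SAMPLES.map(([command, arg]) => dispatchFSCommand(command, arg));
}

for (const r of runSamples()) console.log(JSON.stringify(r));
```

With this shape, swapping the .swf on a later visit changes only which allowlisted action is requested, not what the host is capable of doing.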
Welcome to FlashKit!
This is a forum dedicated to discussing Design related issues. You will get much more feedback by posting in one of the help boards, like
General Help
Flash 5 General Help
Flash 4 ActionScript
Flash 5 ActionScript
etc...
Regards,
david