Set KillBit on Arbitrary ActiveX Controls with GPO or an EMS

In a parallel universe, where our normal rules of logic do not apply, security is enhanced by publishing exploits for unpatched vulnerabilities. Straight from that universe, we received a gift from H.D. Moore today - a brand new MetaSploit toolkit for an unpatched vulnerability in an ActiveX control that ships with the Windows Shell. The control is called the WebViewFolderIcon and is among other things used for rendering the Web View in Windows Explorer. It can also be called from inside Internet Explorer, and can therefore be exploited if a user allows ActiveX controls to run from a hostile site. Sandi says IE 7 is also vulnerable.

While I have yet to hear of exploits in the wild, and the actual vulnerability has been public for a couple of months already, the presence of a toolkit lowers the bar for large-scale exploitation to next to nothing. Microsoft released an advisory today, and most of the other outlets have too. The advisory contains several work-arounds, the most easily implemented of which is the advice to set the kill bit on the control.

As with the other recent web-based security issues, setting the killbit on a large number of systems is not simple though. Microsoft does mention in the advisory that it can be done with Group Policy, but leaves it up to the community to determine how exactly to do that. After discussing the risk a bit with my good friend Alun, we decided it was time to do something.

To solve this problem more generically I went ahead and wrote a script that can be used either on the command line, as a startup script, or be called from an Enterprise Management System (EMS), such as Microsoft's Systems Management Server (SMS). The script takes three arguments:

SlayOCX.vbs -k|-r GUID [-l]
          where:
                  -k - Turn on the killbit of the control
                  -r - Turn off (revive) the killbit of the control
                  GUID - The GUID of the control, complete with the opening and closing {}
                  -l - Log the action to %systemdrive%\SlayOCX.log

The -l parameter is optional, the others are required. The reason the script requires the GUID is that it makes it more generic, allowing it to be applied to any ActiveX control you wish to killbit, or enable again. The script is attached to this post.

To set the kill bit on the first of the WebViewFolderIcon control, you would run the following command:

SlayOCX.vbs -k e5df9d10-3b52-11d1-83e8-00a0c90dc849 -l

To turn the control back on again, run this command:

SlayOCX.vbs -r e5df9d10-3b52-11d1-83e8-00a0c90dc849 -l

There are two controls that implement the vulnerable function. To kill/revive the second one, substitute 844F4806-E8A8-11d2-9652-00C04FC30871 for the GUID above and run the script again. You can only kill/revive one control each time the script executes.

You can configure this script to run as a logon script in Group Policy using the following steps, copied and pasted from the post about the DAXCTL and VML vulnerabilities:

  1. Copy the script above (everything between the begin and end tags) and paste it into a new text document. Save the document as "ProtectIE.cmd". Alternatively, just download and expand the SlayOCX_vx.zip file attached to this post.
  2. Copy the ProtectIE.cmd file to \\<your domain>\sysvol\<your domain>\scripts. where you replace "<your domain>" with the full DNS name of your domain.
  3. Open the GPMC (if you do not have the Group Policy Management Console, you need to get it. Strictly speaking you can manage GPOs without it, but you really don't want to)
  4. Right-click the domain or OU where you want to link the GPO - you may as well do it at the domain level - and select "Create and Link a GPO Here..." Name your new GPO "SlayOCX"
  5. Right-click the GPO ProtectIE and select "Edit..."
  6. Expand "Computer Configuration:Windows Settings" and click on "Scripts (Startup/Shutdown).
  7. Double-click "Startup" in the right-hand pane
  8. Click "Add..."
  9. Browse to \\<your domain>\sysvol\<your domain>\scripts and select "SlayOCX". Click "Open"
  10. In the "Script Parameters:" box type "-k e5df9d10-3b52-11d1-83e8-00a0c90dc849 -l" without the quotes. Click "OK."
  11. Repeat steps 8-10, but this time, type "-k 844F4806-E8A8-11d2-9652-00C04FC30871 -l" in the parameters box.
  12. Click "OK" again.
  13. Close the GPO editor and go back to the GPMC
  14. In the "Security Filtering" pane remove "Authenticated Users" and click Add...
  15. In the text box called "Enter the object name..." type "Domain Computers" or some other relevant group that you want to apply the policy to. Click OK.

The script should be run as a startup script, not as a logon script. Unregistering an ActiveX control is an administrative action, and as users should not be administrators, the script will not work properly as a logon script. Needless to say, this also means you have to restart the computer for the script to take effect if you run it from a GPO.

 If you also want to use this script to block the, still unpatched, DAXCTL vulnerability, repeat steps 8 through 10 above, but type the following parameters in step 10:

-k D7A7D7C3-D47F-11D0-89D3-00A0C90833E6 -l

 I should also mention that, while I am blissfully unaware of any adverse effects associated with killbitting this control at this time, that does not mean there are none.

 Update Sept. 29

  • There are two controls containing the WebViewFolderIcon issue. Added the GUID for the second one.
Attachment: SlayOCX_v1.zip
Published 29 September 2006 12:01 AM by jesper
Filed under:

Comments

# Andrew from Vancouver said on 29 September, 2006 12:21 PM
Jesper, your script requires the braces around the CLASSID, but your example doesn't use the braces! Checking for the presence of the braces would make sense, and the lack would be logged if the -l option was chosen. You might also point out that the logging option only works when the user who executes it is an administrator equivalent; if your script is called from the user's login script, they won't have the privilege write to the %systemdrive% location.
# Roger Heim said on 29 September, 2006 12:46 PM
Jesper, I was trying to create an ADM template for this control like Romeo did for the DAXCTL vuln. In one of my systems there is already an entry in ActiveX Compatiblity for this control with setting 0x00020000 (COMPAT_NEVERFOCUSSABLE). Your script handles this but an ADM template will nuke the NEVERFOCUSSABLE flag. Do you know what the ramifications are of losing this existing flag?
# jesper said on 29 September, 2006 12:47 PM

Actually, the script works either with or without the braces. At the beginning of the script it checks for them and removes them if they are there.

I did not think to point out that you have to be an admin to log the action since the whole script will fail if you are not an admin as you would not have the right to killbit any ActiveX controls in that case. In hindsight, I could have actually checked for that, but I did not think about it. Maybe in v.2...

# jesper said on 29 September, 2006 10:42 PM

Roger, I do not know what happens if you lose the COMPAT_NEVERFOCUSSABLE flag in this case. However, the fact that there may be other flags is one of the major reasons I decided to write the script the way I did.

I was actually struggling to find any documentation at all on what the Compatibility Flags were. Apparently you have found them, and now I did too:

http://windowssdk.msdn.microsoft.com/en-gb/library/ms688755.aspx. I understand that it means the control cannot receive focus, but what that means I do not get. It sounds like it simply puts up an Icon, and that might not need mouse focus I suppose.

# HiltonT said on 30 September, 2006 04:31 PM
Hi Jesper, This vulnerability seems to be actively exploited. I have some updated information in my blog: http://hiltont.blogspot.com/ I just wish the term "responsible disclosure" was a lot more widely used, accepted and practiced. I also wish Microsoft would release critical fixes when they are ready, not wait for the next Black Tuesday to meander around, ESPECIALLY for actively exploited vulnerabilities. We currently have to hound them to get critical issues addressed, and that is not a good thing.
# Yakov Shafranovich said on 01 October, 2006 08:53 AM
We deployed this script without any issues in our organization. However, we did modify it to log to the event log as opposed to the file using WshShell.LogEvent method. We even consider logging to a remote computer, but that probably would be a management nightmare. Thanks!
# John Smitg said on 02 October, 2006 02:51 AM
I get the following message: The specified ActiveX control: 844F4806-E8A8-11d2-9652-00C04FC30871 does not exist on this system For the other GUID it works ok. Is that normal or is there someting I have to worry about? It also doesnt work for the DACTL vulnerability.
# malynj said on 02 October, 2006 05:19 AM
This script is programmed to bail out if the registry key for the ActiveX doesn't exist. Shouldn't the script create the missing key and set the killbit? KB article 240797 indicates that typically the key will need to be created in order to kill an ActiveX control, seeming to indicate the key won't always exist. For my use I modified the script to create the key if missing, but I wanted to see if there were any specific reasons for not creating the key with the script, or if it was only the risk of not knowing enough for non-existent keys.
# jesper said on 02 October, 2006 11:35 AM

Malyn and John, I took a very conservative approach to the script in that if the registry key for the particular control does not exist under the Internet Explorer\ActiveX Compatibility key then do not make any changes. That was based on the assumption that if there is no key there, the control probably was not designed to be used in IE at all, and IE may have undefined behavior if I killbit a non-existent control. As it were, I have no idea if those assumptions are correct or not. I have been unable to find any documentation on the behavior of the flags or that key at all. If anyone feels like educating me, I would appreciate it.

# Magnus L&#246;&#246;f said on 03 October, 2006 01:51 AM
There are some discussions regarding the killbit and wether it will prevent an ActiveX control from installing, or just prevent it from running - http://tinyurl.com/zrcnv . It seems that the killbit is only effective *after* an ActiveX control is installed. It could be possible to set the killbit beforehand, but since the killbit does not prevent (it seems) the control from being installed, a smart (from the perspective of the malware author) ActiveX installer would reset the killbit to allow it to be run. And we know that most our users are "Curious Georges" that will happily "OK" an installation of an ActiveX control, if the content of the website is interesting enough. What I would like MS to do, is to create an Enterprise grade management facility (GPOs par example) for *whitelisting* what AX controls can be installed and used. Just my SEK 0.50
# dickcarl@dickcarlson.com said on 04 October, 2006 10:28 AM

It's really great (for those of us at the user level) to be able to follow along in these discussions and learn.  Thanks to Jesper and all of you for sharing.

Leave a Comment

(required) 
(required) 
(optional)
(required)