Look at the following HTML snippet and decide whether you think it would work when
hosted on evil.com, a malicious web page in the Internet zone:
WMIScriptUtils.WMIObjectBroker2 is a Safe-For-Scripting ActiveX control. It was
included with Visual Studio and was presumably needed for some task in the Visual
Studio environment. However, the WScript.Shell object, much like the ADODB.Stream
object discussed earlier, is not a safe object to be instantiated in an untrusted
environment. Attempts to instantiate WScript.Shell directly from the Internet zone
will fail, as it is only to be used in a trusted environment such as the Local Machine
zone. However, Russian hackers discovered that instantiating the safe-for-scripting
WMIScriptUtils.WMIObjectBroker2 ActiveX control, and then calling the method
CreateObject defined on the ActiveX control, allowed them to create any arbitrary
object, bypassing security checks! They promptly used this client-side vulnerability to
install malware by hosting the exploit code on hundreds of adult websites. At the time it
was being abused, no other IE zero-day vulnerability was widely known in the community,
so anybody who wanted to install malware was using this vulnerability.
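
A defender-side check for the pattern described above, as an added example that is not part of the original text: it flags page source that instantiates the broker control by ProgID and then calls CreateObject on it. The name `scan_page` and the sample pages are constructed for illustration, and the check assumes literal ProgID strings (obfuscated script is out of scope).

```python
import re

# ProgIDs named in the text: the safe-for-scripting broker, and the objects
# that must not be created from an untrusted zone.
BROKER_PROGID = "WMIScriptUtils.WMIObjectBroker2"
UNSAFE_PROGIDS = {"wscript.shell", "adodb.stream"}

# JScript:  var b = new ActiveXObject("ProgID")
# VBScript: Set b = CreateObject("ProgID")
_INSTANTIATE = re.compile(
    r"""(?:var\s+|set\s+)?(?P<var>[A-Za-z_$][\w$]*)\s*=\s*"""
    r"""(?:new\s+ActiveXObject|CreateObject)\s*\(\s*["'](?P<progid>[^"']+)["']""",
    re.I)
# b.CreateObject("ProgID"): object creation delegated to a variable
_BROKERED = re.compile(
    r"""(?P<var>[A-Za-z_$][\w$]*)\s*\.\s*CreateObject\s*\(\s*["'](?P<progid>[^"']+)["']""",
    re.I)

def scan_page(html):
    """Return one finding per object created through the broker control."""
    # Step 1: which variables hold an instance of the broker?
    brokers = {m["var"].lower() for m in _INSTANTIATE.finditer(html)
               if m["progid"].lower() == BROKER_PROGID.lower()}
    findings = []
    # Step 2: which ProgIDs are requested through those variables?
    for m in _BROKERED.finditer(html):
        if m["var"].lower() in brokers:
            findings.append({
                "broker_var": m["var"],
                "created": m["progid"],
                "unsafe": m["progid"].lower() in UNSAFE_PROGIDS,
                "line": html.count("\n", 0, m.start()) + 1,
            })
    return findings

# Constructed sample pages (not from the original text).
SUSPICIOUS = '''<html><script>
var broker = new ActiveXObject("WMIScriptUtils.WMIObjectBroker2");
var sh = broker.CreateObject("WScript.Shell");
</script></html>'''
BENIGN = '''<html><script>
var x = new ActiveXObject("Msxml2.XMLHTTP");
</script></html>'''

if __name__ == "__main__":
    for name, page in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(name, scan_page(page))
```

Any brokered creation is worth reviewing in proxy or crawler output; the `unsafe` flag only marks the two objects the text names.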