Lots of interesting things happen when you instantiate every COM object registered
on the system and call every method on each of the installed ActiveX controls. You??™ll
find crashes as we saw earlier, but sometimes by-design behavior is even more interesting
than a crash, as evidenced by the RunCmd() SupportSoft ActiveX control. If a ???safe???
ActiveX control were to write or read attacker-supplied stuff from a web page into the
registry or disk, that would be potentially interesting behavior. AxMan 1.0 has a feature
to help highlight cases of ActiveX controls doing this type of dangerous thing with
untrusted input from the Internet. AxMan will use the unique string ???AXM4N??™ as part of
property and method fuzzing. So if you run filemon and regmon filtering for ???AXM4N??™
and see that string appear in a registry key operation or file system lookup or write, take a
closer look at the by-design behavior of that ActiveX control to see what you can make it
do. In the AxMan README file, H.D. points out a couple of interesting cases that he has
found in his fuzzing.
AxMan is an interesting browser-based COM object fuzzer that has led to several
Microsoft security bulletins and more than a dozen Microsoft-issued COM object kill
bits.
Pages:
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691