Vulnerability Note VU#378604

WeOnlyDo! SFTP ActiveX control fails to properly restrict access to methods

Original Release date: 30 May 2006 | Last revised: 31 May 2006

Overview

The WeOnlyDo! SFTP ActiveX control is incorrectly marked safe for scripting. This may allow a remote unauthenticated attacker to upload arbitrary files from a vulnerable system to an SFTP server or download arbitrary files from an SFTP server to a vulnerable system.

Description

ActiveX

ActiveX is a technology that allows programmers to create reusable software components that can be incorporated into applications to extend their functionality. Internet Explorer is a common Windows application that makes use of ActiveX controls.

ActiveX safety determination

Internet Explorer determines if an ActiveX control is safe by querying the IObjectSafety interface of the object and by querying the Implemented Categories registry key for the control, as specified by Microsoft Knowledge Base Article 216434 and the MSDN ActiveX safety article.

ActiveX security options

Through either the IObjectSafety interface or the appropriate registry values, an ActiveX control can be marked as "safe for scripting" and/or "safe for initialization." According to the MSDN article Signing and Marking ActiveX Controls:

    If you mark your control as safe for initializing, you are asserting that no matter what values are used to initialize your control, it won't do anything that would damage a user's system or compromise the user's security.

    If you mark your control as safe for scripting, you are asserting that your control won't do anything to damage a user's system or compromise the user's security, regardless of how your control's methods and properties are manipulated by the Web page's script. In other words, it has to accept any method calls (with any parameters) and/or property manipulations in any order without doing anything bad.
The MSDN article Designing Secure ActiveX Controls states:
    Controls are marked as not safe for scripting or data initialization by default. Don't implement them unless the functionality of the control is hampered without them.
wodSFTP control

The WeOnlyDo! SFTP (wodSFTP) ActiveX control is an ActiveX component that provides Secure File Transfer Protocol (SFTP) functionality to the application that uses it.

The problem

The wodSFTP ActiveX control can download arbitrary files to the local file system, but it is marked as "safe for scripting" via the IObjectSafety interface. It can also upload arbitrary files from the local file system. These methods require no user interaction to complete.

Impact

By convincing a victim to view an HTML document (web page, HTML email, or email attachment), an attacker could download arbitrary files to a vulnerable system within the security context of the user running IE. These files could contain code that could be executed through other means. The user may click the file inadvertently, or the file may be placed in a sensitive location, such as the Windows Startup folder where it will automatically execute the next time the user logs onto the system. An attacker can also retrieve arbitrary files from a victim's computer.

Solution

We are currently unaware of a practical solution to this problem.


Disable the wodSFTP control

Disable the wodSFTP control by setting the kill bit as described in Microsoft Knowledge Base article 240797. The CLSID for the wodSFTP control is:

    {6795FA0F-35C3-4BEB-B3AA-F19DB0B228EA}
This will prevent the wodSFTP control from being used in Internet Explorer but should not interfere with other applications that happen to use the control.

Disable Active scripting and ActiveX

Disabling Active scripting and ActiveX controls in the Internet Zone (or any zone used by an attacker) appears to prevent exploitation of this vulnerability. With ActiveX controls disabled, the wodSFTP ActiveX control will not be instantiated. With Active scripting disabled, the wodSFTP ActiveX control cannot be scripted by a web site. Instructions for disabling Active scripting and ActiveX in the Internet Zone can be found in the Securing Your Web Browser document and the Malicious Web Scripts FAQ.

Systems Affected (Learn More)

VendorStatusDate NotifiedDate Updated
WeOnlyDo! SoftwareAffected25 May 200631 May 2006
If you are a vendor and your product is affected, let us know.

CVSS Metrics (Learn More)

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A N/A

References

Credit

Thanks to Will Dormann of CERT/CC for reporting this vulnerability.

This document was written by Will Dormann.

Other Information

  • CVE IDs: CVE-2006-1175
  • Date Public: 30 May 2006
  • Date First Published: 30 May 2006
  • Date Last Updated: 31 May 2006
  • Severity Metric: 5.05
  • Document Revision: 10

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.