Tutorial 5 - Fuzzing ActiveX

ActiveX controls are an interesting target for fuzzing because they have historically had many security vulnerabilities and these vulnerabilities can be exploited by any web site that you visit. To fuzz an ActiveX control you need to either know the CLSID or ProgId of the control.

For this tutorial we will use the Acrobat PDF ActiveX control. Create a new project in your Tutorials directory called Tutorial5, and select the 'Fuzz an ActiveX control' input source. On the input configuration page you can enter either 'AcroPDF.PDF' (the ProgId) or 'CA8A9780-280D-11CF-A24D-444553540000' (the CLSID). If you have gone through Tutorial 4 then we will note the similarity between the input configurations for ActiveX and those for WSDL; they are basically the same (Fuzzware actually generates a WSDL for the ActiveX control).

With nothing else configured, our fuzzing is probably not going to be very effective because we haven't asked the control to open any PDF files. To do this select IAcroAXDocShim.LoadFile as an Initial Method, this ensures that the control will invoke the method to load a file before calling other methods, this will make calls to the other methods more meaningful since a file will have been loaded. Now under Default Method Parameter values select 'Named method/parameter values' and choose IAcroAXDocShim.LoadFile again and select fileName (the only parameter) and the URL to a PDF file (you can use http://www.fuzzware.net/files/test.pdf). This ensures that the load function has a proper value and an actual document will be loaded.

ActiveX input source configuration

It is possible to provide default parameter values for all the methods of the control, or to provide values for certain matching criteria on the parameter name. The default parameter values that will get used if you haven't explicitly provided one can be changed also. It's important to note that the default parameter values are applied in the order specified, so you should have the most general rules at the top e.g. Any parameter name containing URL assign http://www.fuzzware.net, and the most specific rules at the bottom e.g. Named method/parameter: For IAcroAXDocShim.LoadFile assign value the value test.pdf. Use the arrow buttons to change the order of the default parameter values.

For the output destination, choose Invoke ActiveX Control.

Aside from configuring the fuzzing values, that is all there is to configure to fuzz ActiveX controls. By default the output destination uses the default script template file and Internet Explorer is used to invoke the script. To change these options expand the Advanced Options in the output destination configuration. It might be necessary to change the delay timing of IE depending on how quickly the control runs in script.

It is also a good idea to 'Use Post-Mortem Debugging' (select this on the 'Configure Monitoring' page) when fuzzing ActiveX controls. If evaluating the control in IE, Fuzzware is only able to detect when IE crashes, but by using post-mortem debugging if there are any crashes a crash dump will be saved containing all the information about the crash.

Fuzzware ships with an alternative script template to fuzz an ActiveX control, it is located at Resources\ActiveXInvoke.js and should be run with the cscript.exe (Windows command line script engine located in the Windows\System32 directory). The advantage of this is that it runs a lot faster than invoking each test case in a browser, however any bugs you find using cscript are not guaranteed to occur when the same test case is run in the browser. If you want to use this script template, under the Advanced Options change the script template file, change the application to cscript, change the output file extension to .js and change the delay timing to smaller values.

Alternative ActiveX output destination

If you have run through the tutorial this far, you may have noticed when you ran the fuzzing in IE that there were popup messages about printing. For the Adobe PDF control some of the methods involve printing the document. We could add Window Actions for IE to bypass these popups but we probably don't care about fuzzing these printing methods and ideally would not like to call them at all.

Fuzzware creates some XSD files and an XML file for the ActiveX control that describe all the methods and contain all the parameter values respectively. Once Fuzzware creates these files, it will reuse them, so this means they can be edited manually. In this case, open the 'IAcroAXDocShimInput.xml', in it is the list of methods of the control, in the order they will be called and the parameters that will be used. To stop calling any print methods, remove all method nodes (identified by the Interface.Methodname naming convention, and they are also the children of the root node) that reference printing. Now you can start fuzzing again without having to worry about the printing pop-ups.

Editing the XML file directly is useful if you only want to fuzz a subset of the controls methods, want to impose a certain order for calling the methods, or need to specify the majority of parameter values of the methods.

  Design by guenstige.shop-stadt.de & windows forum