Security Watch

Vendor-Issued ActiveX Means BOV for Users

HP guilty this time, and so is AMX NetLinx. At least HP's buffer overflow flaws come with fixes.

• By Russ Cooper
• 08/20/2007

First, let us say it again: Why do vendors write ActiveX controls designed to be used only with their own sites, which fail to ensure they cannot be invoked from criminal sites? This control is intended to be used only by HP customers with HP support sites to aid their customers. However, it could be invoked by anyone for any purpose.

Worse yet is the way HP has handled delivering a patch. In order to get the patch, you must go to the HP driver check site and invoke the control. This causes the updated control to overwrite the vulnerable control.

Great, but what would trigger this? Only another need to go there to have your configuration checked. Meanwhile, assuming the vulnerability were to be used by a criminal, why wouldn’t they now send out a mass e-mail encouraging HP users to visit a bogus driver check site to retrieve malware? How would an unsuspecting end user know there was an update? How could they tell they weren’t at an official HP site?

This is an extreme example of how the process can fail if sufficient thought isn’t used. First there is the mistake of allowing the control to be Safe for Scripting for the world. Then there is the mistaken belief that the best way to fix it is to get people to visit a Web site that invokes the control. Instead, HP should deliver the updated control to all of its customers, with an installer that simply verifies whether it had been previously run and, if so, installs the updated control. As it is, they leave customers wide open to fraud.

AMX NetLinx Has a Similar ActiveX Problem
The milw0rm exploit database has information on AMX NetLinx controller products that employ an ActiveX control to allow connection via VNC. This control contains a vulnerability in the way it parses parameters passed to it. A criminally-crafted Web page could exploit the control and run code of their choosing on the victim system in the security context of the victim. Updates are unavailable.

While this is just another run-of-the-mill ActiveX control vulnerability -- showing yet again that control developers are not taking abuse of their controls seriously when developing them -- it is interesting from another perspective: This control is present on your system if you use an AMX NetLinx controller. These controllers are used to create automated rooms, such as a Presentation room where you may wish to control a projector, video device, lights, etc. To do this you’d use your browser to connect to the controller. The ActiveX control allows you to make this connection and is supplied by the controller's embedded Web server.

To most, the device would seem to be benign and could easily be overlooked when considering the security risks in an environment. Updating it may mean a firmware update, and in organizations where they’re deployed there may be very many of them and they may not be inventoried. In other words, the vulnerable control may be delivered even after updating some of the devices if all aren’t updated.

Embedded hardware devices are a category of systems that must be inventoried correctly in order to make this upgrading task easier and, more importantly, complete. The likelihood of exploitation is extremely small as few people are likely to have the control installed, but it does prove a useful reminder that these devices must be maintained.