- Buffer overflow attacks: Sending long argument to the Activex functions via java script. This can result into taking control of machine by attacker.
- Remote Code Execution : Executing commands via command line tools. Some activex programs provide functions which can execute programs given to them via arguments.
- Overwriting some files: Using some vulnerable activex programs, attackers can overwrite any file content. Typically it is used by attackers to overwrite some system programs with their own executable.
- Setting and Getting Registry values.
- Information disclosure : Reading any arbitrary file contents via activex functions.
- DOM Manipulation of HTML page by embedded java script: Some DOM Manipulations result into browser crash while they are rendered or during cleanup or garbage collection process.
- Removal of child elements.
- Modification of child elements
- Assigning bad values to the elements.
- Creating circular references across parent and children.
Simple Pattern based detection does not work well to detect these kinds of attacks.
- Java script is a language by itself. Patterns can be hidden very easily either through encoders or by different ways of programming logic to generate string (or argument to the ActiveX function).
- Simple pattern based protection systems stop (alert) the traffic whenever CLSID and vulnerable method are present. That is, they don't check for the exploiting argument to the method. This could result into false positives.
- Simple pattern based protection systems assume that CLSID and vulnerable methods are present within same packet or together separated by few bytes such as 2K/4K etc.. This can be used by attackers to put these two strings far apart by introducing lot of dummy java script logic or DOM elements. This is one example and there are many ways to evade the detection by IPS devices. Another example is different scripts in the same HTML page exploiting the vulnerability. That is, one java script in beginning of HTML page storing some data in DOM tree and second Java script using this data to pass the bad argument to the vulnerable method.
- Using transparent proxies or WCCP or other mechanisms, collect the HTML data.
- Get hold of all Java scripts in the page. If the page is referring to JS file via include primitive, download those java script files too. If the script is referred in the HTTP Referer method, get that too.
- Ensure the sandbox is created in virtual environment (Linux containers is fastest)
What are security considerations the IPS devices need to worry about?
Malware developers are smart and they continue to evade the detection by intermediate security devices and even try to attack these protection systems.