Close

HAVE QUESTIONS?

Contact us today.

Subscribe me to your mailing list

How to get ActiveX version?

We have the idea: to make an online scanner for SAP ActiveX vulnerabilities. So that every user of the SAP GUI could test his software and its components for vulns. It is easy to implement – just get the version of every component and answer whether a component of this version has vulnerabilities or not.

You can find online services that test popular software (QuickTime, Flash Player ActiveX, Acrobat Reader ActiveX) but not SAP. Those services get versions using object properties like this: object.GetVersion(). For example for Flash – flashActiveX.

GetVariable(“$version”) returns the version number of installed Flash ActiveX. But some ActiveX components don’t use such methods. We cannot get a version for SAP ActiveX components using any methods or properties. So what do we have to do? After some research I’ve found the way to determine the version of any ActiveX object. So this is what this post is about.

Ok, there’s nothing new here, just some default functions used for good purposes. For example, how does the browser understand that your ActiveX needs an update? The answer is:

<object classid=’CLSID: 0C0F1283-6027-11D1-B766-00A0C9308BE6′ id=’obj’ codebase=’http://server/get.cab#version=5,5,0,0′></object>

So if a DLL version is less than 5.5.0.0, a browser makes GET request “‘http://server/get.cab” . That way we can make an ActiveX version scanner. For example:

object classid='CLSID: 0C0C0C0C-1111-1111-1111-00AA00AA00AA' id='obj1' codebase='http://server/get.cab?result=no#version=0,0,0,0'> < /object >

object classid='CLSID: 0C0C0C0C-1111-1111-1111-00AA00AA00AA' id='obj2' codebase='http://server/get.cab?result=4.x.x.x#version=5,0,0,0' > < /object >

object classid='CLSID: 0C0C0C0C-1111-1111-1111-00AA00AA00AA' id='obj3' codebase='http://server/get.cab?result=5.0.x.x#version=5,1,0,0' > < /object >

object classid='CLSID: 0C0C0C0C-1111-1111-1111-00AA00AA00AA' id='obj4' codebase='http://server/get.cab?result=5.1.x.x #version=5,2,0,0' > < /object >

object classid='CLSID: 0C0C0C0C-1111-1111-1111-00AA00AA00AA' id='obj5' codebase='http://server/get.cab?result=5.2.0-4.x#version=5,2,5,0'> < /object>

object classid='CLSID: 0C0C0C0C-1111-1111-1111-00AA00AA00AA' id='obj6' codebase='http://server/get.cab?result=5.2.5.x#version=5,3,0,0' > < /object >

 

If we have 5.2.3.0 version in this case we should create 4 objects first and then the browser starts the update, so that we get the URL: “http://server/get.cab result=5.2.0-4.x”. The last object (obj6) won’t be created because the browser blocks the other stuff (as well as if we have no ActiveX at all, the first GET request will be sent (“http://server/get.cab?result=no”) but other 5 following objects won’t be parsed, and no more GET requests will be sent . So just make get.cab as the PHP script that reads the ‘result’ GET parameter. This is my way of detecting the version of ActiveX components without calling methods of an object. Soon (maybe next week) you will get the SAP GUI scanner based on this idea.

Thank you for your attention.

Alexey Sintsov

Do you want more?

Subscribe me to your mailing list