Close

HAVE QUESTIONS?

A partner account manager can help. Contact us today.

Subscribe me to your mailing list

How to get ActiveX version?

We have the idea: make online scanner for SAP ActiveX vulns. So that every user having SAP GUI can test his software and components for vulnerabilities. It is easy to implement – just get the version of every component and answer whether a component of this version has vulnerabilities or not.

On WWW you can find services that test popular software (QuickTime, Flash Player ActiveX, Acrobat Reader ActiveX) but not SAP. Those services get versions using object properties like this object.GetVersion(). For example for Flash – flashActiveX.

GetVariable("$version") returns the version number of installed Flash ActiveX. But in some ActiveX components methods like this do not exist. For SAP ActiveX components we cannot get a version number using methods or properties. So what we gonna do? After some research I've found the way to determine the version of any ActiveX object. So this is what this post is about 8)

Ok, there's nothing new, just default functional used for good purposes. For example, how does the browser understand that your ActiveX needs an update? Answer:

<object classid='CLSID: 0C0F1283-6027-11D1-B766-00A0C9308BE6' id='obj' codebase='http://server/get.cab#version=5,5,0,0'></object>

So if DLL file version is less than 5.5.0.0 then browser makes GET request "'http://server/get.cab" . So we can make ActiveX version scanner. For example:

...

object classid='CLSID: 0C0C0C0C-1111-1111-1111-00AA00AA00AA' id='obj1' codebase='http://server/get.cab?result=no#version=0,0,0,0'> < /object >

object classid='CLSID: 0C0C0C0C-1111-1111-1111-00AA00AA00AA' id='obj2' codebase='http://server/get.cab?result=4.x.x.x#version=5,0,0,0' > < /object >

object classid='CLSID: 0C0C0C0C-1111-1111-1111-00AA00AA00AA' id='obj3' codebase='http://server/get.cab?result=5.0.x.x#version=5,1,0,0' > < /object >

object classid='CLSID: 0C0C0C0C-1111-1111-1111-00AA00AA00AA' id='obj4' codebase='http://server/get.cab?result=5.1.x.x #version=5,2,0,0' > < /object >

object classid='CLSID: 0C0C0C0C-1111-1111-1111-00AA00AA00AA' id='obj5' codebase='http://server/get.cab?result=5.2.0-4.x#version=5,2,5,0'> < /object>

object classid='CLSID: 0C0C0C0C-1111-1111-1111-00AA00AA00AA' id='obj6' codebase='http://server/get.cab?result=5.2.5.x#version=5,3,0,0' > < /object >

 

...

If we have 5.2.3.0 version for example in this case we create 4 objects first and then the browser goes for update, and we get the URL: "http://server/get.cab result=5.2.0-4.x". The last object (obj6) won't be created cos the browser blocks the other stuff (the same will happen if we have no ActiveX at all, the first GET request will be sent ("http://server/get.cab?result=no") but 5 following objects will never be parsed and created, and no more GET requests will be sent . So just make get.cab as PHP script that reads the ‘result' GET parameter. This is my way of detecting the version of ActiveX components without calling methods of an object. Soon (may be next week) you will get SAP GUI scanner based on this idea…

Thank you for your attention.

Alexey Sintsov