ActiveX not working properly with default security settings - c#

I have written an ActiveX control in C# and have made it working using regasm command, and it works fine as long as the security level is set to low.. Then as a next step I have made a .cab installer (ICD - Internet component downloader), and have signed my .cab file and ActiveX .dll file with a test certificate. when I hit the html page from my browser the installation parts works fine with default security settings of IE, but at the end it seems that nothing is installed and a red cross is shown on place of ActiveX. Moreover I have explored the Download Program Files folder under Windows directory, in status column it is showing word "unknown". while it is "installed" for all other activeX. what may be the problem.
Moreover if i use the regasm command to register the assembly it works fine, and I have signed the ActiveX but still I have to move the security bar to low in my browser setting? why it is so? then what is the purpose of signing? I have used RegisterServer=yes in my .inf file
Please let me know, if some one has gone through this problem already?

In order to run in IE, you also need to implement IObjectSafety so that IE knows that it is safe to be called by an untrusted caller and/or with untrusted data. (If it is actually safe, that is)
Personally, I have only done this in C++ & ATL, not C#, but here is a blog post that looks like it should help you achieve this in C#.
http://blog.devstone.com/aaron/2007/06/12/ImplementingIObjectSafetyInNETMarkingClassesSafeForScripting.aspx
The reason for this is that scripts by nefarious individuals may use your object to bypass the normal security offered by IE, so your ActiveX Object must defend against untrusted pages itself.
When you sign a cab, you are telling the user that the cab they are downloading is the one they think they are downloading - i.e. that some malicious individual hasn't replaced your cab with a dangerous one. If they trust you as a publisher, then they can trust that the ActiveXObject will not do anything evil on its own, or in combination with other code that they trust.
When you implement IObjectSafety, to return INTERFACESAFE_FOR_UNTRUSTED_CALLER | INTERFACESAFE_FOR_UNTRUSTED_DATA, you are telling IE that the object cannot be used maliciously by anyone else, and is therefore safe to run in conjunction with code that the user doesn't explicitly trust.

For me the solution above doesn't work.
I needed to register also the tlb
with : regasm MyDll.DLL /tlb

Related

stop smartscreen warning for the same .exe on every execution and how to predict if a smartscreen warning will appear

I wrote a VS12 .net4.5 .exe that copies itself to the user directory (unless it's executed from there) and creates a shortcut to the user directory .exe in shell:sendto.
Every time it's executed with the send to menu just one of my colleagues gets the smartscreen warning where he needs to click on "more information" and then "execute anyway".
In the .exe properties there is an Allow button, if you click it it disappears but once you close the .exe property dialogue and open it again the button is there again!How do I get rid of it?
I am often writing helpful little C# applications with different distribution strategies: Sometimes it's in a rar/zip archive and I put it on our NAS, sometimes I send it via email and sometimes it's transmitted with a data stick.
How can I reliably predict whether there will be a smartscreen warning?
I have read lots of unverified information about an invisible magical reputation value.
Is there truly no way to properly sign my applications to be sure there won't be a warning? We'd be ready to buy a certificate if we know for sure that it will remove the smartscreen warning.
Smartscreen is a technology from microsoft that establishes an internet connection to one of microsofts servers and checks if the exe that you are trying to execute is on a whitelist or correctly signed.
Therefor it will warn the user when executing all not fully signed and unknown applications.
You can use any official digital signing company to get a certificate (they cost something). One of the most popular is VeriSign. As far as I know this should stop the warnings from smartscreen.
Also you should use the signtool to create an assembly with a strong name. That gives the assembly a basic level of trust. However this will not stop Smartscreen from warning the user from executing your application.
http://msdn.microsoft.com/en-us/library/ms247123(v=vs.90).aspx
An assembly signed with a strong name is ensured to not have undergone any changes since the assembly got compiled. It therefor prevents viruses from infecting the assembly, that makes the computer trust the exe file more.

Is there an Adobe equivalent to the Java deployment.properties file?

Just as the title states, is there an Adobe equivalent to the Java deployment.properties file?
I am writing a c# application to test installations of application in our network. The top three on my boss's list are java, flash, and reader. I need to be able to find out what versions of each application are installed on a machine for the reports im going to generate (force the user to update/etc).
I know i can check version number and confirm the ability of IE to access my JRE by checking "\Sun\Java\Deployment\deployment.properties". What file would I check to confirm the same for adobe reader and flash?
Thanks in advance for any help given or links provided to more info.
edit: I need to do this from the browser.
This is not a very clean solution, but since the only "official" way seems to be to check it from the Windows registries perhaps this will help:
We know that the flash files are located are in the (windows directory)\system32\Macromed\Flash (or SysWow64\Macromed\Flash on 64 bit systems).
Each time a flash updates it keeps the track of the progress in the log files. Depending on the flash version you will either have a) install.log (very old versions of flash) or b) FlashInstall.log
a) If you browse through the file you see various entires and one type goes like this:WriteRegStr: "HKEY_CURRENT_USER\SOFTWARE\Macromedia\FlashPlayer" "FlashPlayerVersion"="10.0.45.2".
Now you can just go through that file bottom-top and match the "FlashPlayerVersion"= string to get the most recent version.
However, this is for a really old versions of flash and the install.log file never got deleted from this directory, so make sure you check for the FlashInstall.log too!
b) Use a similar approach, except the new install logs don't keep the "WriteRegStr" information. Now you can instead look for the dll file name itself, for example my last update created an install log 0009 [I] 00000014 C:\WINDOWS\system32\Macromed\Flash\NPSWF32_11_5_502_146.dll, meaning my flash version is 11.5.502.146
another options are to
check the plugin core files creation date and compare with the versions release dates (quite unreliable in case someone somehow manages to install an older version)
check the actual property of the NPSWF[..version..].dll file. You can see all the complete and precise version details in the "Version" tab. however, I don't know how to access the rightclick->properties from inside a script, so you'll have to find out by yourself if you decide to go for this option
ask the unicorns

Is it possible to run exe file with silverlight c# or javascript on client side?

Is it possible to run a .exe file on client side with Silverlight.
Or with javascript or something other.
Thanks
Assuming you mean from the context of a remote domain, most definitely not. Think of the ease with which you might deliver a virus by such a mechanism.
In general no - it would be a huge security hole.
It might be possible for specific browser using plug-ins or ActiveX components (in Internet Explorer) that add such a feature - that will leave the browser very exposed though.
See also this - one of the answers there suggest a clever trick if you want to start from the browser an application that you have control over: have the application installer associate a file extension with its EXE, and then you download from the browser a dummy file with that extension.
Yes, But not seemlessly and not cross browser
Browsers are specifically designed to prvent this sort of thing but....
You can do it in internet explorer through activex javascript
function runApp()
{
var shell = new ActiveXObject("WScript.shell");
shell.run("notepad.exe", 1, True);
}
You might be able to do it via plugin with firefox and chrome, but I don't know and I wouldn't be surprised if you can't

SharePoint fails to load a C++ DLL on Windows 2008

I have a SharePoint DLL that does some licensing things and as part of the code it uses an external C++ DLL to get the serial number of the hardisk.
When I run this application on Windows Server 2003 it works fine, but on Windows Server 2008 the whole site (loaded on load) crashes and resets continually. This is not Windows Server 2008 R2 and is the same in 64 or 32 bits.
If I put a Debugger.Break before the DLL execution then I see the code get to the point of the break and then never come back into the DLL again. I do get some debug assertion warnings from within the function, again only in Windows Server 2008, but I'm not sure this is related.
I created a console application that runs the C# DLL, which in turn loads the C++ DLL, and this works perfectly on Windows Server 2008 (although it does show the assertion errors, but I have suppressed these now).
The assertion errors are not in my code but within ICtypes.c, and not something I can debug.
If I put a breakpoint in the DLL it is never hit and the compiler says:
"step in: Stepping over non user code"
If I try to debug into the DLL using Visual Studio.
I have tried wrapping the code used to call the DLL in:
SPSecurity.RunWithElevatedPrivileges(delegate()
But this also does not help.
I have the source code for this DLL so that is not a problem.
If I delete the DLL from the directory I get an error about a missing DLL. If I replace it, back to no error or warning just a complete failure.
If I replace this code with a hardcoded string the whole application works fine.
Any advice would be much appreciated, I can't understand why it works as a console application, yet not when run by SharePoint. This is with the same user account, on the same machine...
This is the code used to call the DLL:
[DllImport("idDll.dll", EntryPoint = "GetMachineId", SetLastError = true)]
extern static string GetComponentId([MarshalAs(UnmanagedType.LPStr)]String s);
public static string GetComponentId()
{
Debugger.Break();
if (_machine == string.Empty)
{
string temp = "";
id= ComponentId.GetComponentId(temp);
}
return id;
}
This could be security related:
An important point is that it works in a console app.
In a console app RunWithElevatedPrivileges has no effect since it emulates the app pool user for your worker process, a user that should have no special rights on the box itself.
In contrast a console app runs in context of the logged in user.
Try emulating a user with rights like when you run the console application specified here (with Undo() inside try/finally mind you!). When obtaining the token you can create an SPUserToken and establish site context using the SPSite constructor that takes a GUID and a SPUserToken
Theres several examples out there documenting this approach, here for example.
EDIT: oh and the reason it worked on 2003 could be that your app pool account had way too many rights ;-)
Why not use WMI to get the serial number of hard disk, thus avoids execution of unmanaged code. See this sample How to Retrieve the REAL Hard Drive Serial Number
That non-deterministic crashing behavior is often seen with memory overwrites/corruption; sometimes it matters (crash), sometimes you get lucky.
You might want to check into getting a crash dump and analyze it with WindDbg. Since you have the source you could re-build it with the various stack, heap memory protection and warning systems enabled (depending on your compiler) and see what you get.
I'd find out if it is a User Account Control related problem, you can try to disable it.
2003 doesn't have UAC.
Your app pool account might not have the right to retrieve this information?
In visual studio, go into the properties of your executable assembly, and under the debug tab, check the enable debugging unmanaged code option.
If the method your are importing belongs to a class, you need to add the mangled C++ name (e.g. 2#MyClass#MyMethod?zii) as an entry point to the DllImport attribute (run depends on the native DLL to get it).
You do not need C++ for that: http://www.codeproject.com/KB/cs/hard_disk_serialno.aspx
If i put a breakpoint in the DLL it is
never hit and the compiler says :
"step in: Stepping over non user code"
That's the debugger, not the compiler, and if you configured it properly it wouldn't do that. Look for the options calls "Use native debugging" and "Just my code". The first one should be on and the second one off.
This problem may happen due to one of the problems listed below.
the web part may not have the right permissions to call the DLL or
you may not have set the appropriate trust level for your SharePoint site.
For the permission you can use impersonation and for the trust level below site can help you.
http://msdn.microsoft.com/en-us/library/dd583158(office.11).aspx
I made a new C++ DLL from scratch which works fine when referenced as a console application on Windows Server 2003 and Windows Server 2008, but as soon as I reference it from the DLL in SharePoint the same things happens and it won't run.
It does find the DLL, but I think it has no permissions to execute it, even if I put it into the My Documents section and reference it directly!

Why can't I delete a file in %ProgramFiles% from a Unit Test via Resharper's Test Runner Unit Test?

I am trying to write a test which, in it's fixtures Setup, it backs up a file and deletes the original, runs the test without the original present, then in the teardown, restores the original from the backup. The file is located in my %ProgramFiles% folder. I get an UnauthorizedAccessException on the fileInfo.Delete() statement. I have no problem deleting this file from another test project on the same machine that is not running from the Resharper Test Runner.
I can't move the file to somewhere else - it's ssapi.dll, an installed dll for Visual SourceSafe. (Yes, I'm doing something invasive in a Unit Test.)
It's the same user (me) for both ways -- I checked it via Task Manager. My user account is a member of the local Administrators group. What other factors are there which determine my "Authorization" to do something with a file?
RESOLVED: Though it doesn't answer my original question (which I'd still like to know the answer to), I have found a workaround for my testing purposes, using the System.Security.Permissions framewok, doing a Demand for FileIOPermissionAccess.Read in the app (non-test) code which requires the file (for an Interop call), and a Deny for the same in the test of that code which requires a scenario that that file is not there. This should work for now (and I love having learned a bit about the System.Security.Permissions namespace)!
Not really a solution, but I'd consider fixing this problem from a different angle.
You could perhaps consider changing the directory to %AppData% (you might need to make this change for you main application also).
It might solve your problem and also will see you well when you move to Vista, since UAC could stop you (or the application user) from using the %ProgramFiles% directory.
It is possible that ReSharper is running its Test Runner as a separate process, and that separate process is not using your Windows identity but, instead, another one with lower privileges.
You might be able to verify this opening Task Manager and checking Show processes from all users.
You can probably fix this by giving your user account full access to that folder.
Navigate to the folder in windows explorer. Right click on the folder and select properties. Select the security tab, then the Edit button, and add full control for yourself. Yes - I suppose it's a potential security issue, but you have to change the files in that directory, and you seem to know what you're doing, so it should work.
You could activate auditing for the file, and check the error message in the event log. Note that you have to turn on auditing in two places, once under Local Security Policy/Local Policies/Audit Policy and once on the file itself.
This would not solve the problem, but would at least help diagnose the problem.
Are you running Vista or Server 2008 with UAC turned on? If yes, this might be the cause - the test runner process might not be in "elevated" mode.

Categories

Resources