Date: Mon, 13 Sep 2010 18:43:56 +0300 (EEST)
From: Juha-Matti Laurio <juha-matti.laurio@...ti.fi>
To: MustLive <mustlive@...security.com.ua>, full-disclosure@...ts.grok.org.uk
Subject: Re: DLL Hijacking vulnerability in Opera

It was reported on 24th August already
http://www.exploit-db.com/exploits/14732/

It takes only a few seconds to check it
http://secunia.com/advisories/41083/

Juha-Matti

MustLive [mustlive@...security.com.ua] wrote:
> Hello Full-Disclosure!
>
> I want to warn you about DLL Hijacking vulnerability in Opera. As I wrote on
> Saturday in my post DLL Hijacking in different browsers
> (http://websecurity.com.ua/4522/), besides Mozilla Firefox (which was fixed
> in version 3.6.9) there is also vulnerable such browser as Opera.
>
> DLL Hijacking vulnerability in Opera allows to execute arbitrary code via
> library dwmapi.dll. Attack will work in Opera on OS Windows. For attack
> there can be used the same dwmapi.dll, as for Firefox (based on the sources
> of Glafkos Charalambous).
>
> When I informed Opera, I draw their attention as to the hole itself, as to
> possibility to attack version Opera 10.62 (which was released recently), where
> this hole was fixed by developers.
>
> There are possible two variants of attack:
>
> 1. Attack will work at opening in browser the file of web page (htm, html,
> mht, mhtml) or other file, alongside with which there is file dwmapi.dll.
>
> 2. If file dwmapi.dll is placed at desktop or in any folder which is in
> PATH, then code will work at every starting of the browser.
>
> From second variant of attack it's clear, that in some applications (such as
> Opera) it's possible to conduct DLL Hijacking attacks with other method,
> than the one which was mentioned in August. I.e. code will execute not only at
> placing of dll-file alongside with file designed for opening in application,
> but also if dll-file is placed at desktop or in any folder which is in PATH.
> And code can be executed even at starting of application (as in Opera),
> without opening of any files.
>
> Vulnerable are Opera 10.61 and previous versions.
>
> As I checked in Opera 10.62, which was released at 09.09.2010, this version is
> not vulnerable (to both variants of attack). Only if to place dll-file in
> folder Opera or in System32, only then the code will work (so the attack can
> take place on systems with FAT32 or when attacker will be having appropriate
> rights on systems with NTFS).
>
> Best wishes & regards,
> MustLive
> Administrator of Websecurity web site
> http://websecurity.com.ua
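An added example, not part of the original posts: a defender-side check for the condition the quoted message describes, a copy of dwmapi.dll sitting on the desktop or in a PATH folder rather than in a trusted location. The function names, the watched-name list and the constructed directory layout are assumptions for illustration.

```python
import os
import tempfile

# Assumption: names to watch; dwmapi.dll is the library named in the post.
WATCHED_DLLS = {"dwmapi.dll"}


def path_dirs(path_value=None):
    """Split a PATH string (default: current environment) into directories."""
    value = os.environ.get("PATH", "") if path_value is None else path_value
    return [p.strip('"') for p in value.split(os.pathsep) if p.strip('"')]


def find_planted_dlls(search_dirs, trusted_dirs, watched=WATCHED_DLLS):
    """Return watched DLLs found in search_dirs but outside trusted_dirs.

    search_dirs:  PATH entries, the desktop, folders holding opened documents.
    trusted_dirs: where the DLL legitimately lives (System32, install folder).
    """
    def norm(p):
        return os.path.normcase(os.path.realpath(p))

    trusted = {norm(d) for d in trusted_dirs}
    names = {n.lower() for n in watched}
    hits, seen = [], set()
    for d in search_dirs:
        if not d:
            continue
        nd = norm(d)
        if nd in seen or nd in trusted or not os.path.isdir(nd):
            continue
        seen.add(nd)
        for entry in os.listdir(nd):  # DLL names are case-insensitive on Windows
            full = os.path.join(nd, entry)
            if entry.lower() in names and os.path.isfile(full):
                hits.append(full)
    return sorted(hits)


def demo():
    """Constructed layout: trusted system dir, a PATH dir and a desktop."""
    root = tempfile.mkdtemp()
    dirs = {n: os.path.join(root, n) for n in ("System32", "tools", "Desktop")}
    for d in dirs.values():
        os.mkdir(d)
    for n in ("System32", "Desktop"):  # legitimate copy and a planted copy
        open(os.path.join(dirs[n], "DWMAPI.DLL"), "wb").close()
    search = path_dirs(os.pathsep.join([dirs["System32"], dirs["tools"]]))
    return find_planted_dlls(search + [dirs["Desktop"]], [dirs["System32"]]), dirs


if __name__ == "__main__":
    print(demo()[0])
```

On a real host, pass `path_dirs()` plus the user's desktop and download folders as `search_dirs`, and the System32 and application install folders as `trusted_dirs`.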