Date: Mon, 13 Sep 2010 18:43:56 +0300 (EEST)
From: Juha-Matti Laurio <juha-matti.laurio@...ti.fi>
To: MustLive <mustlive@...security.com.ua>, full-disclosure@...ts.grok.org.uk
Subject: Re: DLL Hijacking vulnerability in Opera

It was reported on 24th August already
http://www.exploit-db.com/exploits/14732/

It takes only a few seconds to check it
http://secunia.com/advisories/41083/

Juha-Matti

MustLive [mustlive@...security.com.ua] wrote: 
> Hello Full-Disclosure!
> 
> I want to warn you about a DLL Hijacking vulnerability in Opera. As I wrote
> on Saturday in my post DLL Hijacking in different browsers
> (http://websecurity.com.ua/4522/), besides Mozilla Firefox (which was fixed
> in version 3.6.9), the Opera browser is also vulnerable.
> 
> The DLL Hijacking vulnerability in Opera allows execution of arbitrary code
> via the library dwmapi.dll. The attack works in Opera on Windows. For the
> attack, the same dwmapi.dll can be used as for Firefox (based on the sources
> of Glafkos Charalambous).
> 
> When I informed Opera, I drew their attention both to the hole itself and to
> the possibility of attacking version Opera 10.62 (which was released
> recently), where this hole was fixed by the developers.
> 
> There are two possible variants of the attack:
> 
> 1. The attack works when opening in the browser a web page file (htm, html,
> mht, mhtml) or another file alongside which there is a file dwmapi.dll.
> 
> 2. If the file dwmapi.dll is placed on the desktop or in any folder which is
> in PATH, then the code will run at every start of the browser.
> 
> From the second variant of the attack it's clear that in some applications
> (such as Opera) it's possible to conduct DLL Hijacking attacks with a method
> other than the one which was mentioned in August. I.e. code will execute not
> only when the dll file is placed alongside a file to be opened in the
> application, but also if the dll file is placed on the desktop or in any
> folder which is in PATH. And code can be executed even at application start
> (as in Opera), without opening any files.
> 
> Opera 10.61 and previous versions are vulnerable.
> 
> As I checked, Opera 10.62, which was released on 09.09.2010, is not
> vulnerable (to both variants of attack). Only if the dll file is placed in
> the Opera folder or in System32 will the code work (so the attack can take
> place on systems with FAT32, or when the attacker has appropriate rights on
> systems with NTFS).
> 
> Best wishes & regards,
> MustLive
> Administrator of Websecurity web site
> http://websecurity.com.ua 
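
Added example, not part of either message: a defender-side check for the two plant locations the quoted post describes (the folder of the opened file, and the desktop or any folder in PATH). It reports any dwmapi.dll found in those folders outside the directories the caller marks as trusted; the function names, the trusted-directory parameter and the default Desktop location are assumptions made for this illustration.

```python
import os

def candidate_dirs(document_path=None, desktop=None, env_path=None):
    """Folders named in the post, in order: the opened file's folder
    (variant 1), then the desktop and every PATH entry (variant 2)."""
    dirs = []
    if document_path:
        dirs.append(os.path.dirname(os.path.abspath(document_path)))
    if desktop:
        dirs.append(desktop)
    if env_path is None:
        env_path = os.environ.get("PATH", "")
    dirs += [p.strip('"') for p in env_path.split(os.pathsep) if p.strip('"')]
    seen, ordered = set(), []
    for d in dirs:  # drop duplicates, keep the first occurrence
        key = os.path.normcase(os.path.realpath(d))
        if key not in seen:
            seen.add(key)
            ordered.append(d)
    return ordered

def find_planted_dlls(search_dirs, trusted_dirs, dll_name="dwmapi.dll"):
    """Return paths of files named dll_name (case-insensitive) that sit in
    a searched folder which is not one of trusted_dirs."""
    trusted = {os.path.normcase(os.path.realpath(t)) for t in trusted_dirs}
    hits = []
    for d in search_dirs:
        if os.path.normcase(os.path.realpath(d)) in trusted:
            continue
        try:
            entries = list(os.scandir(d))
        except OSError:
            continue  # PATH often lists missing or unreadable folders
        for entry in entries:
            if entry.name.lower() == dll_name.lower() and entry.is_file():
                hits.append(entry.path)
    return hits

if __name__ == "__main__":
    # Assumed layout: default Desktop folder and %SystemRoot%\System32.
    desktop = os.path.join(os.path.expanduser("~"), "Desktop")
    system32 = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"), "System32")
    for path in find_planted_dlls(candidate_dirs(desktop=desktop), [system32]):
        print("review:", path)
```

Pass `document_path` to include the folder of a specific downloaded file; a hit is a file to review, not proof of compromise.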
