[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20030428030813.8DF3.NESUMIN@softhome.net>
Date: Mon, 28 Apr 2003 03:09:01 +0900
From: nesumin <nesumin@...thome.net>
To: bugtraq@...urityfocus.com
Subject: [Opera 7/6] Long File Extension Heap Buffer Overrun Vulnerability in Download.
Greetings.
We, :: Operash :: here release the information about vulnerability of Opera.
_________________________________________________
---------------------------------------------------------------------------------
SUMMARY : [Opera 7/6] Long File Extension Heap Buffer Overrun Vulnerability
in Download.
PRODUCT : Opera for Windows
VERSIONS : 7.10 build 2840
7.03 build 2670
7.02 build 2668
7.02 bork build 2656b
7.01 build 2651
6.06b build 1145
6.06 build 1144
6.05 build 1140
VENDOR : Opera Software ASA (http://www.opera.com/)
SEVERITY : Medium.
DoS such as Crash, Abnormal Termination, Opera Unexecutable,
System Unstable/Freeze.
DISCOVERED BY : :: Operash :: (imagine, nesumin)
REPORTED DATE : 2003-04-25
PUBLISHED DATE : 2003-04-28
----------------------------------------------------------------------------------
0. PRODUCT INFORMATION
========================
Opera for Windows is a GUI base Web browser.
Opera Software ASA (http://www.opera.com/)
1. DESCRIPTION
================
A buffer overrun occurs by the unchecked buffer on the heap and it taints the data on heap.
That's because Opera6/7 for Windows don't check the length of filename.
Opera users, therefore, would face the DoS Attack such as the abnormal termination, OS crash,
be unexecutable, etc when he is in the part of long extension name file downloading.
2. SYSTEMS AFFECTED
=====================
Opera (For Windows)
Opera 7.10 build 2840
Opera 7.03 build 2670
Opera 7.02 build 2668
Opera 7.02 bork build 2656b
Opera 7.01 build 2651
Opera 6.06b build 1145
Opera 6.06 build 1144
Opera 6.05 build 1140
Other versions could have this vulnerability.
3. SYSTEMS NOT AFFECTED
=========================
----
4. EXAMINES
=============
Opera (For Windows, English/Japanese) :
Opera 7.10 build 2840
Opera 7.03 build 2670
Opera 7.02 build 2668
Opera 7.02 bork build 2656b
Opera 7.01 build 2651
Opera 6.06b build 1145
Opera 6.06 build 1144
Opera 6.05 build 1140
Platform :
Windows 98SE Japanese
Windows 2000 PRO SP3 Japanese
5. TO VENDOR
==============
Reported (2003/04/25).
6. DETAILS
=============
Opera writes 16-bit wide character encoded cache file name which is made of
like file extensions into the buffer of heap area which is about 512 bytes.
While this process, Opera doesn't check the length of extension
and writes data ahead of buffer's bound.
That causes a destruction of pointer and data of memory managers on the heap,
which could be overwritten by arbitrary data.(sequential like "XX00XX00")
Opera would overdrive and get some abnormal termination.
Moreover, when you restart Opera with a corrupted cache-index due to
the cache configuration, there again occurs buffer overrun on the heap
and Opera would be unexecutable.
This could be avoided by rectifying or deleting the cache-index "dcache4.url".
However, even at randomly destructed heap area could make Windows 9x systems
unstable and down.
About the risk of arbitrary code execution, we estimate that it's slightly
difficult to process the buffer with arbitrary codes.
Because(nn below means hexadecimal from 0x00 to 0xFF);
a. Can overwrite merely with sequential record like "nn00nn00nn00nn00".
DWORD value must be allocated only by "0x00nn00nn".
b. It's not easy to overwrite the pointers and data or to forecast the address
because the layout on the heap is variable due to the system configurations,
Opera's chache or memory relevant configuration.
Algate, its potential risk is so high.
This could be more serious security hole if a further exploit would be found.
7. SAMPLE CODE
================
This is a Perl script.
---------------------------------------------------------------
#!/usr/bin/perl
# Smash Heap Memory.
# This script is CGI program.
$|=1;
my $filename = "." . "\xCC" x (int(rand(0x20000)) + 0x100);
print "Content-type: text/html\r\n";
print qq~Content-Disposition: filename="$filename"\r\n~;
print "\r\n";
print "<html><body>Love & Peace :)</body></html>\r\n";
---------------------------------------------------------------
8. DISCLAIMER
===============
a. We cannot guarantee the accuracy of all statements in this information.
b. We do not anticipate issuing updated versions of this information
unless there is some material change in the facts.
c. And we will take no responsibility for any kinds of disadvantages by
using this information.
d. Copyright is held by :: Operash :: and relatives.
9. CONTACT, ETC
=================
:: Operash ::
[ Unofficial Opera's Bug and Security information site for Japanese people ]
imagine (Operash Webmaster)
nesumin <nesumin@...thome.net> if you have any question, please contact nesumin.
Thanks to :
melorin
piso(sexy)
_________________________________________________
-------
nesumin <nesumin@...thome.net>
Powered by blists - more mailing lists