Message-ID: <20040805101325.538F9F3241@nils.bezeqint.net>
Date: Thu, 5 Aug 2004 13:16:52 +0200
From: GreyMagic Software <security@...ymagic.com>
To: <bugtraq@...urityfocus.com>
Subject: Opera: Location, Location, Location


GreyMagic Security Advisory GM#008-OP
=====================================

By GreyMagic Software, 05 Aug 2004.

Available in HTML format at
http://www.greymagic.com/security/advisories/gm008-op/.

Topic: Location, Location, Location.

Discovery date: 19 Jul 2004.

Affected applications:
======================

Opera 7.53 and prior on Windows, Linux and Mac. 


Introduction:
=============

On 04-Feb-2003 GreyMagic released an advisory [1] concerning Opera's
security model in v7.0. The advisory described several flaws in Opera's
model, one of which allowed an attacker to overwrite native and custom
functions in a victim window. When the victim web-page executed such a
function, the attacker's code ran with the victim's privileges.

Opera tried to prevent such scenarios in Opera 7.01, by blocking
write-access to objects on the victim window. 

[1] http://www.greymagic.com/security/advisories/gm002-op/

Discussion: 
===========

Unfortunately, Opera failed to block write-access to the often-used
"location" object. 

By overwriting methods in this object, an attacker can gain immediate script
access to any web-page that uses one of these methods. This includes both
web-pages in foreign domains and the victim's local file system. 

The impacts of this vulnerability include: 

* Read-access to files on the victim's file system
* Read-access to lists of files and folders on the victim's file system
* Read-access to emails written or received by M2, Opera's mail program
* Cookie theft
* URL spoofing (phishing)
* Tracking of the user's browsing history
* Much more...

Several methods are candidates for such attacks: assign(), replace(),
valueOf() and toString(). The first two would be triggered only when the
victim explicitly calls them. The latter two are invoked implicitly in many
cases, including:

* str+=location;
* decodeURI(location);
* location*7;
* location+"";

And many others... 
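The following is an added example, not part of the advisory: it uses a constructed stand-in for window.location (href "http://example.invalid/" is made up) whose methods record when they are called, and traces which of toString() and valueOf() the JavaScript engine invokes for each implicit-conversion pattern listed above. It shows why both methods matter: arithmetic and concatenation try valueOf() first and fall through to toString(), while string conversions go straight to toString().

```javascript
// Added example, not code from the GreyMagic advisory. "loc" is a constructed
// stand-in for window.location; its valueOf returns the object itself, as the
// inherited Object.prototype.valueOf does for a real Location, so the engine
// falls through to toString when it needs a primitive.
function makeRecorder(href) {
  const calls = [];
  const loc = {
    href,
    valueOf() { calls.push("valueOf"); return this; },
    toString() { calls.push("toString"); return this.href; },
  };
  return { loc, calls };
}

// Evaluate each coercion pattern against a fresh recorder and return,
// per pattern, the order in which the overridable methods were invoked.
function traceCoercions(href = "http://example.invalid/") {
  const cases = {
    "str+=location":       (loc) => { let s = "x"; s += loc; return s; },
    "decodeURI(location)": (loc) => decodeURI(loc),
    "location*7":          (loc) => loc * 7,
    'location+""':         (loc) => loc + "",
    "String(location)":    (loc) => String(loc),
    "`${location}`":       (loc) => `${loc}`,
    "location.href":       (loc) => loc.href, // plain property read: no call
  };
  const report = {};
  for (const [name, fn] of Object.entries(cases)) {
    const { loc, calls } = makeRecorder(href);
    fn(loc);
    report[name] = calls.slice();
  }
  return report;
}

// Number of patterns that end up calling at least one overridable method.
function countImplicitTriggers(report) {
  return Object.values(report).filter((c) => c.length > 0).length;
}
```

Only the direct property read avoids both methods; every conversion pattern reaches at least toString(), which is why leaving either method writable from another origin exposes the page.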

In order to gain access to the "file://" protocol, and hence to the entire
file-system, an attacker needs to know of an HTML file in the victim's file
system that actually makes a call to a method in the location object. Such a
file was included in virtually all Windows operating systems: it is named
"CiAdmin.htm" and it can be found at a very predictable path,
%SystemRoot%/Help/.


Exploit: 
========

To exploit this vulnerability an attacker can use a simple <iframe>,
pointing to the victim web-page, and inject the malicious code into its
window. Here's an oversimplified example: 


