Message-Id: <200811171816.mAHIGMCt021206@www3.securityfocus.com>
Date: Mon, 17 Nov 2008 11:16:22 -0700
From: send9@...seclabs.com
To: bugtraq@...urityfocus.com
Subject: Opera 9.6x file:// overflow

Hello all -

I don't have time for a fancy advisory format, but I did want to disclose an issue.

Sometime in early October (late September?), around the time Opera 9.6 was released, I noticed that you could get it to crash after supplying the file:// handler with ~16,500 characters. I played around with it, but having very little memory corruption skillz I wasn't able to do much with it. I did, however, contact Opera through their web submission form.

Opera 9.61 was released in late October and still no fix. I contacted Opera using the e-mail address provided by the web form to follow up on the bug. Opera 9.62 then came out and still nothing.

I contacted Guido Landi aka k`sOSe to take a look. We determined that the file:// handler cannot be invoked from the Internet, but it does work from a local HTML file. k`sOSe figured out that it was a heap overflow and was able to write a PoC for the bug: http://milw0rm.com/exploits/7135

Since Opera doesn't seem to care at all about this bug, I figured it was time to notify the public.

send9 <send9 [at] chiseclabs.com>
