lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <003201cb5500$bb992d10$c103fea9@ml>
Date: Wed, 15 Sep 2010 21:05:59 +0300
From: "MustLive" <mustlive@...security.com.ua>
To: "Juha-Matti Laurio" <juha-matti.laurio@...ti.fi>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: DLL Hijacking vulnerability in Opera

Hello Juha-Matti!

Thanks for mentioning about exploit of Nicolas Krassas for Opera.

I don't read such sites as exploit-db.com and secunia.com, but I read other
sites, such as securityvulns.ru (securityvulns.com). And at his
site (http://securityvulns.com/news/Microsoft/Windows/DLLHijacking.html)
3APA3A didn't mentioned about such vulnerability in Opera, but mentioned
about many other vulnerabilities, including in such browsers as Firefox,
Maxthon and QtWeb. It looks like he didn't see it (he's checking Bugtraq and
Full-Disclosure) or forgot to mentioned about it (and I waited a lot of
time, after first mentioning about DLL Hijacking, before I conducted my own
research of DLL Hijacking vulnerabilities in different browsers, to gave him
time to publish such exploit if there is such one).

So I was thinking that people forgot to check DLL Hijacking in Opera, so I
reminded about that it was also vulnerable. Besides Opera released update
only at 09.09.2010 (so for long time not showing that they were aware about
it) and they didn't mention in their official advisory about anyone who
informed them about this hole. I.e. they made a look that they found the
hole by themselves.

But there is large difference between my research and Nicolas' research. If
you'll attentively read, you'll find that besides first attack vector,
mentioned in first information about DLL Hijacking (and in many advisories
on this topic which were released later), I wrote about second attack
vector. And also I mentioned about version of Opera where developers
officially fixed the hole and the methods of bypass of this fix.

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua

----- Original Message ----- 
From: "Juha-Matti Laurio" <juha-matti.laurio@...ti.fi>
To: "MustLive" <mustlive@...security.com.ua>;
<full-disclosure@...ts.grok.org.uk>
Sent: Monday, September 13, 2010 6:43 PM
Subject: Re: [Full-disclosure] DLL Hijacking vulnerability in Opera


> It was reported on 24th August already
> http://www.exploit-db.com/exploits/14732/
>
> It takes only a few seconds to check it
> http://secunia.com/advisories/41083/
>
> Juha-Matti
>
> MustLive [mustlive@...security.com.ua] wrote:
>> Hello Full-Disclosure!
>>
>> I want to warn you about DLL Hijacking vulnerability in Opera. As I wrote
>> in
>> Saturday in my post DLL Hijacking in different browsers
>> (http://websecurity.com.ua/4522/), besides Mozilla Firefox (which was
>> fixed
>> in version 3.6.9) there is also vulnerable such browser as Opera.
>>
>> DLL Hijacking vulnerability in Opera allows to execute arbitrary code via
>> library dwmapi.dll. Attack will work in Opera on OS Windows. For attack
>> there can be used the same dwmapi.dll, as for Firefox (based on the
>> sources
>> of Glafkos Charalambous).
>>
>> When I informed Opera, I draw their attention as to the hole itself, as
>> to
>> possibility to attack version Opera 10.62 (which released recently),
>> where
>> this hole was fixed by developers.
>>
>> There are possible two variants of attack:
>>
>> 1. Attack will work at opening in browser the file of web page (htm,
>> html,
>> mht, mhtml) or other file, alongside with which there is file dwmapi.dll.
>>
>> 2. If file dwmapi.dll is placed at desktop or in any folder which is in
>> PATH, then code will work at every starting of the browser.
>>
>> >From second variant of attack it's clear, that in some applications
>> >(such as
>> Opera) it's possible to conduct DLL Hijacking attacks with other method,
>> then one which was mentioned in August. I.e. code will execute not only
>> at
>> placing of dll-file alongside with file designed for opening in
>> application,
>> but also if dll-file is placed at desktop or in any folder which is in
>> PATH.
>> And code can be executed even at starting of application (as in Opera),
>> without opening of any files.
>>
>> Vulnerable are Opera 10.61 and previous versions.
>>
>> As I checked in Opera 10.62, which released at 09.09.2010, this version
>> is
>> not vulnerable (to both variants of attack). Only if to place dll-file in
>> folder Opera or in System32, only then the code will work (so the attack
>> can
>> take place on systems with FAT32 or when attacker will be having
>> appropriate
>> rights on systems with NTFS).
>>
>> Best wishes & regards,
>> MustLive
>> Administrator of Websecurity web site
>> http://websecurity.com.ua


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ