[Opera 7/6] Long Filename Buffer Overflow Vulnerability in Download

From: nesumin (nesuminat_private)
Date: Tue Mar 11 2003 - 14:50:48 PST


    Hi, all.
    
    We release the information about a vulnerability in Opera here,
    and we hope that this vulnerability will be fixed by the vendor immediately.
    
           ___________________________________________________
    
    -----------------------------------------------------------------
     Synopsis:       [Opera 7/6] Long Filename Buffer Overflow
                     Vulnerability in Download
     Product:        Opera for Windows
     Version:        7.02 build 2668
                     7.02 bork build 2656b
                     7.01 build 2651
                     6.05 build 1140
     Vendor:         Opera Software ASA (http://www.opera.com/)
     Risk:           High. Arbitrary code execution
     Discovered By:  imagine (Operash webmaster)
     Reported By:    nesumin <nesuminat_private>
     Reported Date:  2003-03-06
     Published Date: 2003-03-10
    -----------------------------------------------------------------
    
    Product :
    
      Opera for Windows is a GUI-based web browser.
      It includes mail, news and IM clients.
    
      Opera Software ASA
      http://www.opera.com/
    
    
    Overview :
    
      Opera for Windows has a serious security hole.
    
      Opera does not check the length of the filename when it downloads a file.
      Therefore, if a file with a long filename is downloaded while Opera shows
      the "Download Dialog", a buffer overflow occurs on the stack.
    
      The overflow can overwrite the saved return (RET) address on the stack,
      which makes it possible to execute arbitrary code.
    
      If an Opera user downloads a file whose long filename carries malicious
      code, this vulnerability would allow the attacker to infect the user's
      computer with a virus, destroy data, etc.
    
    
    Tested on :
    
      Opera
        Opera 7.02 build 2668
        Opera 7.02 bork build 2656b
        Opera 7.01 build 2651
        Opera 6.05 build 1140
    
        English edition and Japanese edition.
    
      Platform
        Windows 98SE JP
        Windows 2000 Pro SP3 JP
        Windows XP Home SP1 JP
    
    
    Vulnerable (tested) :
    
      Opera 7.02 build 2668
      Opera 7.02 bork build 2656b
      Opera 7.01 build 2651
      Opera 6.05 build 1140
    
    
    Not vulnerable (tested) :
    
      None
    
    
    Vendor status :
    
      Reported to the vendor on 2003/03/06.
      The vendor said that this issue would be fixed in the next version, due out very soon.
    
    
    Details :
    
      * Reproduce
    
        Step 1. The browser requests the file.
        Step 2. The server responds.
        Step 3. Opera tries to display the download dialog.
        Step 4. A buffer overflow occurs if the file has a long filename.
    
    
      Opera does not check the length of the name of a file to download.
    
      When Opera requests a file and the server returns a response,
      the "Download Dialog" is displayed depending on the contents of
      the response or the file extension.
    
      Opera then writes a temporary filename, used for checking the file type,
      into a buffer on the stack. This temporary filename is built from
      the temporary directory name given by the user's environment variable
      and from the download filename.
      (The filename is converted into 16-bit wide characters.)
    
      Because the length of the filename is not checked there, a buffer
      overflow occurs on the stack when a filename longer than the buffer
      is supplied.
    
      The RET address is stored in the 4-byte area at offset 214H from the
      start of the buffer. The offset from the filename or the file extension
      depends on the length of the temporary directory name, because the
      temporary directory name sits at the top of the buffer.
    
      When the overwritten RET address is used, the ESP register points at
      the next RET address.
    
      Therefore, it is possible to execute arbitrary code by overwriting the
      RET address with the address of a "jmp ESP" op-code and placing the
      code at the next RET address.
    
    
      It could be easy to execute arbitrary malicious code if the attacker
      specifies the filename through an "Inline Frame", "Frame", "Link",
      "Script" or similar.
    
      It is slightly more difficult to execute arbitrary code if the filename
      is specified by metadata such as the "Content-Disposition" header,
      because the filename is then converted into wide characters using the
      "System Locale".
    
      Even in this case it is by no means safe, because the stack corruption
      (such as the RET address being overwritten by the buffer overflow)
      cannot be prevented.
    
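      The following is an added illustration, not code from the advisory or from Opera:
      the unchecked temp-path construction described above, beside a length-checked form
      that refuses the name before anything is copied. The 0x214-byte buffer size, the
      directory C:\TEMP and the function names are assumptions for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for the fixed stack buffer the advisory describes:
 * the saved RET address lies 0x214 bytes past the start of the buffer, so
 * the buffer is modelled here as 0x214 bytes = 266 UTF-16 code units. */
#define TMP_PATH_UNITS (0x214 / 2)

/* Vulnerable pattern (constructed, not Opera's code): temp directory and
 * download filename are widened into a fixed stack buffer with no length
 * check, so a long filename runs past path[] towards the saved RET. */
void build_tmp_path_unchecked(const char *tmpdir, const char *fname)
{
    uint16_t path[TMP_PATH_UNITS];
    size_t n = 0;
    for (const char *p = tmpdir; *p; p++) path[n++] = (unsigned char)*p;
    path[n++] = '\\';
    for (const char *p = fname; *p; p++) path[n++] = (unsigned char)*p; /* overflow */
    path[n] = 0;
}

/* Hardened form: the widened length is computed before anything is copied
 * and the name is refused when directory + '\' + name + NUL would not fit.
 * Bytes are zero-extended to UTF-16 (the real code converts via the system
 * locale, which does not change the bound). Returns units written, or -1. */
int build_tmp_path_checked(const char *tmpdir, const char *fname,
                           uint16_t *out, size_t out_units)
{
    size_t dlen = strlen(tmpdir), flen = strlen(fname), n = 0;
    if (dlen + 1 + flen + 1 > out_units)
        return -1;
    for (size_t i = 0; i < dlen; i++) out[n++] = (unsigned char)tmpdir[i];
    out[n++] = '\\';
    for (size_t i = 0; i < flen; i++) out[n++] = (unsigned char)fname[i];
    out[n] = 0;
    return (int)n;
}

int main(void)
{
    uint16_t path[TMP_PATH_UNITS];
    char longname[600];                       /* constructed 599-char name */
    memset(longname, 'A', sizeof longname - 1);
    longname[sizeof longname - 1] = '\0';
    printf("%d\n", build_tmp_path_checked("C:\\TEMP", "report.pdf", path, TMP_PATH_UNITS));
    printf("%d\n", build_tmp_path_checked("C:\\TEMP", longname, path, TMP_PATH_UNITS));
    return 0;
}
```

      The checked form accepts "report.pdf" (18 units written) and rejects the
      599-character name, which the unchecked form would have copied over the saved RET.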
    
      * Opera 7
    
        [Windows 2000, Windows XP]
    
          There is an area that is referenced after the overwrite:
          the 4-byte area at offset 04H after the 4-byte area following the RET address.
    
        [Windows 9x]
    
          There are areas that are referenced after the overwrite:
          the 4-byte area at offset 04H after the 4-byte area following the RET address,
          and the area from offset 2CH onwards.
          The heap contains a copy of the downloaded filename; the address at
          ESP+54H points to the head of that copy.
    
      * Opera 6
    
        If the filename includes ".",
        the offset of the RET address is counted from the character after the last ".".
    
        If "Encode all addresses with UTF-8" or "Determine action by MIME type" is
        disabled, executing code could be difficult because the filename is
        converted into wide characters without "URL decode".
    
        Even in this case it is by no means safe, because the stack corruption
        (such as the RET address being overwritten by the buffer overflow)
        cannot be prevented.
    
        [Windows 2000, Windows XP]
    
          There is an area that is referenced after the overwrite:
          the 4-byte area at offset 04H after the 4-byte area following the RET address.
    
        [Windows 9x]
    
          The offset to the RET address is 244H bytes.
    
    
      The "Exception" can be avoided by supplying a writable address value
      where the area after the RET|4 bytes|4 bytes region is referenced.
    
    
    Sample Code : (attached file)
    
      dlfnbof.pl
    
      This sample is a small HTTP server that returns HTML with exploit
      code which launches Internet Explorer through this vulnerability.
      It is written in Perl and was checked on ActivePerl 5.6.x for Windows.
    
      * This source code is just a sample for checking this vulnerability.
      * We take no responsibility for any kind of damage caused
        by using this code.
    
    
    Special thanks :
    
      :: Operash ::
      [ Unofficial Opera bug and security information site for Japanese users ]
    
      imagine (Operash webmaster)
      melorin
      piso (sexy)
    
    
    Contacts, Etc :
    
      nesumin <nesuminat_private>
    
      We cannot guarantee the accuracy of all statements in this information,
      but all of the facts have been checked to the best of our ability.
      We do not anticipate issuing updated versions of this information
      unless there is some material change in the facts.
      Should there be a significant change in the facts,
      we may update this information. We take no responsibility for
      any kind of damage caused by using this information.
    
           ___________________________________________________
    
    
    
    --------------------------------------------------
    nesumin <nesuminat_private>
    
    
    
    




    This archive was generated by hypermail 2b30 : Tue Mar 11 2003 - 15:28:34 PST