Re: Opera Browser goes Crash

From: Aaron Lafferty (laffertyat_private)
Date: Tue Oct 23 2001 - 08:43:18 PDT

  • Next message: Greg Wirth: "Re: Opera Browser goes Crash"

    I can confirm this on Opera 5.11 build 904 running on windows 2000 sp2
    w/ all critical fixes.
    
    
    ----- Original Message -----
    From: "Holmes, Ben" <Ben.Holmesat_private>
    To: "Vuln-Dev (E-mail)" <vuln-devat_private>
    Sent: Tuesday, October 23, 2001 4:53 AM
    Subject: Opera Browser goes Crash
    
    
    >
    >
    > I usually use Opera browser (it truly is a fast browser), and it just
    > closed when I went to a link...
    >
    > The link was "http://www.malware.com/hello.html"
    >
    > In Netscape, it is supposed to play a sound file...
    >
    > In I.E it just comes up and allows to view source.
    >
    > The source is basically a small JavaScript part (and that should work
    > fine), but the other part is a large embedded sound file.. it is in this form:
    >
    > '<embed src="data:audio/wav;base64,[Base 64 data of a sound file]"
    > autostart=true width=0 height=0 loop=true>' tag.
    >
    > It didn't seem to give an error message or anything.. if it was overflowing
    > a buffer I'd usually expect that it would generate a windows error message
    > when it gets random junk like this...  But it just closes.. completely and
    > gracefully... but it closes nevertheless..
    >
    > I am thinking:
    >
    > A> It is a configuration problem on this PC... It decodes the Base 64 (or
    > goes to) but some plug in or system it uses to play the file or decode it
    > that is possibly specific to this PC dies.
    >
    > B> The length of the embed tag is too long and overflows an internal buffer
    > and jumps right to a close (either graciously, or by super good error
    > checking routines)...  Or something else happens that makes windows not
    > notice that a program is doing wierd_funky_things (tm)
    >
    > C> The "embed" tag is touchy and its implementation is bad, this doesn't
    > seem the case though, because if I make the [Base 64 data of a sound file]
    > part much smaller, it just does the same as IE does.
    >
    > If it is "B"... is it exploitable in the form:
    >
    > '<embed src="data:audio/wav;base64,[Nasty code][Padding][address of a jmp
    > esp]" autostart=true width=0 height=0 loop=true>'
    >
    > or some other such thing, that would cause "Nasty Code" to be run in the
    > Opera process.
    >
    > Does it happen on anyone else's computer that runs Opera... or is this
    > little currently Opera specific DoS also "this computer" specific...
    >
    > - -- Benjamin Holmes
    >
    > E&OE. All spelling and grammatical errors are for your enjoyment and
    > entertainment only and are copyright Benjamin Holmes.
    >
    
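As an added example (not code from either poster), here is a small Python triage script written from the defender's side: it pulls base64 `data:` URIs out of `<embed>` tags in a page shaped like the one Ben describes, checks whether the base64 decodes and whether the bytes carry a RIFF/WAVE header, and flags payloads whose decoded size exceeds a threshold, which is what a content filter or someone measuring how large an embed the browser tolerates would want to know. The sample HTML, the threshold and the `make_wav` helper are constructed here for illustration.

```python
import base64
import binascii
import re
import struct

# Matches the src attribute of <embed> tags carrying a base64 data: URI.
EMBED_DATA_RE = re.compile(
    r'<embed\b[^>]*?\bsrc\s*=\s*["\']data:([^;"\']+);base64,([^"\']*)["\']',
    re.IGNORECASE | re.DOTALL,
)

def inspect_embeds(html, max_decoded_bytes=1_000_000):
    """One dict per base64 data: URI in an <embed>: MIME type, encoded and
    decoded sizes, base64 validity, RIFF/WAVE header check, size flag."""
    results = []
    for mime, payload in EMBED_DATA_RE.findall(html):
        payload = re.sub(r"\s+", "", payload)  # base64 may be line-wrapped
        entry = {"mime": mime.lower(), "encoded_len": len(payload)}
        try:
            raw = base64.b64decode(payload, validate=True)
            entry["valid_base64"] = True
        except binascii.Error:
            raw = b""
            entry["valid_base64"] = False
        entry["decoded_len"] = len(raw)
        entry["is_wav"] = len(raw) >= 12 and raw[:4] == b"RIFF" and raw[8:12] == b"WAVE"
        entry["oversized"] = len(raw) > max_decoded_bytes
        results.append(entry)
    return results

def make_wav(n_samples):
    """Build a minimal 8-bit mono 8 kHz PCM WAV (constructed test data)."""
    data = bytes(n_samples)
    hdr = b"RIFF" + struct.pack("<I", 36 + len(data)) + b"WAVE"
    hdr += b"fmt " + struct.pack("<IHHIIHH", 16, 1, 1, 8000, 8000, 1, 8)
    hdr += b"data" + struct.pack("<I", len(data))
    return hdr + data

# Constructed sample page in the shape of the one described in the report:
# a small script, one large valid WAV embed and one embed whose base64 is broken.
SAMPLE_HTML = (
    '<html><body><script>/* small script */</script>'
    '<embed src="data:audio/wav;base64,%s" autostart=true width=0 height=0 loop=true>'
    '<embed src="data:audio/wav;base64,not*valid*base64" autostart=true>'
    '</body></html>' % base64.b64encode(make_wav(2000)).decode()
)

if __name__ == "__main__":
    for r in inspect_embeds(SAMPLE_HTML, max_decoded_bytes=1000):
        print(r)
```

With the threshold set to 1000 bytes the first embed is reported as a valid WAV that is oversized and the second as invalid base64 with a decoded length of 0.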



    This archive was generated by hypermail 2b30 : Tue Oct 23 2001 - 09:01:47 PDT