I can confirm this on Opera 5.11 build 904 running on windows 2000 sp2 w/ all critical fixes. ----- Original Message ----- From: "Holmes, Ben" <Ben.Holmesat_private> To: "Vuln-Dev (E-mail)" <vuln-devat_private> Sent: Tuesday, October 23, 2001 4:53 AM Subject: Opera Browser goes Crash > > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > I usually use Opera browser (it truly is a fast browser), and it just closed > when I went to a link... > > The link was "http://www.malware.com/hello.html" > > In Netscape, it is supposed to play a sound file... > > In I.E it just comes up and allows to view source. > > The source is basically a small JavaScript part (and that should work fine), > but the other part is a large embedded sound file.. it is in this form: > > '<embed src="data:audio/wav;base64,[Base 64 data of a sound file]" > autostart=true width=0 height=0 loop=true>' tag. > > It didn't seem to give an error message or anything.. if it was overflowing > a buffer I'd usually expect that it would generate a windows error message > when it gets random junk like this... But it just closes.. completely and > gracefully... but it closes nevertheless.. > > I am thinking: > > A> It is a configuration problem on this PC... It decodes the Base 64 (or > goes to) but some plug in or system it uses to play the file or decode it > that is possibly specific to this PC dies. > > B> The length of the embed tag is too long and overflows an internal buffer > and jumps right to a close (either graciously, or by super good error > checking routines)... Or something else happens that makes windows not > notice that a program is doing wierd_funky_things (tm) > > C> The "embed" tag is touchy and its implementation is bad, this doesn't > seem the case though, because if I make the [Base 64 data of a sound file] > part much smaller, it just does the same as IE does. > > If it is "B"... is it exploitable in the form: > > '<embed src="data:audio/wav;base64,[Nasty code][Padding][address of a jmp > esp]" autostart=true width=0 height=0 loop=true>' > > or some other such thing, that would cause "Nasty Code" to be run in the > Opera process. > > Does it happen on anyone else's computer that runs Opera... or is this > little currently Opera specific DoS also "this computer" specific... > > - -- Benjamin Holmes > > E&OE. All spelling and grammatical errors are for your enjoyment and > entertainment only and are copyright Benjamin Holmes. > > -----BEGIN PGP SIGNATURE----- > Version: PGPfreeware 7.0.3 for non-commercial use <http://www.pgp.com> > Comment: Pee Gee Peeeeee! > > iQA/AwUBO9Uv/HLvuelW5gClEQLO5wCg+K5tXdKdWAiaEBj71BiYnks964wAoJP5 > VvPSGdUiC5c8kZ8/yhA5DZ06 > =XF0I > -----END PGP SIGNATURE----- >
This archive was generated by hypermail 2b30 : Tue Oct 23 2001 - 09:01:47 PDT