SecurityTracker.com
Category:   Application (Web Browser)  >   Opera
Vendors:   Opera Software
Opera Web Browser May Execute Files Selected for Download Instead of Prompting the User for Approval
SecurityTracker Alert ID:  1001400
SecurityTracker URL:  http://securitytracker.com/id/1001400
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Apr 23 2001
Impact:   Execution of arbitrary code via local system

Version(s): 5.02
Description:   A vulnerability has been reported in the Opera 5.02 web browser on Windows 98. The browser may, in certain situations, automatically execute certain files selected for download.

It is reported that the vulnerability applies to Opera 5.02 Build 856a (with no Java Runtime Environment installed) on Windows 98. If a file name ending with a ".exe" extension is downloaded, the browser will issue a security warning box asking the user to "open or save." If the user selects "open", the file will be opened with the default application associated with *.exe files. After that, all links that contain a file to be downloaded [presumably with *.exe file names] will reportedly be automatically opened by the browser without any input from the user.

The report also indicates that a file containing certain JavaScript code can cause the browser to crash (see the source message for details on this aspect of the vulnerability).

Impact:   An executable file selected for download may be automatically executed by the browser without the browser asking the user for confirmation.
Solution:   The report notes that a more recent release of Opera (5.10 Build 902) is not vulnerable. [Editor's note: The current version is 5.11.]
Vendor URL:  www.opera.com
Cause:   State error
Underlying OS:  Windows (98)

Message History:   None.
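
The state error named under "Cause" can be modelled as below. This is an added example, not code from Opera or from the original report; the handler classes, the action constants, the always-prompt extension set and the sample URLs are assumptions made for illustration.

```python
# Added illustration: a simplified model of the state error, not Opera's code.
# All names here (FlawedHandler, FixedHandler, ALWAYS_PROMPT) are hypothetical.
from pathlib import PurePosixPath
from urllib.parse import urlparse

PROMPT = "show download dialog"
OPEN = "open with default application"
ALWAYS_PROMPT = {".exe", ".com", ".bat", ".scr"}  # assumed high-risk types


def extension(url):
    """Lower-cased extension of the URL path, ignoring query and fragment."""
    return PurePosixPath(urlparse(url).path).suffix.lower()


class FlawedHandler:
    """Writes the user's one-time answer back into the persistent table."""

    def __init__(self):
        self.assoc = {".exe": PROMPT}  # per-type action, survives downloads

    def download(self, url, user_choice=None):
        ext = extension(url)
        action = self.assoc.get(ext, PROMPT)
        if action == PROMPT:
            if user_choice is None:
                return "blocked: waiting for user"
            self.assoc[ext] = user_choice  # BUG: choice outlives this download
            action = user_choice
        return f"{action}: {url}"


class FixedHandler(FlawedHandler):
    """The answer covers one download; risky types can never leave PROMPT."""

    def download(self, url, user_choice=None):
        ext = extension(url)
        # Executable types ignore whatever the association table says.
        action = PROMPT if ext in ALWAYS_PROMPT else self.assoc.get(ext, PROMPT)
        if action == PROMPT:
            if user_choice is None:
                return "blocked: waiting for user"
            action = user_choice  # used once, never stored
        return f"{action}: {url}"
```

With the flawed handler, one "open" answer for an installer from a trusted site is enough for a later *.exe link from any other site to run with no dialog; the fixed handler returns to the dialog every time.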


 Source Message Contents

Subject:  AGAIN: Tested on Windows 98 with 'free' Opera 5.02 Build 856a (No


 Thursday, 19 April, 2001

There is an interesting oddity with the 'free' Opera 5.02 Build 856a (No
Java Runtime Environment installed) on Windows 98 with downloading files. In
particular *.exe. While the array of file type associations and instructions
what to do with them is wide, the instruction set for *.exe simply does not
stick.

Normally when executing a file download, the security warning box is invoked
asking whether you wish to 'open or save' -- this is default. Also, as it
should be, the ability to uncheck-mark the security warning box is greyed
out.

However if you select open, the file association settings seem to
automatically register 'open with default application' instead of reverting
to 'show download dialog'. Naturally, thereafter any file download is
automatically opened.

Simply put:

http://opera.online.no/win/ow32enen510.exe

will (should) invoke the security warning download dialog

(screen shot: http://www.malware.com/foopera.jpg 31KB)

But because we intend to install from the trusted source, we select 'open
file' in order to install, thereafter the file association settings seem to
register themselves to always 'open with default application' for an *.exe

and naturally when we go to:

[working example: harmless *.exe automatically launched]

http://www.malware.com/fauxpera.html simply viewing the page or clicking on
the link automatically runs our *.exe

Once again: test vehicle 'free' Opera 5.02 Build 856a (No Java Runtime
Environment installed) on Windows 98

Additionally we can crash it extremely hard with simple, yet unorthodox
JavaScripting squeezed into a shockwave file:

custom create a shockwave file (*.swf), select the interactive text or
button and force into the href field:

javascript:document.location="*.xbm?<script>alert()</script> simply add <img
src="malware.xbm">  -- what happens is Opera locates the *.xbm (we use an
obscure file to ensure no others are likely to be in the cache) and views it
automatically from the cache (note: without the need for a name):

(screen shot: http://www.malware.com/bar.jpg 25KB)

and the simple alert() then tries to fire from within the cache resulting
in:

OPERA caused an invalid page fault in
module OPERA.EXE at 015f:004e2b1a.

IMPORTANT NOTES:

1. Tested on Windows 98 with 'free' Opera 5.02 Build 856a (No Java Runtime
Environment installed)
2. In the 10 days from today's date since the download and installation of
the 'free' Opera 5.02 Build 856a (No Java Runtime Environment installed),
the manufacturer http://www.opera.com has since come out with a newer
version: Opera 5.10 Build 902 which doesn't appear to be affected at all.
3. There also doesn't appear to be any mention of the above findings
anywhere for 'free' Opera 5.02 Build 856a (No Java Runtime Environment
installed) on Windows 98
4. Suggest to test your version/configuration and upgrade if affected
5. This all may very well be a unique combination system configuration
problem


One More Time: Tested on Windows 98 with 'free' Opera 5.02 Build 856a (No
Java Runtime Environment installed)


---
http://www.malware.com











Copyright 2021, SecurityGlobal.net LLC