SecurityTracker.com
SecurityTracker Archives

Category:   Application (Web Browser)  >   Opera Vendors:   Opera Software
Opera Web Browser Multiple Flaws Disclose Private Information and Let Remote Users Access Local Files and Directories
SecurityTracker Alert ID:  1006044
SecurityTracker URL:  http://securitytracker.com/id/1006044
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Feb 5 2003
Impact:   Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network
Exploit Included:  Yes  
Version(s): 7.00
Description:   Several vulnerabilities were reported in the Opera web browser. A remote user can create HTML that, when loaded, can access arbitrary files and directories on the target user's system. A remote user can obtain some browser history details.

GreyMagic Software issued five separate advisories regarding version 7 of the Opera web browser.

In advisory GM#002-OP, it is reported that version 7 of the Opera web browser implements a "caller-based" domain security policy instead of the origin-based model used in other browsers. That model reportedly contains several flaws: code from one domain can access and execute functions in other domains (the function runs with the caller's domain credentials rather than those of its originating domain), and code can override native and user-defined properties and methods in other windows.

A remote user can create code that will modify native methods in a target window to contain malicious code. Then, when the modified target method is later executed, the malicious code will be executed with the privileges of the target user.

By exploiting these flaws, a remote user can attack a document that uses scripting (including local documents such as 'file://' resources). A remote user can read arbitrary files and directories on the system.

Some proof-of-concept demonstrations are available at:

http://www.greymagic.com/adv/gm002-op/vmSimple.asp
http://www.greymagic.com/adv/gm002-op/vmExp.asp


In advisory GM#003-OP, some flaws were reported in the Opera Javascript console. The console file "console.html" lets any page display a custom message using the "opera.postError" method, and the method reportedly does not properly filter that user-supplied input. When the console turns URL-like text in the message into clickable links, a remote user can include quote characters that inject additional attributes into the generated link (for example a "style" attribute whose background-image is a 'javascript:' URL). Because the console itself is loaded via the 'file://' protocol, the injected script runs with access to that protocol. This allows the remote user to view arbitrary files and directories on the target user's system.

A demonstration exploit is provided:

open("file://localhost/console.html","","");
opera.postError("http://\"style=\"background-image:url('javascript:alert(location.href)')\"");

Some additional demonstration exploits are available at:

http://www.greymagic.com/adv/gm003-op/phSimple.asp
http://www.greymagic.com/adv/gm003-op/phExp.asp


In advisory GM#004-OP, it was reported that the browser does not properly filter user-supplied input when displaying images. A remote user can supply a 'file://' URL with specially crafted HTML code to cause arbitrary code to be executed on the target user's system when the URL is loaded.

Furthermore, Opera treats "file://localhost/" as an alias for its own installation directory. A remote user can therefore reference one of the images Opera ships by default (e.g., file://localhost/images/file.gif) without guessing a local path, and use it to conduct cross-site scripting attacks in the 'file://' context and read arbitrary files and directories on the target user's system.

Some demonstration exploit code is provided:

open("file://localhost/images/file.gif?\"><script>alert(location.href);</script>","","");

Some proof-of-concept demonstrations are available at:

http://www.greymagic.com/adv/gm004-op/oiSimple.asp
http://www.greymagic.com/adv/gm004-op/oiExp.asp


In advisory GM#005-OP, it was reported that the browser exposes two properties on the 'history' object, "previous" and "next", that let a remote web page read the URLs the target user visited immediately before and after the current page, regardless of whether those URLs belong to that web site. A demonstration exploit is provided:

alert("Last URL: "+history.previous+".\nNext URL: "+history.next+".");


In advisory GM#006-OP, it was reported that several methods in the "console.html" component of the Opera Javascript console allow a remote user to obtain a list of URLs that the target user visited that generated Javascript exceptions. The affected methods are opera.errorIndex() and opera.errorMessage(i).

Some demonstration exploit code to generate a list of visited URLs is provided:

var sMsg,
    sFinal="",
    iLen=opera.errorIndex();

for (var iErr=0;iErr<iLen;iErr++) {
    sMsg=opera.errorMessage(iErr);
    if (sMsg && /(https?:\/\/\S+)/i.test(sMsg)) sFinal+=RegExp.$1+"\n";
}
alert(sFinal);

GreyMagic credits Tom Gilder with assisting in the research of some of these vulnerabilities.

The vendor has reportedly been notified.

The following is a list of the advisory titles:

GM#002-OP: Opera's Security Model is Highly Vulnerable:
http://www.greymagic.com/adv/gm002-op/

GM#003-OP: Phantom of the Opera:
http://www.greymagic.com/adv/gm003-op/

GM#004-OP: Opera Images:
http://www.greymagic.com/adv/gm004-op/

GM#005-OP: Opera: What's Next:
http://www.greymagic.com/adv/gm005-op/

GM#006-OP: Sniffing Opera's Tracks:
http://www.greymagic.com/adv/gm006-op/

[Editor's note: Some of these flaws may have been previously reported or alluded to in our Alert #1005634 in November 2002. However, that previous report was short on details, so we are issuing a new alert covering these GreyMagic advisories.]

Impact:   A remote user can create specially crafted HTML that, when loaded by the target user, will execute arbitrary Javascript to access files and directories on the target user's system or access information about certain previously browsed URLs.
Solution:   The author of the report indicates that, as a temporary workaround to some of the flaws, users can disable Javascript (unchecking "Enable JavaScript" in File -> Preferences -> Multimedia).

Some of the "console.html" flaws can reportedly be solved with the following steps:

* Edit the file "console.html", which resides in Opera's installation directory.

* Line 52 should read: m.replace( /\\/g, "\\\\" ) +

* Replace it with: m.replace( /\\/g, "\\\\" ).replace(/"/g,"&quot;") +
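The "console.html" formatting chain that GM#003-OP quotes, and the one-line fix in the steps above, come down to a single rule: text placed inside an HTML attribute must not be able to emit the attribute's delimiter. The following is an added example, not GreyMagic's advisory code and not Opera's console.html source. It models the quoted formatting chain beside a hardened version that escapes the double quote (and the ampersand) before the URL regexes run, and adds a small attribute extractor showing that a parser sees an extra "style" attribute only in the vulnerable output. The createLink stand-in for Opera's create_link, the function names and the benign sample message are assumptions; the two payload strings are the ones the advisory shows.

```javascript
// Added example (not GreyMagic's advisory code, not Opera's console.html):
// the console's link-formatting step as quoted in GM#003-OP, beside a hardened
// version, plus an attribute extractor used to compare the two outputs.

// Assumed stand-in for the console's create_link callback, whose real body is
// not on the page: wraps the matched URL in an anchor.
function createLink(url) {
  return '<a href="' + url + '">' + url + '</a>';
}

// Formatting chain as quoted from console.html: < and > are escaped, but the
// double quote that delimits href is left alone, so a matched "URL" can close
// the href attribute and start new ones.
function formatMessageVulnerable(msg) {
  return msg.replace(/</g, "&lt;")
            .replace(/>/g, "&gt;")
            .replace(/https?:\/\/\S+/g, createLink)
            .replace(/file:\/\/(?:\S|(?:[ ](?=[^\n\r]*\.)))+/g, createLink);
}

// Hardened variant: escape &, <, > and " before any link is built. Nothing in
// the message can then terminate the href attribute, so whatever the URL
// regexes swallow stays inside one attribute value.
function formatMessageHardened(msg) {
  return msg.replace(/&/g, "&amp;")
            .replace(/</g, "&lt;")
            .replace(/>/g, "&gt;")
            .replace(/"/g, "&quot;")
            .replace(/https?:\/\/\S+/g, createLink)
            .replace(/file:\/\/(?:\S|(?:[ ](?=[^\n\r]*\.)))+/g, createLink);
}

// Attribute names a parser would see on the first <a> tag, reading
// name="value" pairs with no whitespace required between them (the point the
// advisory makes about attribute separation).
function anchorAttributeNames(html) {
  const tag = /<a\s([^>]*)>/.exec(html);
  if (!tag) return [];
  const names = [];
  const attr = /([A-Za-z-]+)="([^"]*)"/g;
  let m;
  while ((m = attr.exec(tag[1])) !== null) names.push(m[1]);
  return names;
}

// Constructed sample messages: the two payload shapes shown in GM#003-OP and
// a benign message of the kind the console normally formats.
const SAMPLE_HTTP_PAYLOAD =
  'http://"style="background-image:url(\'javascript:alert(location.href)\')"';
const SAMPLE_FILE_PAYLOAD =
  'file://" style="background-image:url(\'javascript:alert(location.href)\')".';
const SAMPLE_BENIGN = 'Uncaught exception at http://example.com/page.html line 3';

// Attribute names produced by each formatter for one message.
function compare(msg) {
  return {
    vulnerable: anchorAttributeNames(formatMessageVulnerable(msg)),
    hardened: anchorAttributeNames(formatMessageHardened(msg)),
  };
}

console.log(compare(SAMPLE_HTTP_PAYLOAD)); // vulnerable: href,style  hardened: href
console.log(compare(SAMPLE_FILE_PAYLOAD)); // vulnerable: href,style  hardened: href
console.log(compare(SAMPLE_BENIGN));       // both: href
```

The hardened chain escapes before linking rather than after, which is the same ordering the advisory's fix relies on: once every quote in the message is an entity, the greedy \S+ in the URL regex can only ever extend the href value, never leave it. The benign message still becomes a normal link in both versions, so the change costs no functionality.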

Vendor URL:  www.opera.com/
Cause:   Access control error, Input validation error
Underlying OS:  BeOS, Linux (Any), Apple (Legacy "classic" Mac), QNX, UNIX (FreeBSD), UNIX (macOS/OS X), UNIX (Solaris - SunOS), Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  multiple Opera security flaws


GreyMagic released several advisories regarding the Opera web browser (version 7).

The following is a list of the advisory titles:

GM#002-OP: Opera's Security Model is Highly Vulnerable.
GM#003-OP: Phantom of the Opera.
GM#004-OP: Opera Images.
GM#005-OP: Opera: What's Next.
GM#006-OP: Sniffing Opera's Tracks. 

Each of the advisories is listed below, reproduced in unmodified form with permission from
GreyMagic.  The material below is copyright by GreyMagic Software.


---------------------------------------------------------

http://www.greymagic.com/adv/gm002-op/

GreyMagic Security Advisory GM#002-OP

By GreyMagic Software, Israel.
04 Feb 2003.

Topic: Opera's Security Model is Highly Vulnerable.

Discovery date: 14 Nov 2002.

Affected applications:

Opera 7 (final).

Introduction:

Opera recently released a new version of its browser.

Version 7 brings many long-awaited features such as proper DOM support and an improved rendering
engine. However, Opera seems to have neglected one of the most important aspects in any browser
today, its default cross-domain security model.

Discussion:

All browsers with Javascript support deploy a cross-domain security model, which, in essence,
attempts to prevent documents from one domain from accessing other documents in different domains.

Opera 7 deployed a fundamentally different approach to cross-domain security, a caller-based model,
rather than the origin-based model deployed in other browsers. The vulnerability is comprised of
three different flaws in that model:

    * Functions in different domains can be accessed and executed.
    * Functions are being executed under the caller's domain credentials and not in their
originating domain.
    * It is possible to override properties and methods (both native and user-defined) in other
windows.

The first flaw means that a window in one domain is able to execute functions in a window that's in
a different domain. This flaw in itself is not a big threat because of the second flaw, which means
that even if a function in the victim window is executed, it is executed with the attacker's
credentials, and therefore unable to access the victim's document.

The second flaw means that if the attacker can get the victim to execute a function, it will run
under the victim's credentials. And because of the first flaw, the victim will have no problems
accessing a malicious function created by the attacker.

The third, and most devastating flaw means that the attacker is able to trojanize native methods in
the victim window with his own code and simply wait for the victim to execute it.

With these three flaws combined, it becomes extremely easy to exploit any document that uses some
scripting, including local resources in the file:// protocol. Being able to access local resources
in Opera means that the attacker would be able to:

    * Read any file on the user's file system.
    * Read the contents of directories on the user's file system.
    * Read emails written or received by M2, Opera's mail program.
    * And more...

Exploit:

A perfect candidate for exploitation is Opera's own Javascript console, which arrives in the form of
three separate files in Opera's installation directory.

The file "console.html" makes a very early call to the native method "setInterval", which can be
overridden by an attacking window. This scenario does not require any user interaction.

<script language="jscript">
var oWin=open("file://localhost/console.html","","");
oWin.setInterval=function () {
    alert("Access to local resource achieved: "+oWin.document.location.href);
}
</script>

The "file://localhost/" URL appearing in this sample is a convenient method provided by Opera in
order to access the selected directory (Opera's home by default).

Demonstration:

We put together two proof-of-concept demonstrations:

    * Simple (http://www.greymagic.com/adv/gm002-op/vmSimple.asp): Reads cookies from a few
well-known sites and demonstrates access to a local resource.
    * GreyMagic Opera Disk Explorer (http://www.greymagic.com/adv/gm002-op/vmExp.asp): Browse your
entire file system using this explorer-like tool, which takes advantage of this vulnerability in
order to access local resources.

Solution:

Opera was notified of a variation of this issue on 14-Nov-2002, but apparently failed to understand
the core issues and only patched one symptom of the problem (it was possible for foreign windows to
simply set event handlers in Beta 1).

In the meantime, until a patch becomes available, disable Javascript by going to: File ->
Preferences -> Multimedia, and uncheck the "Enable JavaScript" item.

Credits:

Many thanks to Tom Gilder for his excellent help in researching this vulnerability.

Tested on:

Opera 7 NT4.
Opera 7 Win98.
Opera 7 Win2000.
Opera 7 WinXP.

Disclaimer:

The information in this advisory and any of its demonstrations is provided "as is" without warranty
of any kind.

GreyMagic Software is not liable for any direct or indirect damages caused as a result of using the
information or demonstrations provided in any part of this advisory.

Feedback:

Please mail any questions or comments to security@greymagic.com. 

---------------------------------------------------------

http://www.greymagic.com/adv/gm003-op/

GreyMagic Security Advisory GM#003-OP

By GreyMagic Software, Israel.
04 Feb 2003.

Topic: Phantom of the Opera.

Discovery date: 29 Jan 2003.

Affected applications:

Opera 7 (final).

Introduction:

Opera recently released a new version of its browser.

Version 7 brings many long-awaited features such as proper DOM support and an improved rendering
engine. Among the useful new features Opera added a shiny new Javascript console. The console is
mainly used by developers in order to efficiently track down exceptions in running scripts.

Discussion:

Opera's Javascript console is using three html files residing in Opera's installation directory. The
most important of them is "console.html", which contains all the logic behind the console.

The console lists unhandled exceptions that are thrown during the life of a session. Javascript can
throw custom exceptions using the "throw" statement and Opera also adds its own way to create debug
messages with the "opera.postError" method.

In order to display clickable URLs properly, Opera does some formatting on the thrown exception
message to turn them into links:

newmsg = msg.replace( /</g, "&lt;" ).
            replace( />/g, "&gt;" ).
            replace( /https?:\/\/\S+/g, create_link ).
            replace( /file:\/\/(?:\S|(?:[ ](?=[^\n\r]*\.)))+/g, create_link );

The first two lines supposedly handle the safety of this string, so it wouldn't contain HTML. The
last two lines are meant to transform strings that appear like URLs into actual links.
Unfortunately, each of these last two lines contains an obvious way for an attacker to inject his
own attributes into the link. By doing so, the attacker can gain access to the file:// protocol,
which, among others, has the following implications:

    * Read any file on the user's file system.
    * Read the contents of directories on the user's file system.
    * Read emails written or received by M2, Opera's mail program.

The first vulnerable regular expression is /https?:\/\/\S+/g; it tries to match anything starting
with "http://" or "https://" and keeps consuming characters as long as they aren't whitespace. This
regular expression does not check for the existence of quotes, which are the delimiters of the
"href" attribute in the resulting link, and therefore opens up a way to add additional attributes
(spaces between attributes are not mandatory).

The second vulnerable regular expression is /file:\/\/(?:\S|(?:[ ](?=[^\n\r]*\.)))+/g; it tries
to match anything starting with "file://" followed by a non-whitespace character or a regular space,
as long as a dot appears and no line breaks appear after it. The same mistake is made again; quotes
can be used to add additional attributes to the link.

Being able to add arbitrary attributes to a link may seem innocent, but with a little manipulation
it leads to the execution of arbitrary script code. The "style" attribute in most elements, for
example, may contain properties such as "background-image", which normally point to a URL. That URL
can be "javascript:[code]", which will be executed in the context of the console (file:// protocol).

Exploit:

A simple exploit of the first regular expression:

open("file://localhost/console.html","","");
opera.postError("http://\"style=\"background-image:url('javascript:alert(location.href)')\"");

A simple exploit of the second regular expression:

open("file://localhost/console.html","","");
opera.postError("file://\" style=\"background-image:url('javascript:alert(location.href)')\".");

Demonstration:

We put together two proof-of-concept demonstrations:

    * Simple (http://www.greymagic.com/adv/gm003-op/phSimple.asp): Demonstrates how the poisonous
debug message is being inserted.
    * GreyMagic Opera Disk Explorer (http://www.greymagic.com/adv/gm003-op/phExp.asp): Browse your
entire file system using this explorer-like tool, which takes advantage of this vulnerability in
order to access local resources.

Solution:

Fortunately, this vulnerability can be solved manually:

    * Edit the file "console.html", which resides in Opera's installation directory.
    * Line 52 should read: m.replace( /\\/g, "\\\\" ) +
    * Replace it with: m.replace( /\\/g, "\\\\" ).replace(/"/g,"&quot;") +

Tested on:

Opera 7 NT4.
Opera 7 Win98.
Opera 7 Win2000.
Opera 7 WinXP.

Disclaimer:

The information in this advisory and any of its demonstrations is provided "as is" without warranty
of any kind.

GreyMagic Software is not liable for any direct or indirect damages caused as a result of using the
information or demonstrations provided in any part of this advisory.

Feedback:

Please mail any questions or comments to security@greymagic.com. 

---------------------------------------------------------

http://www.greymagic.com/adv/gm004-op/

GreyMagic Security Advisory GM#004-OP

By GreyMagic Software, Israel.
04 Feb 2003.

Topic: Opera Images.

Discovery date: 29 Jan 2003.

Affected applications:

Opera 7 (final).

Introduction:

Opera recently released a new version of its browser.

Opera 7, just like any other browser, supports a considerable amount of image formats. Images are
normally embedded in HTML documents but they can also be accessed directly via the browser.

Discussion:

By examining the HTML Opera produces when it displays a single image, it becomes obvious that Opera
doesn't bother to do any formatting on the provided URL. Luckily though, Opera automatically encodes
most characters in the URL, so access to other domains via this flaw becomes impossible.

However, URLs to local files (file:// protocol) do not get encoded and therefore cannot evade the
very basic form of XSS: file://path/to/image.jpg?">Arbitrary HTML here.

And to make this even more comfortable for attackers, Opera provided an easy way to refer to its own
installation directory - file://localhost/. So instead of searching for default images in the OS, an
attacker can simply refer to file://localhost/images/file.gif, one of the few images Opera ships by
default, and enjoy the following abilities:

    * Read any file on the user's file system.
    * Read the contents of directories on the user's file system.
    * Read emails written or received by M2, Opera's mail program.
    * And more...

Note: the same applies to embeddable media, such as SWF.

Exploit:

open("file://localhost/images/file.gif?\"><script>alert(location.href);</script>","","");

Demonstration:

We put together two proof-of-concept demonstrations:

    * Simple (http://www.greymagic.com/adv/gm004-op/oiSimple.asp): Demonstrates how a single local
image can be exploited.
    * GreyMagic Opera Disk Explorer (http://www.greymagic.com/adv/gm004-op/oiExp.asp): Browse your
entire file system using this explorer-like tool, which takes advantage of this vulnerability in
order to access local resources.

Solution:

Until a patch becomes available, disable Javascript by going to: File -> Preferences -> Multimedia,
and uncheck the "Enable JavaScript" item.

Credits:

Many thanks to Tom Gilder for his excellent help in researching this vulnerability.

Tested on:

Opera 7 NT4.
Opera 7 Win98.
Opera 7 Win2000.
Opera 7 WinXP.

Disclaimer:

The information in this advisory and any of its demonstrations is provided "as is" without warranty
of any kind.

GreyMagic Software is not liable for any direct or indirect damages caused as a result of using the
information or demonstrations provided in any part of this advisory.

Feedback:

Please mail any questions or comments to security@greymagic.com. 

---------------------------------------------------------

http://www.greymagic.com/adv/gm005-op/

GreyMagic Security Advisory GM#005-OP

By GreyMagic Software, Israel.
04 Feb 2003.

Topic: Opera: What's Next.

Discovery date: 28 Jan 2003.

Affected applications:

Opera 7 (final).

Introduction:

Opera recently released a new version of its browser.

Like any other browser, Opera supports the "history" object, which makes it possible to navigate
through the browser history by exposing the "back", "forward", and "go" methods.

Discussion:

Opera exposed a little more than a few methods on the history object. It also exposes two
properties, "next" and "previous". Unlike the methods mentioned above, these properties contain
actual URLs.

This means that when a user navigates to a website, the owner can easily check and log where the
user had last been, and even where he went right afterwards (in case the user goes back in history),
regardless of whether that previous URL referred to the owner's web site or not.

Notice that "history.previous" is not the same as the "HTTP_REFERER" header. It will return the last
URL even if it was not the direct referrer to the current URL, which makes Opera's "Enable referrer
logging" configuration option completely pointless.

That's a serious breach of privacy, which Opera seemed to have implemented intentionally.

Exploit:

The following code demonstrates how to retrieve these properties:

alert("Last URL: "+history.previous+".\nNext URL: "+history.next+".");

Demonstration:

Press the button below in order to view the previous and next entries in the history object. For a
better demonstration of this flaw browse to a different web site and then hit the back button.

<Display last and next history entries>

Solution:

Hopefully, Opera will reconsider these properties and remove them from the history object. Until
then you may prefer to disable Javascript by going to: File -> Preferences -> Multimedia, and
uncheck the "Enable JavaScript" item.

Tested on:

Opera 7 NT4.
Opera 7 Win98.
Opera 7 Win2000.
Opera 7 WinXP.

Disclaimer:

The information in this advisory and any of its demonstrations is provided "as is" without warranty
of any kind.

GreyMagic Software is not liable for any direct or indirect damages caused as a result of using the
information or demonstrations provided in any part of this advisory.

Feedback:

Please mail any questions or comments to security@greymagic.com. 

---------------------------------------------------------

http://www.greymagic.com/adv/gm006-op/

GreyMagic Security Advisory GM#006-OP

By GreyMagic Software, Israel.
04 Feb 2003.

Topic: Sniffing Opera's Tracks.

Discovery date: 29 Jan 2003.

Affected applications:

Opera 7 (final).

Introduction:

Opera recently released a new version of its browser.

The new browser features a very useful Javascript console, which uses a few methods Opera
implemented in the "opera" object.

Discussion:

These methods appear in the comments of the "console.html" file as follows:

    * opera.errorIndex()
      Returns the index of the last error message. This index is monotonically increasing (which
limits us to about 2^53 errors per Opera session).

    * opera.errorMessage(i)
      Returns the error message at index i. The value returned may be #f, if that message has been
flushed from the cache.

Opera hadn't bothered to restrict these methods to certain credentials and they are available for
any web page to use. At first glance this doesn't appear to be a big deal, but a short inspection of
the generated error messages reveals that each of them contains the URL that threw the exception.

In practice, this means that a web page can extract a list of all URLs the user had visited and that
threw any exceptions. And since Opera pretends to be Internet Explorer by default, it often
encounters errors in web pages. Harvesting visited URLs had never been this simple.

Exploit:

The following code will generate a list of visited URLs:

var sMsg,
    sFinal="",
    iLen=opera.errorIndex();

for (var iErr=0;iErr<iLen;iErr++) {
    sMsg=opera.errorMessage(iErr);
    if (sMsg && /(https?:\/\/\S+)/i.test(sMsg)) sFinal+=RegExp.$1+"\n";
}
alert(sFinal);

Demonstration:

Pressing the button below should display a list of unique URLs, which were collected by iterating
through the error messages. Make sure you browse around for a bit before hitting it in order to
collect a few URLs.

<List unique visited URLs>

Solution:

Until a patch becomes available, disable Javascript by going to: File -> Preferences -> Multimedia,
and uncheck the "Enable JavaScript" item.

Tested on:

Opera 7 NT4.
Opera 7 Win98.
Opera 7 Win2000.
Opera 7 WinXP.

Disclaimer:

The information in this advisory and any of its demonstrations is provided "as is" without warranty
of any kind.

GreyMagic Software is not liable for any direct or indirect damages caused as a result of using the
information or demonstrations provided in any part of this advisory.

Feedback:

Please mail any questions or comments to security@greymagic.com. 

---------------------------------------------------------


 
 


Copyright 2020, SecurityGlobal.net LLC