SecurityTracker.com
Category:   Application (Web Browser)  >   Opera
Vendors:   Opera Software
Opera Input Validation Flaw in Opera MIME Types Lets Remote Users Write Arbitrary Files
SecurityTracker Alert ID:  1008275
SecurityTracker URL:  http://securitytracker.com/id/1008275
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Nov 22 2003
Impact:   Modification of system information, Modification of user information, User access via network
Fix Available:  Yes
Vendor Confirmed:  Yes
Exploit Included:  Yes
Version(s): prior to 7.23; Tested on 7.22 build 3221, 7.21 build 3218, 7.20 build 3144, Opera 7.11 build 2887, Opera 7.11 build 2880, Opera 7.10 build 2840, Opera 7.03 build 2670, Opera 7.02 build 2668, and Opera 7.01 build 2651
Description:   A vulnerability was reported in the Opera web browser in the auto-install feature. A remote user can cause arbitrary files to be written to arbitrary locations on the target user's system.

Operash reported that a remote user can create HTML that, when loaded by the target user, will exploit the auto-install function for Skin Files and Configuration Files to write an arbitrary file to an arbitrary path on the target user's system.

The vulnerability can be triggered by the following MIME types:

application/x-opera-skin
application/x-opera-configuration-skin
application/x-opera-configuration-mouse
application/x-opera-configuration-keyboard
application/x-opera-configuration-toolbar
application/x-opera-configuration-menu

According to the report, files specified by these MIME types will ordinarily be installed in the User-Directory or Installed-Directory. However, a remote user can specify a file name and path containing the '..%5C' directory traversal characters to change the name and location of the saved file. For example, a remote user can save an executable file to the start-up directory, the report said.
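
The file name check that this class of flaw calls for, as an added example (not code from the advisory, the reporter, or Opera). The function names, the five-layer decode limit and the sample directory are assumptions made for illustration; naive_install_path only models the behaviour the report describes.

```python
import ntpath  # Windows path rules on any host OS
from urllib.parse import unquote

# MIME types the advisory lists as triggering auto-install.
AUTO_INSTALL_TYPES = {
    "application/x-opera-skin",
    "application/x-opera-configuration-skin",
    "application/x-opera-configuration-mouse",
    "application/x-opera-configuration-keyboard",
    "application/x-opera-configuration-toolbar",
    "application/x-opera-configuration-menu",
}

class UnsafeName(ValueError):
    """Server-supplied file name must not be used for auto-install."""

def naive_install_path(base_dir, served_name):
    # Model of the flaw: decode the name and join it without checking it.
    return ntpath.normpath(ntpath.join(base_dir, unquote(served_name)))

def safe_install_path(base_dir, served_name, mime_type):
    if mime_type not in AUTO_INSTALL_TYPES:
        raise UnsafeName("not an auto-install MIME type")
    # Decode until stable so nested encodings (%255C) are also caught.
    name = served_name
    for _ in range(5):
        decoded = unquote(name)
        if decoded == name:
            break
        name = decoded
    else:
        raise UnsafeName("too many encoding layers")
    # Accept a bare file name only: no separators, drive or stream colon,
    # control characters, or dot-only names.
    if (not name.strip(". ") or any(c in name for c in "/\\:")
            or any(ord(c) < 32 for c in name)):
        raise UnsafeName(f"rejected file name: {served_name!r}")
    # Defence in depth: the resolved parent must be the install directory.
    base = ntpath.normpath(base_dir)
    target = ntpath.normpath(ntpath.join(base, name))
    if ntpath.dirname(target).lower() != base.lower():
        raise UnsafeName(f"escapes install directory: {served_name!r}")
    return target
```

With the constructed directory C:\Opera7\profile\skin, the naive join resolves '..%5C..%5Cplaced.txt' to C:\Opera7\placed.txt, while safe_install_path raises UnsafeName for the same name.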

The following notification timeline is provided:

2003-09-30 Discovered this vulnerability.
2003-11-20 Reported to vendor.
2003-11-20 Vendor said "we have already fixed it in 7.23".
2003-11-21 Released this advisory.

[Editor's note: A similar vulnerability was reported in November 2003 by S G Masood and reported in Alert ID 1008154. The vendor indicated that the previously reported vulnerability was fixed in 7.22. However, the previously reported flaw did not involve directory traversal.]

Impact:   A remote user can create HTML that, when loaded by the target user, will write or overwrite arbitrary files on the target system.
Solution:   The vendor has reportedly issued a fixed version (7.23), available at:

http://www.opera.com/download/

Vendor URL:  www.opera.com/
Cause:   Access control error, Input validation error
Underlying OS:  Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  [Opera 7] Arbitrary File Auto-Saved Vulnerability.


---------------------------------------------------------------------------------
TITLE          : [Opera 7] Arbitrary File Auto-Saved Vulnerability.
                 -= For Whom The Remote Customizing Runs? =-
PRODUCT        : Opera 7 for Windows
VERSIONS       : 7.22 build 3221 (JP:build 3222)
                 7.21 build 3218 (JP:build 3219)
                 7.20 build 3144 (JP:build 3145)
                 7.1x
                 7.0x
VENDOR         : Opera Software ASA (http://www.opera.com/)
SEVERITY       : Critical.
                 An arbitrary file could be saved on Local Disk from Remote.
DISCOVERED BY  : nesumin
AUTHOR         : :: Operash ::
REPORTED DATE  : 2003-11-20
RELEASED DATE  : 2003-11-21
----------------------------------------------------------------------------------

0. PRODUCT
============

  Opera for Windows is a GUI based WEB Browser.
  Opera Software ASA (http://www.opera.com/)


1. DESCRIPTION
================

  Opera 7 has a serious Security-Hole in the auto-install function
  for Skin Files and Configuration Files.
  When a user goes to a malicious Web site,  attackers can exploit
  this Security-Hole and make an arbitrary file on arbitrary path
  inside of user's Local Disk from a WEB page.

  With this Security-Hole,  there could be following risks;

    * Infection with Virus or Trojan, etc.
    * Destruction of the system.
    * Leak or alteration of the local data.


2. SYSTEMS AFFECTED
=====================

  7.22 build 3221 (JP:build 3222)
  7.21 build 3218 (JP:build 3219)
  7.20 build 3144 (JP:build 3145)
  7.1x
  7.0x

  All of the 7.xx versions above have this Security-Hole.


3. EXAMINES
=============

  Opera for Windows:
    Opera 7.22 build 3221 (JP:build 3222)
    Opera 7.21 build 3218 (JP:build 3219)
    Opera 7.20 build 3144 (JP:build 3145)
    Opera 7.11 build 2887
    Opera 7.11 build 2880
    Opera 7.10 build 2840
    Opera 7.03 build 2670
    Opera 7.02 build 2668
    Opera 7.01 build 2651

  Platform:
    Windows 98SE Japanese
    Windows 2000 Professional SP4 Japanese
    Windows XP Professional SP1 Japanese


4. WORKAROUND
===============

  Main Menu "Preferences" -> "File Types", MIME-type list;
  (check-off "Hide file types opened with Opera")

    application/x-opera-skin
    application/x-opera-configuration-skin
    application/x-opera-configuration-mouse
    application/x-opera-configuration-keyboard
    application/x-opera-configuration-toolbar
    application/x-opera-configuration-menu

  If you change the actions of all MIME types above from
  "Open with Opera"  to  "Show download dialog"  or etc,
  the auto-install function will be disabled and you can avoid
  this vulnerability.

  If you want to re-enable the auto-install function, change the
  actions of these MIME types to  "Open with Opera".


5. TECHNICAL DETAILS
======================

  Opera 7 has the auto-install function for Skin File, and version
  7.10 or later has the same one for Configuration Files.
  This auto-install function will be executed when Opera gets an
  arbitrary file with MIME-types from a Remote Server;
  "application/x-opera-configuration-XXXXX" or
  "application/x-opera-skin".
  When Opera receives a file and one of these MIME-types,  whether
  user accept them or not,  the file will automatically be saved
  with the name that was used while downloading to the directory
  for Configuration Files in the User-Directory or Installed-
  Directory.
  But this automatically saved file's name is not sanitized enough.
  Therefore, the file could be saved in any directory which can be
  specified with a relative path when the file name contains the
  illegal character string '..%5C'.  Even though the directory is
  outside of expected scope.
  (This is restricted within the directory that Opera's process
  can write and the existing files cannot be overwritten and deleted.)

  For example, if an executable file was saved in the start-up
  directory and it ran when a user reboots computer, the user would
  face a risk of Virus infection or Trojan horse running inside.
  Moreover, the executable file could be for destroying a computer,
  deleting data or any kinds of malicious one.

  In addition, this vulnerability is different from other
  vulnerabilities like buffer overflow, any advanced skills
  are not necessary for exploiting.  So we assume this is
  highly dangerous for users.


  Additional Description:

  Mr. S. G. Masood has reported a similar vulnerability on 12 Nov 2003
  while we were researching on this vulnerability.
  And it was announced that the vulnerability Mr. Masood reported has
  been fixed at version 7.22.
  Though, what we researched has higher severity and hasn't been
  fixed yet even at version 7.22 now.


6. SAMPLE CODE
================

  The sample code can be found on our WEB page.

  http://opera.rainyblue.org/adv/opera06-autosaved-en.php


7. TIME TABLE & VENDOR STATUS
===============================

  2003-09-30 Discovered this vulnerability.
  2003-11-20 Reported to vendor.
  2003-11-20 Vendor said "we have already fixed it in 7.23".
  2003-11-21 Released this advisory.


8. DISCLAIMER
===============

  A. We cannot guarantee the accuracy of all statements in this information.
  B. We do not anticipate issuing updated versions of this information
     unless there is some material change in the facts.
  C. And we will take no responsibility for any kinds of disadvantages by
     using this information.
  D. You can quote this advisory without our permission if you keep the following;
     a. Do not distort this advisory's content.
     b. A quoted place should be a medium on the Internet.
  E. If you have any questions, please contact us.


9. CONTACT, ETC
=================

  :: Operash :: http://opera.rainyblue.org/

  imagine (Operash Webmaster)
  nesumin <nesumin_at_softhome.net>


  Thanks to :

    melorin
    piso(sexy)


Copyright 2021, SecurityGlobal.net LLC