SecurityTracker.com
SecurityTracker
Archives
Category:  Application (Web Browser) > Opera
Vendors:  Opera Software
Opera Buffer Overflow in Processing Skin Files May Let Remote Users Execute Arbitrary Code
SecurityTracker Alert ID:  1008277
SecurityTracker URL:  http://securitytracker.com/id/1008277
CVE Reference:  GENERIC-MAP-NOMATCH
Date:  Nov 22 2003
Impact:   Execution of arbitrary code via network, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 7.22 and prior versions
Description:   A buffer overflow vulnerability was reported in the Opera web browser in the processing of skin files. A remote user may be able to execute arbitrary code on the target system.

It is reported that a remote user can create a specially crafted zip file with extra data after the zip data. When the target user loads HTML that points to the zip file as a skin file to be downloaded, the buffer overflow will reportedly be triggered. It is possible to modify the contents of the EIP register and other registers, the report said.

Impact:   A remote user can create HTML that, when loaded by the target user, will cause arbitrary code to be executed on the target user's computer. The code will run with the privileges of the target user.
Solution:   The vendor has released a fixed version (7.23), available at:

http://www.opera.com/download/

Vendor URL:  www.opera.com/
Cause:   Boundary error
Underlying OS:  Linux (Any), Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  [Full-Disclosure] Opera directory traversal and buffer overflow





OVERVIEW
========

Two vulnerabilities were found in the Opera web browser versions up to 
7.22. They are related to skin files. The first one is a directory 
traversal problem which allows an attacker to upload a file to an 
arbitrary location on the victim system. The second is a buffer  
overflow in skin file handling. A new version, 7.23, was released to 
address the issues.



DETAILS
=======

Opera automatically downloads skin files which have the MIME type 
application/x-opera-skin. They are normally placed in
%USERPROFILE%\Application Data\Opera\Opera7\profile\Skin.

On November 12th S.G. Masood reported that a file of any type can be 
dropped to Opera's default folders. This was fixed in Opera 7.22. After 
the fix, only zip files are accepted. My further research revealed that 
a directory traversal attack allows skin files to be uploaded to 
arbitrary locations on the victim system.

When a skin file is downloaded, the resulting file name is determined
by the Content-Disposition HTTP header, or if it isn't supplied, the
URL. In the latter case the last element of the URL is the filename
which Opera uses. An attacker may however use a URL ending with
hex-encoded backslashes, i.e. "..%5c..%5c..%5c" to get out of Opera's
folder hierarchy. For instance, a skin file fetched from a URL like

 http://server/..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5cskin.zip

would be downloaded to C:\ under a typical Windows installation.

As the browser doesn't accept just any file after the 7.22 update, 
exploiting the issue becomes slightly more difficult. The file format 
must pass some checks to assure Opera of it being a real zip file. The 
file extension can be chosen arbitrarily by the attacker.

One exploit scenario is to place a zip-like file in the victim user's 
Startup folder. The file extension determines how it will be opened by 
Windows. E.g. if the file name ends with ".bat", it will be opened as a 
batch file. It's relatively easy to create a file which passes the 
check as zip file but also works when opened as a batch file. Due to 
the zip file signature and other binary data it will produce some error 
messages but nevertheless command lines contained in the file will be 
executed. In this way an attacker can get access to the system with the 
privileges of the current user.

Locating the Startup folder isn't a problem because Opera's skin folder
is below the %USERPROFILE% folder, and pointing to the startup folder
with a relative path is easy.

The zip processing code also contains a buffer overflow which I found 
while testing the abovementioned vulnerability. If a valid zip file 
contains extra data after the zip data, a buffer overflow occurs. An 
attacker may control contents of some registers including EIP, so this 
buffer overflow seems exploitable, although I didn't produce an 
exploit.

In order to be exploited, these vulnerabilities require the victim to 
visit a web page created by a malicious user. An iframe tag may be used 
to automatically open a skin file.

The directory traversal problem doesn't exist on Linux because "\" isn't 
a directory separator. Other versions weren't tested. The buffer 
overflow can be produced on Linux, too.



VENDOR STATUS
=============

The vendor was notified on November 12, 2003 and a new version of Opera 
was released on November 21st. It can be downloaded at

  ftp://ftp.opera.com/pub/opera/




CREDITS
=======




-- 
jouko@iki.fi            GSM: +358 41 5504555

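As an added illustration (not code from the post, and not Opera's own code), here are the two defender-side checks the post implies: collapsing a percent-encoded traversal name to a bare filename before it is written into the skin folder, and detecting bytes appended after a zip's End Of Central Directory record instead of only testing for a zip signature. The URL, host and skin name below are constructed placeholders, and the strict check treats anything after the EOCD record as grounds to reject the file.

```python
import io
import posixpath
import zipfile
from urllib.parse import unquote, urlsplit

# Constructed sample shaped like the traversal URL in the post; "server" and
# "skin.zip" are placeholders, not values from any real site.
TRAVERSAL_URL = "http://server/..%5c..%5c..%5c..%5c..%5cskin.zip"

def safe_skin_filename(name_hint):
    """Reduce a name taken from Content-Disposition or the last URL element to a
    bare filename that cannot leave the skin folder; None if nothing usable is left."""
    # Percent-decode first so "%5c" becomes a real backslash, then treat both
    # separators alike and keep only the final path component.
    name = posixpath.basename(unquote(name_hint).replace("\\", "/")).strip()
    # Windows picks the handler from the extension, so require .zip explicitly.
    if name in ("", ".", "..") or not name.lower().endswith(".zip"):
        return None
    return name

def filename_from_url(url):
    """The post's 'last element of the URL' rule, passed through the sanitiser."""
    return safe_skin_filename(urlsplit(url).path.rsplit("/", 1)[-1])

def zip_trailing_bytes(data):
    """Bytes after the End Of Central Directory record (the 'extra data after
    the zip data' condition), or -1 if the archive is malformed."""
    pos = data.rfind(b"PK\x05\x06")  # EOCD signature
    if pos < 0 or pos + 22 > len(data):
        return -1
    cd_size = int.from_bytes(data[pos + 12:pos + 16], "little")
    cd_offset = int.from_bytes(data[pos + 16:pos + 20], "little")
    comment_len = int.from_bytes(data[pos + 20:pos + 22], "little")
    if cd_offset + cd_size != pos:  # EOCD must directly follow the central directory
        return -1
    end = pos + 22 + comment_len
    return -1 if end > len(data) else len(data) - end

def make_sample_zip():
    """Constructed one-entry archive used as sample input."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("skin.ini", "[Info]\nName=sample\n")
    return buf.getvalue()

def loose_check_accepts(data):
    # The stdlib signature test tolerates appended bytes, so it passes a file
    # that the strict check above rejects.
    return zipfile.is_zipfile(io.BytesIO(data))
```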
