SecurityTracker.com
Category:   Application (Web Browser)  >   Opera
Vendors:   Opera Software
Opera Web Browser Download Dialog Lets Remote Users Delete Arbitrary Files
SecurityTracker Alert ID:  1008460
SecurityTracker URL:  http://securitytracker.com/id/1008460
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Dec 12 2003
Impact:   Modification of system information, Modification of user information
Fix Available:  Yes
Exploit Included:  Yes
Version(s): 7.22 and prior 7.x versions
Description:   A vulnerability was reported in the Opera web browser. A remote user can cause arbitrary files to be deleted in certain cases.

':: Operash ::' reported that when the browser displays a download dialog, the browser creates a temporary file in the temporary directory based on the name of the file to be downloaded. The browser reportedly does not validate the filename, so a filename can contain the '..%5C' directory traversal characters. As a result, a remote user can create a specially crafted file name as part of a URL to cause files on the target user's system to be overwritten and then deleted when the target user loads the URL and receives the download dialog. Only files that the target user has write permissions for can be deleted.

A demonstration exploit filename that will cause c:\windows\calc.exe to be deleted is provided:

http://server/path/AAAAAAAAAA%5C..%5C..%5Ccalc.exe

The following notification timeline is provided:

2003-10-09 Discovered this vulnerability.
2003-11-26 Reported to vendor.
2003-12-12 Released this advisory.

The vendor has reportedly not responded.

Impact:   A remote user can cause an arbitrary file on the target user's computer to be deleted with the permissions of the target user when the target user attempts to download a specially crafted filename (even if the file is not actually downloaded).
Solution:   The author reports that version 7.23 build 3227 (JP:build 3226) is not vulnerable.
Vendor URL:  www.opera.com/
Cause:   Input validation error
Underlying OS:  Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  [Opera 7] Arbitrary File Delete Vulnerability


----------------------------------------------------------------------
TITLE         : [Opera 7] Arbitrary File Delete Vulnerability
                -= How Dare You Delete My Important Files? =-
PRODUCT       : Opera 7 for Windows
VERSIONS      : 7.22 build 3221 (JP:build 3222)
                7.21 build 3218 (JP:build 3219)
                7.20 build 3144 (JP:build 3145)
                7.1x
                7.0x
VENDOR        : Opera Software ASA (http://www.opera.com/)
SEVERITY      : Critical.
                An arbitrary file could be deleted on Local Disk
                from Remote.
DISCOVERED BY : nesumin
AUTHOR        : :: Operash ::
REPORTED DATE : 2003-11-26
RELEASED DATE : 2003-12-12
ORIGINAL URL  : http://opera.rainyblue.org/adv/opera07-autodel-en.php
----------------------------------------------------------------------

0. PRODUCT
============

  Opera for Windows is a GUI-based web browser.
  Opera Software ASA (http://www.opera.com/)


1. DESCRIPTION
================

  When displaying a Download Dialog, Opera creates a temporary file.
  But this file name is not sanitized enough, so an existing
  file can be deleted.

  Exploiting this vulnerability,  an attacker can delete
  an arbitrary existing file on a local disk from remote.

  With this vulnerability, there could be the following risks:

  * Destruction of the system.
  * Destruction of application data.


2. SYSTEMS AFFECTED
=====================

  7.22 build 3221 (JP:build 3222)
  7.21 build 3218 (JP:build 3219)
  7.20 build 3144 (JP:build 3145)
  7.1x
  7.0x


3. SYSTEMS NOT AFFECTED
=========================

  7.23 build 3227 (JP:build 3226)


4. EXAMINES
=============

  Opera for Windows:
    Opera 7.23 build 3227 (JP:build 3226)
    Opera 7.22 build 3221 (JP:build 3222)
    Opera 7.21 build 3218 (JP:build 3219)
    Opera 7.20 build 3144 (JP:build 3145)
    Opera 7.11 build 2887
    Opera 7.11 build 2880
    Opera 7.10 build 2840
    Opera 7.03 build 2670
    Opera 7.02 build 2668
    Opera 7.01 build 2651

  Platform:
    Windows 98SE Japanese
    Windows 2000 Professional SP4 Japanese
    Windows XP Professional SP1 Japanese


5. SOLUTION
===============

  Upgrade to version 7.23 or later version.


6. TECHNICAL DETAILS
======================

  When displaying a Download Dialog, Opera creates a temporary file
  which is based on the name used while downloading in the
  temporary directory.  This temporary file is for searching
  the associated application.

  ---------------------------------------------------------------
  ex)

    Download URL:
        "http://server/path/FILENAME.ext"

    Temporary Filename:
        "c:\windows\temp\FILXXX.tmp.FILENAME.ext"

    (XXX is random string, like "01A")
  ---------------------------------------------------------------

  But this temporary file name is not sanitized enough so that
  it can possibly contain the illegal character string '..%5C'.
  The file with this string can be located on any path on the
  same drive as the temporary file.
  If there's an already existing file with the same name on
  the path,  it will be overwritten and deleted soon.

  ---------------------------------------------------------------
  ex)

    Download URL:
      http://server/path/AAAAAAAAAA%5C..%5C..%5Ccalc.exe

    Temporary Filename:
      "c:\windows\temp\AAAXXX.tmp.AAAAAAAAAA\..\..\calc.exe"

      this is... "c:\windows\calc.exe"

  ---------------------------------------------------------------

  Therefore, if a user goes to a malicious URL which makes Opera
  display the Download Dialog, his files could be deleted with
  this vulnerability.


  The conditions of deletable files:

  1. File's path can be specified with a relative path
     from a temporary directory.
  2. File name contains '.'.
  3. Writable file within Opera process's authority.
  4. Except "Read Only" attribute on Windows 9x Kernel.
     Except "Read Only", "System" or "Hide" attributes on
     Windows NT Kernel.


7. SAMPLE CODE
================

  None released.


8. TIME TABLE & VENDOR STATUS
===============================

  2003-10-09 Discovered this vulnerability.
  2003-11-26 Reported to vendor.
  2003-12-12 Released this advisory.

  No reply from vendor.


9. DISCLAIMER
===============

  A. We cannot guarantee the accuracy of all statements in this information.
  B. We do not anticipate issuing updated versions of this information
     unless there is some material change in the facts.
  C. And we will take no responsibility for any kinds of disadvantages by
     using this information.
  D. You can quote this advisory without our permission if you keep the following;
     a. Do not distort this advisory's content.
     b. A quoted place should be a medium on the Internet.
  E. If you have any questions, please contact us.


10. CONTACT, ETC
==================

  :: Operash :: http://opera.rainyblue.org/

  imagine (Operash Webmaster)
  nesumin <nesumin[at]softhome[dot]net>


  Thanks to :

    anima
    melorin
    piso
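
The path resolution described in section 6, next to a sanitizing variant, as an added example that is not part of the advisory and is not Opera's code. The function names, the fixed `TOKEN` standing in for the random "XXX" part, and the three-character prefix rule are assumptions modelled on the advisory's two examples; `ntpath` applies Windows path rules on any OS and no file is touched.

```python
import ntpath
from urllib.parse import unquote, urlsplit

TEMP_DIR = r"c:\windows\temp"  # temp directory used in the advisory's example
TOKEN = "01A"                  # constructed stand-in for the random "XXX" part


def last_segment(url):
    """Percent-decode the final '/'-separated segment of the URL path."""
    return unquote(urlsplit(url).path.rsplit("/", 1)[-1])


def naive_temp_path(url):
    """Model of the reported flaw: the decoded name is used verbatim."""
    name = last_segment(url)
    return ntpath.normpath(ntpath.join(TEMP_DIR, f"{name[:3]}{TOKEN}.tmp.{name}"))


def safe_temp_path(url):
    """Keep only the final path component, then verify containment."""
    # ntpath.basename splits on both '\' and '/' and drops a drive prefix.
    name = ntpath.basename(last_segment(url))
    # ':' could name an alternate data stream; Windows ignores trailing
    # dots and spaces, so '.', '..' and '...' all collapse to empty here.
    name = name.replace(":", "_").strip(" .")
    if not name:
        name = "download"
    path = ntpath.normpath(ntpath.join(TEMP_DIR, f"{name[:3]}{TOKEN}.tmp.{name}"))
    # Defence in depth: the resolved path must still sit inside TEMP_DIR.
    if ntpath.commonpath([TEMP_DIR, path]).lower() != TEMP_DIR.lower():
        raise ValueError("temporary file would escape the temp directory")
    return path


if __name__ == "__main__":
    demo = "http://server/path/AAAAAAAAAA%5C..%5C..%5Ccalc.exe"  # URL from the advisory
    print("naive:", naive_temp_path(demo))
    print("safe: ", safe_temp_path(demo))
```

The containment check is deliberately redundant with the basename step: it still holds if a later change to the name handling reintroduces a separator.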
