SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Web Browser)  >   Opera Vendors:   Opera Software
Opera 'location' Method Overwriting Lets Remote Users Access a Target User's File System
SecurityTracker Alert ID:  1010879
SecurityTracker URL:  http://securitytracker.com/id/1010879
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Aug 5 2004
Impact:   Disclosure of system information, Disclosure of user information
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): 7.53 and prior versions
Description:   A vulnerability was reported in Opera in the processing of the 'location' object. A remote user can gain read access to the target user's file system.

GreyMagic Software reported that a remote user can create HTML that, when loaded by the target user, will be able to read files on the target user's system or run in the context of a remote domain.

This is achieved by loading HTML code that invokes a method within the vulnerable 'location' object and then replacing or overwriting a function with arbitrary scripting code. HTML code on the target user's file system or on remote web sites can be exploited.

To gain read access to files on the target user's system, the remote user can load an HTML file from a known location on the target user's system and then overwrite a method within that file.

The vendor was reportedly notified on July 22, 2004.

Some demonstration exploits and the original advisory are available at:

http://www.greymagic.com/security/advisories/gm008-op/

Impact:   A remote user can access a target user's file system.
Solution:   The vendor has released a fixed version (7.54), available at:

http://www.opera.com/download/

Vendor URL:  www.opera.com/ (Links to External Site)
Cause:   Access control error
Underlying OS:  Linux (Any), UNIX (macOS/OS X), Windows (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Aug 6 2004 (Gentoo Issues Fix) Opera 'location' Method Overwriting Lets Remote Users Access a Target User's File System
Gentoo has released a fix.



 Source Message Contents

Subject:  [Full-Disclosure] Opera: Location, Location, Location


GreyMagic Security Advisory GM#008-OP
=====================================

By GreyMagic Software, 05 Aug 2004.

Available in HTML format at
http://www.greymagic.com/security/advisories/gm008-op/.

Topic: Location, Location, Location.

Discovery date: 19 Jul 2004.

Affected applications:
======================

Opera 7.53 and prior on Windows, Linux and Mac. 


Introduction:
=============

On 04-Feb-2003 GreyMagic released an advisory [1] concerning Opera's
security model in v7.0. The advisory depicted several flaws in Opera's
model, one of them allowed for an attacker to overwrite native and custom
functions in a victim window. When the victim web-page executed such
function, the attacker's code executed with the victim's privileges. 

Opera tried to prevent such scenarios in Opera 7.01, by blocking
write-access to objects on the victim window. 

[1] http://www.greymagic.com/security/advisories/gm002-op/

Discussion: 
===========

Unfortunately, Opera failed to block write-access to the often-used
"location" object. 

By overwriting methods in this object, an attacker can gain immediate script
access to any web-page that uses one of these methods. This includes both
web-pages in foreign domains and the victim's local file system. 

The impacts of this vulnerability include: 

* Read-access to files on the victim's file system 
* Read-access to lists of files and folders on the victim's file system 
* Read-access to emails written or received by M2, Opera's mail program 
* Cookie theft 
* URL spoofing (phishing) 
* Track user browsing history 
* Much more... 

Several methods are candidates for such attacks: assign(), replace(),
valueOf() and toString(). The first two would be triggered only when the
victim explicitly calls them. The latter ones would be called in many
implicit cases, including: 

* str+=location;
* decodeURI(location);
* location*7;
* location+"";

And many others... 

In order to gain access to the "file://" protocol, and hence to the entire
file-system, an attacker needs to know of an HTML file in the victim's file
system that actually makes a call to a method in the location object. Such
file was included in virtually all Windows Operating Systems, it is named
"CiAdmin.htm" and it can be found in a very predictable path -
%SystemRoot%/Help/. 


Exploit: 
========

To exploit this vulnerability an attacker can use a simple <iframe>,
pointing to the victim web-page, and inject the malicious code into its
window. Here's an oversimplified example: 

<iframe></iframe>
<script type="text/javascript">
onload=function () {
"+location.href);
}
</script>

This code demonstrates how the vulnerability works, but it is not likely to
succeed in exploiting it by itself. This happens because the malicious code
must be injected in the time-gap between page initiation and page script
execution. This leaves a very narrow window for an attacker to inject code,
but with a bit of scripting this window of opportunity can easily be found.
The demonstrations below use simple brute-force and retry mechanisms to
inject our code successfully. 


Demonstration:
==============

GreyMagic prepared two proof-of-concept demonstrations of this
vulnerability, they are available at
http://www.greymagic.com/security/advisories/gm008-op/.


Solution: 
=========

GreyMagic informed Opera of the vulnerability on 22-Jul-2004. A new version
(7.54) was officially released on 05-Aug-2004 to address this flaw.


Tested on: 
==========

Opera 7.52.
Opera 7.53.


Disclaimer: 
===========

The information in this advisory and any of its demonstrations is provided
"as is" without warranty of any kind. 

GreyMagic Software is not liable for any direct or indirect damages caused
as a result of using the information or demonstrations provided in any part
of this advisory. 


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2021, SecurityGlobal.net LLC