Category: Application (Web Browser) > Opera
Vendors: Opera Software
Opera Cascading Style Sheet Attribute Integer Overflow Lets Remote Users Deny Service
SecurityTracker Alert ID:  1015912
CVE Reference: CVE-2006-1834
Updated:  Nov 27 2009
Original Entry Date:  Apr 13 2006
Impact:   Denial of service via network
Fix Available: Yes
Vendor Confirmed: Yes
Version(s): 8.52 and prior versions
Description: A vulnerability was reported in Opera. A remote user can cause denial of service conditions on the target user's system.

A remote user can create a specially crafted cascading style sheet attribute that, when loaded by the target user, will trigger an integer overflow and cause the target user's browser to crash.

A demonstration style sheet that triggers the crash is provided:

<STYLE type=text/css>A { FONT-FAMILY: 35000x'A' } </STYLE>

The vendor was notified on March 14, 2006.

Bernhard Mueller of SEC Consult reported this vulnerability.

Impact:   A remote user can cause the target user's browser to crash.
Solution:   The vendor has issued a fixed version (8.54, 9.0).
Cause:   Boundary error, State error
Underlying OS:  Linux (Any), UNIX (FreeBSD), UNIX (macOS/OS X), UNIX (Solaris - SunOS), Windows (Any)

Message History:   None.

 Source Message Contents

Subject:  SEC Consult SA-20060314 :: Opera Browser CSS Attribute Integer Wrap /

SEC-CONSULT Security Advisory 20060413-0
                  title: Opera Browser CSS Attribute Integer Wrap / Buffer Overflow
                program: Opera
     vulnerable version: <= 8.52
                  found: 2006-03-01
                     by: SEC Consult /

Vulnerability overview:

Due to a signedness error in the length check in a string utility
function, a signed expansion and a subsequent call to wcsncpy, it is
possible to overwrite large portions behind the target buffer. Doing so
crashes the application. Exploitation for code execution seems hard due
to the large amount of memory being copied, of which only a small
portion can be controlled (we didn't spend too much time on that, though).
The bug can be triggered by specifying a long value within a stylesheet:

<STYLE type=text/css>A { FONT-FAMILY: 35000x'A' } </STYLE>

Vulnerability details:

The disassembly of the vulnerable function follows. Note that the signed
comparison at 0x67B8CF0D can be bypassed if arg_length > 0x7FFFFFFF.

.text:67B8CEFE ; int __stdcall POC_CALL_TO_WCSNCPY_67B8CEFE(wchar_t *,int)
.text:67B8CEFE                                         ;
.text:67B8CEFE arg_pbuf_src= dword ptr  4
.text:67B8CEFE arg_length= dword ptr  8
.text:67B8CEFE mov     eax, POC_pbuf_target
.text:67B8CF03 push    ebx
.text:67B8CF04 push    esi
.text:67B8CF05 push    edi
.text:67B8CF06 mov     edi, [esp+0Ch+arg_length]
.text:67B8CF0A mov     esi, [eax+40h]
.text:67B8CF0D cmp     edi, 4096
.text:67B8CF13 mov     ebx, ecx
.text:67B8CF15 jl      short loc_67B8CF1C              ; signedness error
.text:67B8CF17 mov     edi, 4095
.text:67B8CF1C loc_67B8CF1C:                           ; CODE XREF:
.text:67B8CF1C push    edi                             ; size_t
.text:67B8CF1D push    [esp+10h+arg_pbuf_src]          ; wchar_t *
.text:67B8CF21 push    esi                             ; wchar_t *
.text:67B8CF22 call    _wcsncpy
.text:67B8CF27 and     word ptr [esi+edi*2], 0
.text:67B8CF2C add     esp, 0Ch
.text:67B8CF2F mov     ecx, ebx
.text:67B8CF31 push    esi                             ; wchar_t *
.text:67B8CF32 call    sub_67B8CD10
.text:67B8CF37 test    ax, ax
.text:67B8CF3A jge     short loc_67B8CF48
.text:67B8CF3C mov     ecx, [ebx+5D0h]
.text:67B8CF42 call    sub_67B8C7BC
.text:67B8CF47 inc     eax
.text:67B8CF48 loc_67B8CF48:                           ; CODE XREF:
.text:67B8CF48 pop     edi
.text:67B8CF49 pop     esi
.text:67B8CF4A pop     ebx
.text:67B8CF4B retn    8

Passing a 2GB string to the application may not seem feasible at first.
However, due to another problem we found in a calling function it is
enough to inject a 32k string, which Opera sign extends to a large
negative value before it is passed to the above function.

.text:67B8AF62 loc_67B8AF62:                           ; CODE XREF:
.text:67B8AF62                 movsx   eax, [ebp+var_length_ovfl] ; here the error occurs: short int length is sign extended
.text:67B8AF62                                         ; to a long integer. the result is a large negative value if length
.text:67B8AF62                                         ; is negative.
.text:67B8AF66                 jmp     short loc_67B8AF5D

Vendor status:
vendor notified: 2006-03-14
vendor response: 2006-03-16
fixed: 2006-04-05

The bug has been fixed in Opera 8.54 and in current versions of Opera 9.0.


SEC Consult Unternehmensberatung GmbH
Office Vienna
Blindengasse 3
A-1080 Wien

Tel.: +43 / 1 / 409 0307 - 570
Fax.: +43 / 1 / 409 0307 - 590
Mail: office at sec-consult dot com

EOF SEC Consult Vulnerability Lab / @2005

Greetings ::: Walter B, Flo, Chris, Laura, TkE, DFA, KOMRADE
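The C model below is an added illustration of the two defects the advisory above describes (the signed length comparison ahead of wcsncpy, and the movsx sign extension of a 16-bit length in the caller). It is not code from the advisory or from Opera; the function names, the 4096-entry target buffer and the constructed 35000-character input are assumptions derived from the disassembly. It shows why a length of 35000 passes the vulnerable check once sign-extended, and how an unsigned clamp with zero extension keeps the copy inside the buffer. The model never performs the oversized copy; it only computes the size the vulnerable code would hand to wcsncpy.

```c
/* Added example (not from the SEC Consult advisory or from Opera's code).
 * Models the vulnerable length handling seen in the disassembly next to a
 * hardened equivalent. The 4096 limit comes from "cmp edi, 4096"; that the
 * target buffer holds exactly 4096 wchar_t entries is an assumption. */
#include <assert.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <wchar.h>

#define TARGET_CAP 4096   /* assumed size of the target buffer, in wchar_t */

/* Models "movsx eax, [ebp+var_length_ovfl]": a 16-bit length is sign
 * extended to 32 bits, so any length >= 0x8000 (32768) becomes negative. */
int sign_extend_short(uint16_t len16)
{
    return (int)(int16_t)len16;
}

/* Models the vulnerable check: "cmp edi, 4096 / jl" is a signed compare.
 * A negative length passes the check unclamped and is then pushed as a
 * size_t for wcsncpy, where it becomes a huge unsigned value. Returns the
 * size the copy would receive; this model never performs the copy. */
size_t vulnerable_copy_len(int arg_length)
{
    int edi = arg_length;
    if (!(edi < TARGET_CAP))      /* jl taken (clamp skipped) when edi < 4096 signed */
        edi = TARGET_CAP - 1;     /* mov edi, 4095 */
    return (size_t)edi;           /* push edi ; size_t */
}

/* Hardened check: the length stays unsigned (zero extension instead of
 * movsx) and the clamp is an unsigned comparison, so the result can never
 * exceed 4095 whatever the caller supplies. */
size_t safe_copy_len(uint16_t len16)
{
    size_t n = (size_t)len16;                    /* zero extension, not movsx */
    return n < TARGET_CAP ? n : TARGET_CAP - 1;
}

/* Bounded copy using the hardened length; returns characters copied.
 * dst must hold at least TARGET_CAP wchar_t entries. */
size_t safe_copy(wchar_t *dst, const wchar_t *src, uint16_t len16)
{
    size_t n = safe_copy_len(len16);
    wcsncpy(dst, src, n);
    dst[n] = L'\0';   /* mirrors "and word ptr [esi+edi*2], 0", now in range */
    return n;
}

/* Runs the hardened copy on a constructed 35000-character value (the same
 * length as the FONT-FAMILY value in the advisory) and returns how many
 * characters were actually written into the 4096-entry buffer. */
size_t demo_safe_copy(void)
{
    static wchar_t src[35001];
    static wchar_t dst[TARGET_CAP];
    for (size_t i = 0; i < 35000; i++)
        src[i] = L'A';
    src[35000] = L'\0';
    return safe_copy(dst, src, 35000);   /* 35000 fits in a uint16_t */
}

int main(void)
{
    int ext = sign_extend_short(35000);
    printf("movsx of 35000            -> %d\n", ext);
    printf("vulnerable size_t for copy-> %zu (buffer holds %d)\n",
           vulnerable_copy_len(ext), TARGET_CAP);
    printf("hardened length           -> %zu\n", safe_copy_len(35000));
    printf("hardened copy wrote       -> %zu characters\n", demo_safe_copy());
    return 0;
}
```

Two independent fixes each close the hole on their own: reading the length with zero extension (so 35000 stays 35000 and is clamped to 4095), or comparing as unsigned before the copy (so a negative value is treated as huge and clamped rather than passed through). Applying both is the defensive default.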

