Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

Opera's Security Model is Highly Vulnerable (GM#002-OP)

From: GreyMagic Software <security () greymagic com>
Date: Tue, 04 Feb 2003 11:04:58 "GMT"
GreyMagic Security Advisory GM#002-OP
=====================================

By GreyMagic Software, Israel.
04 Feb 2003.

Available in HTML format at http://security.greymagic.com/adv/gm002-op/.

Topic: Opera's Security Model is Highly Vulnerable.

Discovery date: 14 Nov 2002.

Affected applications:
======================

Opera 7 (final).


Introduction:
=============

Opera recently released a new version of its browser. 

Version 7 brings many long-awaited features such as proper DOM support and
an improved rendering engine. However, Opera seems to have neglected one of
the most important aspects in any browser today, its default cross-domain
security model. 


Discussion: 
===========

All browsers with Javascript support deploy a cross-domain security model,
which, in essence, attempts to prevent documents from one domain to access
other documents in different domains. 

Opera 7 deployed a fundamentally different approach to cross-domain
security, a caller-based model, rather than the origin-based model deployed
in other browsers. The vulnerability is comprised of three different flaws
in that model: 

* Functions in different domains can be accessed and executed. 

* Functions are being executed under the caller's domain credentials and not
in their originating domain. 

* It is possible to override properties and methods (both native and
user-defined) in other windows. 

The first flaw means that a window in one domain is able to execute
functions in a window that's in a different domain. This flaw in itself is
not a big threat because of the second flaw, which means that even if a
function in the victim window is executed, it is executed with the
attacker's credentials, and therefore unable to access the victim's
document. 

The second flaw means that if the attacker can get the victim to execute a
function, it will run under the victim's credentials. And because of the
first flaw, the victim will have no problems accessing a malicious function
created by the attacker. 

The third, and most devastating flaw means that the attacker is able to
trojanize native methods in the victim window with his own code and simply
wait for the victim to execute it. 

With these three flaws combined, it becomes extremely easy to exploit any
document that uses some scripting, including local resources in the file://
protocol. Being able to access local resources in Opera means that the
attacker would be able to: 

* Read any file on the user's file system. 
* Read the contents of directories on the user's file system. 
* Read emails written or received by M2, Opera's mail program. 
* And more... 


Exploit: 
========

A perfect candidate for exploitation is Opera's own Javascript console,
which arrives in the form of three separate files in Opera's installation
directory. 

The file "console.html" makes a very early call to the native method
"setInterval", which can be overridden by an attacking window. This scenario
does not require any user interaction. 

<script language="jscript">
var oWin=open("file://localhost/console.html","","");
oWin.setInterval=function () { 
    alert("Access to local resource achieved: "+oWin.location.href);
}
</script>

The "file://localhost/" URL appearing in this sample is a convenient method
provided by Opera in order to access the selected directory (Opera's home by
default). 


Demonstration:
==============

We put together two proof-of-concept demonstrations: 

* Simple: Reads cookies from a few well-known sites and demonstrates access
to a local resource. 
* GreyMagic Opera Disk Explorer: Browse your entire file system using this
explorer-like tool, which takes advantage of this vulnerability in order to
access local resources. 

They can both be found at http://security.greymagic.com/adv/gm002-op/.


Solution: 
=========

Opera was notified of a variation of this issue on 14-Nov-2002, but
appareantly failed to understand the core issues and only patched one
symptom of the problem (it was possible for foreign windows to simply set
event handlers in Beta 1). 

In the meantime, until a patch becomes available, disable Javascript by
going to: File -> Preferences -> Multimedia, and uncheck the "Enable
JavaScript" item. 


Credits:
========

Many thanks to Tom Gilder for his excellent help in researching this
vulnerability.


Tested on: 
==========

Opera 7 NT4.
Opera 7 Win98.
Opera 7 Win2000.
Opera 7 WinXP.


Disclaimer: 
===========

The information in this advisory and any of its demonstrations is provided
"as is" without warranty of any kind. 

GreyMagic Software is not liable for any direct or indirect damages caused
as a result of using the information or demonstrations provided in any part
of this advisory. 


Feedback: 
=========

Please mail any questions or comments to security () greymagic com. 

- Copyright © 2003 GreyMagic Software.
Previous By Date Next
Previous By Thread Next

Current thread: