Bugtraq mailing list archives

[Opera 7/6] Long Filename Buffer Overflow Vulnerability in Download


From: nesumin <nesumin () softhome net>
Date: Wed, 12 Mar 2003 07:50:48 +0900

Hi, all.

We are releasing information about a vulnerability in Opera here,
and we hope that the vendor will fix it immediately.

       ___________________________________________________

-----------------------------------------------------------------
 Synopsis:       [Opera 7/6] Long Filename Buffer Overflow
                 Vulnerability in Download
 Product:        Opera for Windows
 Version:        7.02 build 2668
                 7.02 bork build 2656b
                 7.01 build 2651
                 6.05 build 1140
 Vendor:         Opera Software ASA (http://www.opera.com/)
 Risk:           High. Execute arbitrary code
 Discovered By:  imagine (Operash webmaster)
 Reported By:    nesumin <nesumin () softhome net>
 Reported Date:  2003-03-06
 Published Date: 2003-03-10
-----------------------------------------------------------------

Product :

  Opera for Windows is a GUI-based web browser.
  It includes mail, news and IM clients.

  Opera Software ASA
  http://www.opera.com/


OverView :

  Opera for Windows has a serious security hole.

  Opera does not check the length of the filename when it downloads files.
  Therefore, if a file with a long filename is downloaded while Opera shows
  the "Download Dialog", a buffer overflow occurs on the stack.

  The overflow can overwrite the saved RET address on the stack, which makes
  it possible to execute arbitrary code.

  If an Opera user downloads a file that has a long filename with
  malicious code inside, this vulnerability would allow the attacker
  to infect the user's computer with a virus, destroy data, etc.


Tested on :

  Opera
    Opera7.02 build 2668
    Opera7.02 bork build 2656b
    Opera7.01 build 2651
    Opera6.05 build 1140

    English edition and Japanese edition.

  Platform
    Windows98SE JP
    Windows2000 Pro SP3 JP
    WindowsXP Home SP1 JP


Vulnerable in testing :

  Opera7.02 build 2668
  Opera7.02 bork build 2656b
  Opera7.01 build 2651
  Opera6.05 build 1140


Not vulnerable in testing :

  None


Vendor status :

  Already reported, 2003/03/06.
  The vendor said that this issue would be fixed in the next version, due out very soon.


Details :

  * Reproduce

    Step 1. Opera requests the file.
    Step 2. The server sends the response.
    Step 3. Opera tries to display the download dialog.
    Step 4. A buffer overflow occurs if the file has a long filename.


  Opera does not check the length of the name of a file to be downloaded.

  When Opera requests a file and the server returns a response,
  the "Download Dialog" is displayed depending on the contents of
  the response or the file extension.

  Opera then writes a temporary filename, used for checking the file type,
  into a buffer on the stack. This temporary filename is generated from
  the temporary directory name specified by the user's environment variable
  and from the download filename.
  (The filename is converted into 16-bit wide characters.)

  A buffer overflow occurs on the stack when a long filename
  (longer than the buffer size) is specified,
  since the length of the filename is not checked there.
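  The following is an added illustration of the missing check, not Opera's code:
  a temporary path is built from the temp directory and the download filename,
  widened to 16-bit code units, into a fixed-size stack buffer. The capacity,
  the helper names and the ASCII-only widening are assumptions for the example;
  the point is that the required length is computed in output code units and
  rejected before anything is copied.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Assumed capacity of the stack buffer, in 16-bit code units (not Opera's value). */
#define TMPNAME_CAP 64

/* Widen one byte per code unit.  Assumes ASCII input; with a locale-aware
 * conversion the output length can differ from the byte length, so it must be
 * measured in output units before copying, as below. */
static size_t widen(uint16_t *dst, const char *src, size_t n) {
    for (size_t i = 0; i < n; i++) dst[i] = (uint8_t)src[i];
    return n;
}

/* Code units needed for tmpdir + '\\' + fname + terminator. */
size_t required_units(const char *tmpdir, const char *fname) {
    return strlen(tmpdir) + 1 + strlen(fname) + 1;
}

/* Hardened builder: returns the number of code units written (without the
 * terminator), or -1 if the result would not fit in cap units.  The length
 * check happens before any byte is written to out. */
int build_tmp_name(uint16_t *out, size_t cap, const char *tmpdir, const char *fname) {
    size_t dlen = strlen(tmpdir), flen = strlen(fname);
    if (dlen >= cap || flen >= cap || required_units(tmpdir, fname) > cap)
        return -1;                       /* reject instead of overflowing */
    size_t pos = widen(out, tmpdir, dlen);
    out[pos++] = (uint16_t)'\\';
    pos += widen(out + pos, fname, flen);
    out[pos] = 0;
    return (int)pos;
}

/* Constructed inputs: a short name fits, an over-long one is refused. */
int long_name_rejected(void) {
    uint16_t buf[TMPNAME_CAP];
    char longname[TMPNAME_CAP + 8];
    memset(longname, 'A', sizeof longname - 1);
    longname[sizeof longname - 1] = 0;
    int ok  = build_tmp_name(buf, TMPNAME_CAP, "C:\\TEMP", "report.pdf");
    int bad = build_tmp_name(buf, TMPNAME_CAP, "C:\\TEMP", longname);
    return ok == 18 && bad == -1;
}
```

  Note that checking the narrow filename's byte length against the buffer's
  byte size would undercount here, since each character occupies two bytes
  after widening.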

  The RET address is saved in the 4-byte area at offset 214H from the buffer.
  The offset from the filename or the file extension depends on the length of
  the temporary directory name.

  In short, the temporary directory name sits at the top of the buffer.

  And while the overwritten RET address is being processed,
  the ESP register points to the next RET address.

  Therefore, it is possible to execute arbitrary code
  by overwriting the RET address with the address of a "jmp ESP" opcode
  and placing the code at the next RET address.


  It would be easy to execute arbitrary malicious code if the attacker
  specifies the filename via an "Inline Frame", "Frame", "Link", "Script", etc.

  But it is slightly more difficult to execute arbitrary code if the filename is
  specified by metadata such as the "Content-Disposition" header,
  because the filename is converted into wide characters using the
  "System Locale".

  Even in this case, it is by no means safe, because the stack corruption
  (overwriting the RET address via the buffer overflow) cannot be prevented.


  * Opera 7

    [Windows 2000, Windows XP]

      There is an area that is referenced after the overwrite:
      the 4-byte area at offset 04H from the 4 bytes following the RET address.

    [Windows 9x]

      There are areas that are referenced after the overwrite:
      the 4-byte area at offset 04H from the 4 bytes following the RET address,
      and the area after offset 2CH.
      The heap contains a copy of the downloaded filename, whose head address
      is pointed to by ESP+54H.

  * Opera 6

    If the filename includes ".",
    the offset of the RET address is counted from the character after the last ".".

    If "Encode all addresses with UTF-8" or "Determine action by MIME type" is
    disabled, it could be difficult to execute code because the filename is
    converted into wide characters without URL decoding.

    Even in this case, it is by no means safe, because the stack corruption
    (overwriting the RET address via the buffer overflow) cannot be prevented.

    [Windows 2000, Windows XP]

      There is an area that is referenced after the overwrite:
      the 4-byte area at offset 04H from the 4 bytes following the RET address.

    [Windows 9x]

      The offset to the RET address is 244H bytes.


  You can avoid the exception by preparing a writable address value
  if the area following the RET address and the two 4-byte areas after it
  is referenced.


Sample Code : (attached file)

  dlfnbof.pl

  This sample is a small HTTP server that returns HTML containing exploit
  code that launches Internet Explorer using this vulnerability.
  It is written in Perl and was checked on ActivePerl 5.6.x for Windows.

  * This source code is just a sample for checking this vulnerability.
  * We take no responsibility for any kind of damage caused
    by using this code.


Special thanks :

  :: Operash ::
  [ Unofficial Opera bug and security information site for Japanese users ]

  imagine (Operash webmaster)
  melorin
  piso (sexy)


Contacts, Etc :

  nesumin <nesumin () softhome net>

  We cannot guarantee the accuracy of all statements in this information,
  but all of the facts have been checked to the best of our ability.
  We do not anticipate issuing updated versions of this information
  unless there is some material change in the facts.
  Should there be a significant change in the facts,
  we may update this information. We take no responsibility for
  any kind of damage caused by using this information.

       ___________________________________________________



--------------------------------------------------
nesumin <nesumin () softhome net>

Attachment: dlfnbof.pl

Attachment: gpa.c