Vulnerability Development mailing list archives
Re: Opera Browser goes Crash
From: "Aaron Lafferty" <lafferty () oar net>
Date: Tue, 23 Oct 2001 11:43:18 -0400
I can confirm this on Opera 5.11 build 904 running on Windows 2000 SP2 w/ all critical fixes.

----- Original Message -----
From: "Holmes, Ben" <Ben.Holmes () getronics com>
To: "Vuln-Dev (E-mail)" <vuln-dev () securityfocus com>
Sent: Tuesday, October 23, 2001 4:53 AM
Subject: Opera Browser goes Crash

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I usually use Opera browser (it truly is a fast browser), and it just closed when I went to a link... The link was "http://www.malware.com/hello.html". In Netscape, it is supposed to play a sound file... In IE it just comes up and allows you to view source.

The source is basically a small JavaScript part (and that should work fine), but the other part is a large embedded sound file. It is in this form:

'<embed src="data:audio/wav;base64,[Base 64 data of a sound file]" autostart=true width=0 height=0 loop=true>' tag.

It didn't seem to give an error message or anything.. if it was overflowing a buffer I'd usually expect that it would generate a Windows error message when it gets random junk like this... But it just closes.. completely and gracefully... but it closes nevertheless..

I am thinking:

A> It is a configuration problem on this PC... It decodes the Base 64 (or goes to) but some plug-in or system it uses to play the file or decode it that is possibly specific to this PC dies.

B> The length of the embed tag is too long and overflows an internal buffer and jumps right to a close (either graciously, or by super good error checking routines)... Or something else happens that makes Windows not notice that a program is doing weird_funky_things (tm).

C> The "embed" tag is touchy and its implementation is bad. This doesn't seem to be the case though, because if I make the [Base 64 data of a sound file] part much smaller, it just does the same as IE does.

If it is "B"... is it exploitable in the form:

'<embed src="data:audio/wav;base64,[Nasty code][Padding][address of a jmp esp]" autostart=true width=0 height=0 loop=true>'

or some other such thing, that would cause "Nasty Code" to be run in the Opera process.

Does it happen on anyone else's computer that runs Opera... or is this little currently Opera-specific DoS also "this computer" specific...

- --
Benjamin Holmes
E&OE. All spelling and grammatical errors are for your enjoyment and entertainment only and are copyright Benjamin Holmes.

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 7.0.3 for non-commercial use <http://www.pgp.com>
Comment: Pee Gee Peeeeee!

iQA/AwUBO9Uv/HLvuelW5gClEQLO5wCg+K5tXdKdWAiaEBj71BiYnks964wAoJP5
VvPSGdUiC5c8kZ8/yhA5DZ06
=XF0I
-----END PGP SIGNATURE-----
Current thread:
- Opera Browser goes Crash Holmes, Ben (Oct 23)
- Re: Opera Browser goes Crash ANdrei (Oct 23)
- Re: Opera Browser goes Crash Aaron Lafferty (Oct 23)
- Message not available
- Re: Opera Browser goes Crash Greg Wirth (Oct 23)
- Re: Opera Browser goes Crash titurel (Oct 23)
- Re: Opera Browser goes Crash Greg Wirth (Oct 23)
- Re: Opera Browser goes Crash Gnuthad (Oct 26)
- Re: Opera Browser goes Crash Greg Wirth (Oct 23)
- Re: Opera Browser goes Crash Zen (Oct 23)
- Re: Opera Browser goes Crash Martin Sunnerdahl (Oct 23)
- Re: Opera Browser goes Crash David Worth (Oct 23)
- RE: Opera Browser goes Crash Jason Waldhelm (Oct 23)
- Re: Opera Browser goes Crash Sephiroth (Oct 24)
- Re: Opera Browser goes Crash Chip Mefford (Oct 24)