Opera 9.50 beta and prior remote DoS (freeze)

2007.12.25
Risk: Low
Local: No
Remote: Yes
CWE: CWE-399


CVSS Base Score: 7.8/10
Impact Subscore: 6.9/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: None
Integrity impact: None
Availability impact: Complete

* Name : Opera 9.50 beta / 9.24 Remote DoS * Type : Remote DoS * Credits: Gynvael Coldwind of Vexillium & Simey * Impact : Low * Short description Opera is vulnerable to a remote DoS attack, using spacially crafted BMP files, that causes the browser to freeze for a short amount of time (around 4 minutes on fast computer). An attacker could create a web page that contains multiple BMP files displayed by an <img> tag. This would freeze the browser for N*4 minutes, where N is the number of images (so 100 images, the browser freezez for almost 7 hours). When frozen, the browser consumes 100% CPU power. * Verbose description BMP file format allows Run Length Encoding in case of 4 and 8 bit bitmaps. The RLE used in BMP format has additional features like skipping the decompression write pointer to end of the line (bytes 00 00), skiping to the end of bitmap (00 01), and moving the write pointer to another line and column (00 02 XX YY). Opera has an ultra slow implementation of the 00 02 XX YY feature. Normalny an decompression algorithm adds XX and YY * width to the write pointer, but Opera has implemented a much slower way, with additional check etc. The implementation performs XX + YY * width incrementations (each with it's own checks and other calculations). An attacker could use this fact to create a BMP file with maximum possible width (in Opera this would be around 32000 pixels), and the file's data should be filled with 00 02 FF FF opcodes (see DoS_PoC/DoS_BMP_Generator/test10.cpp for a sample generator). One malformed bitmap freezes the browser for some time. The time depends on CPU speed. A simple benchmark tests have been performed: CPU TYPE/SPEED TIME Intel Core 2 Quad 2.4 GhZ over 4 minutes Intel Celeron M 1.6 GhZ over 20 minutes Through this time the browser is frozen, does not react to user commands, and does not redraw it's content. Additionally, the attacker could create a web page that contains multiple images (<img> tag) to freeze the browser for N*OneFreezeTime (where N is the number of images). See DoS_PoC/RunMe.html for a simple example (10 bitmaps used). Please note that due to Opera's bitmap caching, each bitmap should be named differently (for example test1.bmp, test2.bmp, and so on). * Proof of Concept (This DoS'es the Opera, no warning is provided ;>) http://gynvael.vexillium.org/opera_dos/ * Disclaimer This document and all the information it contains is provided "as is", without any warranty. The author is not responsible for the misuse of the information provided in this advisory. The advisory is provided for educational purposes only. Permission is hereby granted to redistribute this advisory, providing that no changes are made and that the copyright notices and disclaimers remain intact.


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2019, cxsecurity.com

 

Back to Top