Opera Web Browser 12.11 WriteAV Vulnerability

2012.12.03
Credit: coolkaveh
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

Title : Opera Web Browser 12.11 WriteAV Vulnerability Version : 12.11 Build 1661 and 12.12 Date : 2012-12-03 Vendor : http://www.opera.com/ Impact : High Contact : coolkaveh [at] rocketmail.com Twitter : @coolkaveh tested : windows XP SP3 Author : coolkaveh ################################################### Opera is a web browser and Internet suite developed by Opera Software with over 270 million users worldwide. The browser handles common Internet-related tasks such as displaying web sites, sending and receiving e-mail Messages, managing contacts, chatting on IRC, downloading files via BitTorrent, and reading web feeds. Opera is Offered free of charge for personal computers and mobile phones. ################################################### Bug : ---- Heap corruption during the handling of the Gif files context-dependent Successful exploits can allow attackers to execute arbitrary code ---- #################################################### (f00.704): Access violation - code c0000005 (first chance) First chance exceptions are reported before any exception handling. This exception may be expected and handled. eax=00000b0b ebx=0000000b ecx=0000100b edx=042bc048 esi=0417ffff edi=00141048 eip=67237c8b esp=0012e3d8 ebp=0000001e iopl=0 nv up ei ng nz na po cy cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010283 *** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files\Opera\Opera.dll - Opera!OpSetLaunchMan+0xb69f5: 67237c8b 880e mov byte ptr [esi],cl ds:0023:0417ffff=?? 0:000>!exploitable -v eax=00000b0b ebx=0000000b ecx=0000100b edx=042bc048 esi=0417ffff edi=00141048 eip=67237c8b esp=0012e3d8 ebp=0000001e iopl=0 nv up ei ng nz na po cy cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010283 Opera!OpSetLaunchMan+0xb69f5: 67237c8b 880e mov byte ptr [esi],cl ds:0023:0417ffff=?? HostMachine\HostUser Executing Processor Architecture is x86 Debuggee is in User Mode Debuggee is a live user mode debugging session on the local machine Event Type: Exception *** ERROR: Symbol file could not be found. Defaulted to export symbols for ntdll.dll - *** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\WINDOWS\system32\WINMM.dll - Exception Faulting Address: 0x417ffff First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005) Exception Sub-Type: Write Access Violation Exception Hash (Major/Minor): 0x63712c74.0x0c14230f Stack Trace: Opera!OpSetLaunchMan+0xb69f5 Opera!OpSetLaunchMan+0xb66fc Opera!OpSetLaunchMan+0xb644a Opera!OpSetLaunchMan+0x38f4d Opera!OpSetLaunchMan+0x1b7b3 Opera!OpSetLaunchMan+0x20a498 Opera!OpSetLaunchMan+0x1fb4e3 Opera!OpSetLaunchMan+0x1fb5d5 Opera!OpSetLaunchMan+0x16d0c1 ntdll!RtlRemoveVectoredExceptionHandler+0x2a2 ntdll!RtlAllocateHeap+0x117 Opera!OpSetLaunchMan+0x1503b9 ntdll!RtlRemoveVectoredExceptionHandler+0x823 ntdll!RtlFreeHeap+0x130 WINMM!timeGetTime+0x2c Instruction Address: 0x0000000067237c8b Description: User Mode Write AV Short Description: WriteAV Exploitability Classification: EXPLOITABLE Recommended Bug Title: Exploitable - User Mode Write AV starting at Opera!OpSetLaunchMan+0x00000000000b69f5 (Hash=0x63712c74.0x0c14230f) User mode write access violations that are not near NULL are exploitable. ############## Proof of concept included. http://www5.zippyshare.com/v/97852312/file.html

References:

http://www5.zippyshare.com/v/97852312/file.html


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top