[20333] in bugtraq
AGAIN: Tested on Windows 98 with 'free' Opera 5.02 Build 856a (No
daemon@ATHENA.MIT.EDU (http-equiv@excite.com)
Fri Apr 20 01:02:09 2001
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-ID: <17965959.987663694282.JavaMail.imail@scorch.excite.com>
Date: Thu, 19 Apr 2001 00:01:30 -0700
Reply-To: http-equiv@excite.com
From: "http-equiv@excite.com" <http-equiv@excite.com>
To: BUGTRAQ@SECURITYFOCUS.COM
Thursday, 19 April, 2001
There is an interesting oddity with the 'free' Opera 5.02 Build 856a (No
Java Runtime Environment installed) on Windows 98 with downloading files. In
particular *.exe. While the array of file type associations and instructions
what to do with them is wide, the instruction set for *.exe simply does not
stick.
Normally when executing a file download, the security warning box is invoked
asking whether you wish to 'open or save' -- this is default. Also, as it
should be, the ability to uncheck-mark the security warning box is greyed
out.
However if you select open, the file association settings seem to
automatically register 'open with default application' instead of reverting
to 'show download dialog'. Naturally, thereafter any file download is
automatically opened.
Simply put:
http://opera.online.no/win/ow32enen510.exe
will (should) invoke the security warning download dialog
(screen shot: http://www.malware.com/foopera.jpg 31KB)
But because we intend to install from the trusted source, we select 'open
file' in order to install, thereafter the file association settings seem to
register themselves to always 'open with default application' for an *.exe
and naturally when we go to:
[working example: harmless *.exe automatically launched]
http://www.malware.com/fauxpera.html simply viewing the page or clicking on
the link automatically runs our *.exe
Once again: test vehicle 'free' Opera 5.02 Build 856a (No Java Runtime
Environment installed) on Windows 98
Additionally we can crash it extremely hard with simple, yet unorthodox
JavaScripting squeezed into a shockwave file:
custom create a shockwave file (*.swf), select the interactive text or
button and force into the href field:
javascript:document.location="*.xbm?<script>alert()</script> simply add <img
src="malware.xbm"> -- what happens is Opera locates the *.xbm (we use an
obscure file to ensure no others are likely to be in the cache) and views it
automatically from the cache (note: without the need for a name):
(screen shot: http://www.malware.com/bar.jpg 25KB)
and the simple alert() then tries to fire from within the cache resulting
in:
OPERA caused an invalid page fault in
module OPERA.EXE at 015f:004e2b1a.
Registers:
EAX=00fcc0f0 CS=015f EIP=004e2b1a EFLGS=00010206
EBX=017855fc SS=0167 ESP=0084e530 EBP=0084e54c
ECX=00580038 DS=0167 ESI=01f701c3 FS=0e87
EDX=00007470 ES=0167 EDI=00000000 GS=0000
Bytes at CS:EIP:
80 3e 00 74 19 56 e8 eb 6e 05 00 40 50 e8 cf 6d
Stack dump:
00000000 00fcc110 00455f8a 01f701c3 0058002c 01785c40 01ee3f90 0084e570
00455e4f 00000002 00000001 0058002c 01f701c3 00000000 00000000 017856a0
IMPORTANT NOTES:
1. Tested on Windows 98 with 'free' Opera 5.02 Build 856a (No Java Runtime
Environment installed)
2. In the 10 days from today's date since the download and installation of
the 'free' Opera 5.02 Build 856a (No Java Runtime Environment installed),
the manufacturer http://www.opera.com has since come out with a newer
version: Opera 5.10 Build 902 which doesn't appear to be affected at all.
3. There also doesn't appear to be any mention of the above findings
anywhere for 'free' Opera 5.02 Build 856a (No Java Runtime Environment
installed) on Windows 98
4. Suggest to test your version/configuration and upgrade if affected
5. This all may very well be a unique combination system configuration
problem
One More Time: Tested on Windows 98 with 'free' Opera 5.02 Build 856a (No
Java Runtime Environment installed)
---
http://www.malware.com
_______________________________________________________
Send a cool gift with your E-Card
http://www.bluemountain.com/giftcenter/
