Re: [Full-disclosure] DLL Hijacking vulnerability in Opera



It was reported on 24th August already
http://www.exploit-db.com/exploits/14732/

It takes only a few seconds to check it
http://secunia.com/advisories/41083/

Juha-Matti

MustLive [mustlive@xxxxxxxxxxxxxxxxxx] wrote:
Hello Full-Disclosure!

I want to warn you about a DLL Hijacking vulnerability in Opera. As I wrote
on Saturday in my post DLL Hijacking in different browsers
(http://websecurity.com.ua/4522/), besides Mozilla Firefox (which was fixed
in version 3.6.9), Opera is also vulnerable.

The DLL Hijacking vulnerability in Opera allows execution of arbitrary code
via the library dwmapi.dll. The attack will work in Opera on Windows. For the
attack, the same dwmapi.dll can be used as for Firefox (based on the sources
of Glafkos Charalambous).

When I informed Opera, I drew their attention both to the hole itself and to
the possibility of attacking Opera 10.62 (which was released recently), where
this hole was fixed by the developers.

There are two possible variants of the attack:

1. The attack will work when a web page file (htm, html, mht, mhtml) or other
file is opened in the browser and the file dwmapi.dll is alongside it.

2. If the file dwmapi.dll is placed on the desktop or in any folder which is
in PATH, then the code will run at every start of the browser.

From the second variant of the attack it's clear that in some applications
(such as Opera) it's possible to conduct DLL Hijacking attacks with another
method than the one which was mentioned in August. I.e. the code will execute
not only when the dll-file is placed alongside a file designed to be opened in
the application, but also if the dll-file is placed on the desktop or in any
folder which is in PATH. And the code can be executed even at the start of the
application (as in Opera), without opening any files.

Opera 10.61 and previous versions are vulnerable.

As I checked in Opera 10.62, which was released on 09.09.2010, this version is
not vulnerable (to both variants of the attack). Only if the dll-file is
placed in the Opera folder or in System32 will the code work (so the attack
can take place on systems with FAT32, or when the attacker has appropriate
rights on systems with NTFS).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
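
A defensive check for the second variant described in the quoted post (a dwmapi.dll on the desktop or in a PATH folder), as an added example that is not part of the original thread: it lists DLLs in the given folders whose names shadow a DLL in the system directory. The function names and the sample folder layout are assumptions constructed for illustration.

```python
import os
import tempfile
from pathlib import Path


def find_shadowing_dlls(search_dirs, system_dir, names=None):
    """Return sorted paths of files in search_dirs that carry the name of a
    DLL in system_dir (or one of `names`), compared case-insensitively."""
    system_dir = Path(system_dir).resolve()
    if names is None:
        watched = {p.name.lower() for p in system_dir.iterdir()
                   if p.suffix.lower() == ".dll"}
    else:
        watched = {n.lower() for n in names}
    hits, seen = [], set()
    for d in search_dirs:
        d = Path(d)
        if not d.is_dir():          # stale PATH entries are common; skip them
            continue
        rd = d.resolve()
        if rd == system_dir or rd in seen:
            continue                # the system copy itself is not a finding
        seen.add(rd)
        hits += [e for e in rd.iterdir()
                 if e.is_file() and e.name.lower() in watched]
    return sorted(hits)


def path_dirs():
    """Folders from the PATH environment variable, in order."""
    return [p for p in os.environ.get("PATH", "").split(os.pathsep) if p]


def demo():
    # Constructed layout standing in for System32, a PATH folder and a desktop.
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp).resolve()
        for rel in ("System32/dwmapi.dll", "System32/kernel32.dll",
                    "tools/DWMAPI.DLL", "tools/helper.dll", "Desktop/page.html"):
            f = root / rel
            f.parent.mkdir(exist_ok=True)
            f.write_bytes(b"")
        dirs = [root / "System32", root / "tools", root / "Desktop", root / "gone"]
        hits = find_shadowing_dlls(dirs, root / "System32")
        return [h.relative_to(root).as_posix() for h in hits]


if __name__ == "__main__":
    print(demo())
```

On a real Windows host, pass `path_dirs()` plus the user's desktop folder as `search_dirs` and the System32 folder as `system_dir`.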


