[Opera 7] Arbitrary File Delete Vulnerability

From: :: Operash :: (nesumin_at_SOFTHOME.NET)
Date: 12/12/03

    Date:         Fri, 12 Dec 2003 09:39:13 +0900
    To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
    
    

    ----------------------------------------------------------------------
    TITLE : [Opera 7] Arbitrary File Delete Vulnerability
                    -= How Dare You Delete My Important Files? =-
    PRODUCT : Opera 7 for Windows
    VERSIONS : 7.22 build 3221 (JP:build 3222)
                    7.21 build 3218 (JP:build 3219)
                    7.20 build 3144 (JP:build 3145)
                    7.1x
                    7.0x
    VENDOR : Opera Software ASA (http://www.opera.com/)
    SEVERITY : Critical.
                    An arbitrary file on the local disk could be
                    deleted remotely.
    DISCOVERED BY : nesumin
    AUTHOR : :: Operash ::
    REPORTED DATE : 2003-11-26
    RELEASED DATE : 2003-12-12
    ORIGINAL URL : http://opera.rainyblue.org/adv/opera07-autodel-en.php
    ----------------------------------------------------------------------

    0. PRODUCT
    ============

      Opera for Windows is a GUI-based web browser.
      Opera Software ASA (http://www.opera.com/)

    1. DESCRIPTION
    ================

      When displaying a Download Dialog, Opera creates a temporary file.
      The name of this file is not sufficiently sanitized, so an
      existing file can be deleted.

      By exploiting this vulnerability, a remote attacker can delete
      an arbitrary existing file on a local disk.

      This vulnerability poses the following risks:

      * Destruction of the system.
      * Destruction of application data.

    2. SYSTEMS AFFECTED
    =====================

      7.22 build 3221 (JP:build 3222)
      7.21 build 3218 (JP:build 3219)
      7.20 build 3144 (JP:build 3145)
      7.1x
      7.0x

    3. SYSTEMS NOT AFFECTED
    =========================

      7.23 build 3227 (JP:build 3226)

    4. TESTED ENVIRONMENTS
    ========================

      Opera for Windows:
        Opera 7.23 build 3227 (JP:build 3226)
        Opera 7.22 build 3221 (JP:build 3222)
        Opera 7.21 build 3218 (JP:build 3219)
        Opera 7.20 build 3144 (JP:build 3145)
        Opera 7.11 build 2887
        Opera 7.11 build 2880
        Opera 7.10 build 2840
        Opera 7.03 build 2670
        Opera 7.02 build 2668
        Opera 7.01 build 2651

      Platform:
        Windows 98SE Japanese
        Windows 2000 Professional SP4 Japanese
        Windows XP Professional SP1 Japanese

    5. SOLUTION
    ===============

      Upgrade to version 7.23 or later.

    6. TECHNICAL DETAILS
    ======================

      When displaying a Download Dialog, Opera creates a temporary file
      in the temporary directory. Its name is based on the file name
      used for the download. This temporary file is used to look up
      the associated application.

      ---------------------------------------------------------------
      ex)

        Download URL:
            "http://server/path/FILENAME.ext"

        Temporary Filename:
            "c:\windows\temp\FILXXX.tmp.FILENAME.ext"

        (XXX is random string, like "01A")
      ---------------------------------------------------------------

      However, the temporary file name is not sufficiently sanitized,
      so it can contain the illegal character string '..%5C'.
      A file name containing this string can resolve to any path on
      the same drive as the temporary file.
      If a file with the same name already exists at that path,
      it is overwritten and deleted soon afterwards.

      ---------------------------------------------------------------
      ex)

        Download URL:
          http://server/path/AAAAAAAAAA%5C..%5C..%5Ccalc.exe

        Temporary Filename:
          "c:\windows\temp\AAAXXX.tmp.AAAAAAAAAA\..\..\calc.exe"

          which resolves to "c:\windows\calc.exe"

      ---------------------------------------------------------------

      Therefore, if a user visits a malicious URL that makes Opera
      display the Download Dialog, the user's files could be deleted
      through this vulnerability.

      A file can be deleted if all of the following conditions hold:

      1. The file's path can be specified as a relative path
         from the temporary directory.
      2. The file name contains '.'.
      3. The file is writable with the privileges of the Opera process.
      4. The file does not have the "Read Only" attribute on the
         Windows 9x kernel, or the "Read Only", "System" or "Hidden"
         attributes on the Windows NT kernel.
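
The path resolution described in section 6, as an added example that is not part of the original advisory and is not Opera's code. It models the temporary-name construction from the advisory's two examples (the random part is fixed to "01A" for reproducibility) and contrasts it with a hypothetical sanitizer; the function names and the sanitizing approach are assumptions.

```python
import ntpath                      # Windows path rules, usable on any OS
from urllib.parse import unquote

TEMP_DIR = r"c:\windows\temp"      # temporary directory from the advisory's example


def temp_name_unsanitized(url_filename, rnd="01A"):
    """Model of the described behaviour: the decoded name is appended as-is."""
    name = unquote(url_filename)   # '%5C' becomes a backslash
    return ntpath.join(TEMP_DIR, f"{name[:3]}{rnd}.tmp.{name}")


def resolve(path):
    """Collapse '..' components the way Windows path resolution does."""
    return ntpath.normpath(path)


def resolves_inside(path, base=TEMP_DIR):
    """True only if the resolved path is still below the temporary directory."""
    norm = ntpath.normcase(resolve(path))
    root = ntpath.normcase(resolve(base))
    return norm.startswith(root + "\\")


def temp_name_sanitized(url_filename, rnd="01A"):
    """Hypothetical fix: keep only the last path component, then verify."""
    name = unquote(url_filename)
    # Treat both separators alike and drop every directory component.
    leaf = name.replace("/", "\\").rsplit("\\", 1)[-1]
    # Neutralise drive letters / alternate data streams and bare dot names.
    leaf = leaf.replace(":", "_")
    if leaf in ("", ".", ".."):
        leaf = "download"
    path = ntpath.join(TEMP_DIR, f"{leaf[:3]}{rnd}.tmp.{leaf}")
    # Defence in depth: refuse anything that still escapes the directory.
    if not resolves_inside(path):
        raise ValueError("temporary file name escapes the temp directory")
    return path


if __name__ == "__main__":
    # File names taken from the advisory's examples.
    for fn in ("FILENAME.ext", "AAAAAAAAAA%5C..%5C..%5Ccalc.exe"):
        raw = temp_name_unsanitized(fn)
        print(fn)
        print("  unsanitized:", resolve(raw), "| inside temp:", resolves_inside(raw))
        print("  sanitized:  ", temp_name_sanitized(fn))
```

The containment check in `resolves_inside` is the part worth keeping even when the name is already stripped to its last component, because it catches any separator or encoding the stripping step missed.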

    7. SAMPLE CODE
    ================

      None released.

    8. TIME TABLE & VENDOR STATUS
    ===============================

      2003-10-09 Discovered this vulnerability.
      2003-11-26 Reported to vendor.
      2003-12-12 Released this advisory.

      No reply from vendor.

    9. DISCLAIMER
    ===============

      A. We cannot guarantee the accuracy of all statements in this information.
      B. We do not anticipate issuing updated versions of this information
         unless there is some material change in the facts.
      C. And we will take no responsibility for any kinds of disadvantages by
         using this information.
      D. You can quote this advisory without our permission provided you observe the following:
         a. Do not distort this advisory's content.
         b. A quoted place should be a medium on the Internet.
      E. If you have any questions, please contact us.

    10. CONTACT, ETC
    ==================

      :: Operash :: http://opera.rainyblue.org/

      imagine (Operash Webmaster)
      nesumin <nesumin[at]softhome[dot]net>

      Thanks to :

        anima
        melorin
        piso
