[NT] Phantom of the Opera (Opera Error Handling Executes Commands)

From: support@securiteam.com
Date: 02/10/03

    From: support@securiteam.com
    To: list@securiteam.com
    Date: 10 Feb 2003 15:22:13 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    Beyond Security would like to welcome Tiscali World Online
    to our service provider team.
    For more info on their service offering IP-Secure,
    please visit http://www.worldonline.co.za/services/work_ip.asp
    - - - - - - - - -

      Phantom of the Opera (Opera Error Handling Executes Commands)
    ------------------------------------------------------------------------

    SUMMARY

    Opera recently released a new version of its browser.
    Version 7 brings many long-awaited features such as proper DOM support and
    an improved rendering engine. Among the useful new features, Opera added a
    shiny new JavaScript console. The console is mainly used by developers in
    order to efficiently track down exceptions in running scripts.

    A vulnerability in the way these exceptions are handled allows an attacker
    to make the console execute arbitrary script code with elevated privileges.

    DETAILS

    Vulnerable systems:
     * Opera version 7 on Windows operating system

    Immune systems:
     * Opera version 7.01 on Windows operating system

    Opera's JavaScript console uses three HTML files residing in Opera's
    installation directory. The most important of them is "console.html",
    which contains all the logic behind the console.

    The console lists unhandled exceptions that are thrown during the life of
    a session. JavaScript can throw custom exceptions using the "throw"
    statement and Opera adds its own way to create debug messages with the
    "opera.postError" method.

    In order to display clickable URLs properly, Opera does some formatting on
    the thrown exception message to turn any URLs in it into links:

    newmsg = msg.replace( /</g, "&lt;" ).
                replace( />/g, "&gt;" ).
                replace( /https?:\/\/\S+/g, create_link ).
                replace( /file:\/\/(?:\S|(?:[ ](?=[^\n\r]*\.)))+/g,
                         create_link );

    The first two lines supposedly handle the safety of this string, so it
    would not contain HTML. The last two lines are meant to transform strings
    that appear like URLs into actual links. Unfortunately, each of these last
    two lines contains an obvious way for an attacker to inject his own
    attributes to the link. By doing so, the attacker can gain access to the
    file:// protocol, which, among others, has the following implications:

     * Read any file on the user's file system.
     * Read the contents of directories on the user's file system.
     * Read emails written or received by M2, Opera's mail program.

    The first vulnerable regular expression is /https?:\/\/\S+/g. It matches
    anything starting with "http://" or "https://" and keeps consuming
    characters as long as they are not whitespace. This regular expression
    does not check for the existence of quotes, which are the delimiters of
    the "href" attribute in the resulting link, and therefore opens up a way
    to add additional attributes (spaces between attributes are not
    mandatory).

    The second vulnerable regular expression is
    /file:\/\/(?:\S|(?:[ ](?=[^\n\r]*\.)))+/g. It matches anything starting
    with "file://" followed by non-whitespace characters or regular spaces,
    where a space is accepted only as long as a dot appears later on the same
    line with no line break in between. The same mistake is made again;
    quotes can be used to add additional attributes to the link.

    Being able to add arbitrary attributes to a link may seem innocent, but
    with a little manipulation, it leads to the execution of arbitrary script
    code. The "style" attribute in most elements, for example, may contain
    properties such as "background-image", which normally point to a URL. That
    URL can be "javascript:[code]", which will be executed in the context of
    the console (file:// protocol).

    Exploit:
    A simple exploit of the first regular expression:
    open("file://localhost/console.html","","");
    opera.postError("http://\"style=\"background-image:url('javascript:alert(location.href)')\"");

    A simple exploit of the second regular expression:
    open("file://localhost/console.html","","");
    opera.postError("file://\" style=\"background-image:url('javascript:alert(location.href)')\".");

    Demonstration:
    GreyMagic has put together two proof-of-concept demonstrations:
     * Simple (<http://security.greymagic.com/adv/gm003-op/phSimple.asp>):
    Demonstrates how the poisonous debug message is being inserted.
     * GreyMagic Opera Disk Explorer
    (<http://security.greymagic.com/adv/gm003-op/phExp.asp>): Browse your
    entire file system using this explorer-like tool, which takes advantage
    of this vulnerability in order to access local resources.

    Solution:
    Fortunately, this vulnerability can be solved manually:
     * Edit the file "console.html", which resides in Opera's installation
    directory.
     * Line 52 should read: m.replace( /\\/g, "\\\\" ) +
     * Replace it with: m.replace( /\\/g, "\\\\" ).replace( /"/g, "&quot;" ) +
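    As an added illustration (not code from this advisory, from GreyMagic, or
    from Opera's console.html), the following JavaScript re-implements the
    link formatting quoted above with the original "<"/">"-only escaping
    beside the quote-encoding fix from the Solution section, and runs both
    over the advisory's two test strings and a benign message. The body of
    create_link is assumed (the advisory shows only its name), as are the
    helper names escapeOriginal, escapeFixed, formatMessage,
    extraAnchorAttributes and audit; the regular expressions are the
    advisory's own.

```javascript
// Added example (not code from the advisory, GreyMagic, or Opera's
// console.html): a re-implementation of the console's message-to-link
// formatting, with the original "<"/">"-only escaping beside the
// quote-encoding fix, plus a check that flags attribute injection.

// Original escaping as the advisory describes it: only "<" and ">" become
// entities, so a double quote passes through untouched.
function escapeOriginal(msg) {
  return msg.replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

// Fixed escaping: double quotes become &quot; before any URL is turned into
// a link, so message text can never close the href="..." delimiter.
function escapeFixed(msg) {
  return escapeOriginal(msg).replace(/"/g, "&quot;");
}

// Assumed shape of create_link (the advisory shows only its name): wrap the
// matched URL text in an anchor whose href is delimited by double quotes.
function createLink(url) {
  return '<a href="' + url + '">' + url + "</a>";
}

// The two URL-to-link replacements quoted in the advisory, run after the
// chosen escaper. The regular expressions are the advisory's own.
function formatMessage(msg, escape) {
  return escape(msg)
    .replace(/https?:\/\/\S+/g, createLink)
    .replace(/file:\/\/(?:\S|(?:[ ](?=[^\n\r]*\.)))+/g, createLink);
}

// Defender-side check: list every attribute other than href on each <a> tag
// in the rendered HTML. createLink only ever emits href, so anything else
// came from the message and means the quote delimiters were broken out of.
function extraAnchorAttributes(html) {
  const names = [];
  const tagRe = /<a\s([^>]*)>/g;
  const attrRe = /([A-Za-z-]+)\s*=\s*"[^"]*"/g;
  let tag;
  while ((tag = tagRe.exec(html)) !== null) {
    let attr;
    attrRe.lastIndex = 0;
    while ((attr = attrRe.exec(tag[1])) !== null) {
      if (attr[1].toLowerCase() !== "href") names.push(attr[1]);
    }
  }
  return names;
}

// Constructed sample messages: a benign one and the advisory's two published
// test strings, one per vulnerable regular expression.
const SAMPLE_MESSAGES = [
  "TypeError at http://www.securiteam.com/index.html line 3",
  'http://"style="background-image:url(\'javascript:alert(location.href)\')"',
  'file://" style="background-image:url(\'javascript:alert(location.href)\')".',
];

// Run every sample through both escapers; returns, per message, the injected
// attribute names seen with the original code and with the fix applied.
function audit(messages) {
  return messages.map((msg) => ({
    message: msg,
    original: extraAnchorAttributes(formatMessage(msg, escapeOriginal)),
    fixed: extraAnchorAttributes(formatMessage(msg, escapeFixed)),
  }));
}

for (const r of audit(SAMPLE_MESSAGES)) {
  console.log(JSON.stringify(r));
}
```

    Run with node: the audit reports an injected "style" attribute for both
    test strings under the original escaping and none once double quotes are
    entity-encoded, while the benign message renders to the same link either
    way. Encoding the quote before the link step also means the URL regular
    expressions simply swallow the &quot; entity as part of the href value,
    which stays inside the attribute and is harmless.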

    ADDITIONAL INFORMATION

    The original advisory can be found at:
     <http://security.greymagic.com/adv/gm003-op/>

    The information has been provided by GreyMagic Software
    (<mailto:security@greymagic.com>).

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.


