[NT] Opera's Image Handling Vulnerable to Cross Site Scripting

From: support@securiteam.com
Date: 02/10/03

    From: support@securiteam.com
    To: list@securiteam.com
    Date: 10 Feb 2003 15:31:22 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

      Opera's Image Handling Vulnerable to Cross Site Scripting
    ------------------------------------------------------------------------

    SUMMARY

    Opera recently released a new version of its browser.

    Opera 7, just like any other browser, supports a considerable amount of
    image formats. Images are normally embedded in HTML documents but they can
    also be accessed directly via the browser.

    A vulnerability in the way Opera handles images allows remote attackers to
    cause Opera to execute arbitrary commands.

    DETAILS

    Vulnerable systems:
     * Opera 7 under the Windows operating system

    Immune systems:
     * Opera 7.01 under the Windows operating system

    By examining the HTML Opera produces when it displays a single image, it
    becomes obvious that Opera does not escape the provided URL before inserting
    it into that HTML. Luckily, though, Opera automatically encodes most
    characters in the URL, so access to other domains via this flaw becomes
    impossible.

    However, URLs to local files (file:// protocol) do not get encoded and are
    therefore open to the most basic form of XSS:
    file://path/to/image.jpg?">Arbitrary HTML here.

    Moreover, to make this even more convenient for attackers, Opera provides
    an easy way to refer to its own installation directory -
    file://localhost/. Therefore, instead of searching for default images in
    the OS, an attacker can simply refer to file://localhost/images/file.gif,
    one of the few images Opera ships by default, and gain the following
    abilities:
     * Read any file on the user's file system.
     * Read the contents of directories on the user's file system.
     * Read emails written or received by M2, Opera's mail program.
     * And more...

    Note: the same applies to embeddable media, such as SWF.
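    The following is an added example, not Opera's or GreyMagic's code. It models the flaw described above: a browser builds a small HTML page to display a single image and interpolates the image URL into an <img src="..."> attribute. The wrapper shape, the scheme-dependent encoding and the sample URLs are assumptions made to illustrate the advisory, not Opera's actual implementation. It shows why encoding only at the URL layer (and skipping file://) fails, and that escaping at the point of insertion closes the hole for every scheme.

```javascript
// Added example (not Opera's or GreyMagic's code). Models a "view single image"
// wrapper page that interpolates the image URL into an <img src="..."> attribute.
// The wrapper shape and the scheme-dependent encoding below are assumptions that
// mirror the advisory's description, not Opera's real implementation.

// Constructed sample URL in the shape the advisory describes.
const ADVISORY_STYLE_URL =
  'file://localhost/images/file.gif?"><script>alert(location.href);</script>';

// Minimal HTML escaping: the characters that can terminate an attribute value
// or open a tag are replaced by entities.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Model of the behaviour the advisory describes: non-file URLs get
// percent-encoded, file:// URLs are inserted verbatim. A quote in a file://
// URL therefore closes the src attribute and the remainder becomes markup.
function buildWrapperSchemeDependent(url) {
  const isFile = /^file:/i.test(url);
  const value = isFile ? url : encodeURI(url);
  return `<html><body><img src="${value}"></body></html>`;
}

// Hardened form: escape at the point of insertion, for every scheme. Output
// encoding does not depend on what the URL layer did or did not encode.
function buildWrapperSafe(url) {
  return `<html><body><img src="${escapeHtml(url)}"></body></html>`;
}

// Check helper: list every tag name in the generated page that is not part of
// the wrapper's own skeleton. Anything listed means the URL broke out of the
// attribute.
function unexpectedTags(html) {
  const allowed = new Set(["html", "body", "img"]);
  const found = [];
  for (const m of html.matchAll(/<\/?([a-zA-Z][a-zA-Z0-9]*)/g)) {
    const name = m[1].toLowerCase();
    if (!allowed.has(name)) found.push(name);
  }
  return found;
}

// Stand-alone demonstration.
console.log(unexpectedTags(buildWrapperSchemeDependent(ADVISORY_STYLE_URL))); // ["script","script"]
console.log(unexpectedTags(buildWrapperSafe(ADVISORY_STYLE_URL)));            // []
// A non-file URL is percent-encoded by the model, so it cannot break out:
console.log(unexpectedTags(buildWrapperSchemeDependent('http://example.com/a.gif?"><b>x</b>'))); // []
```

The `unexpectedTags` check is the kind of assertion a regression test for such a wrapper would carry: generate the page for a hostile URL and require that no tag beyond the skeleton appears.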

    Exploit:
    open("file://localhost/images/file.gif?\"><script>alert(location.href);</script>","","");

    Demonstration:
    GreyMagic has put together two proof-of-concept demonstrations:
     * <http://security.greymagic.com/adv/gm004-op/oiSimple.asp> Simple:
    Demonstrates how a single local image can be exploited.
     * <http://security.greymagic.com/adv/gm004-op/oiExp.asp> GreyMagic Opera
    Disk Explorer: Browse your entire file system using this explorer-like
    tool, which takes advantage of this vulnerability in order to access local
    resources.

    Solution:
    Until a patch becomes available, disable JavaScript by going to: File ->
    Preferences -> Multimedia, and uncheck the "Enable JavaScript" item.

    ADDITIONAL INFORMATION

    The original advisory can be found at:
    http://security.greymagic.com/adv/gm004-op/

    The information has been provided by GreyMagic Software
    (security@greymagic.com).

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ========================================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.


