[NEWS] Opera HREF Escaped Server Name Overflow
From: SecuriTeam (support_at_securiteam.com)
Date: 10/20/03
To: list@securiteam.com
Date: 20 Oct 2003 19:28:51 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Opera HREF Escaped Server Name Overflow
------------------------------------------------------------------------
SUMMARY
The Opera browser exhibits a failure when rendering HTML. Certain HREFs
cause a buffer allocated on the heap to overflow. Arbitrary bytes in the
heap may be overwritten. This can result in the compromise of systems
running Opera. Opera's mail system also seems to be vulnerable, and
recovery from reading an email is somewhat difficult.
An attacker can send an email containing HTML to a user running the Opera
mail client and cause this overflow to occur when the HTML is rendered. An
owner of a web site can craft a malicious web page containing the
problematic HTML to cause an overflow on Opera clients visiting the site.
DETAILS
Vulnerable systems:
* Opera version 7.11
* Opera version 7.20
Immune systems:
* Opera version 7.21
Rendering HREFs with certain illegally escaped server names in the URL
will cause Opera to crash due to a buffer management problem. Sometimes
the crash is observed immediately, sometimes when the browser is closed,
presumably as the resources are being freed.
The escaped URLs are of the form:
<a href="file://server%%[many % characters]%%text" ></a>
Vendor Response:
Opera has released a new version of the software that is available here:
http://www.opera.com/download/
The change log (http://www.opera.com/windows/changelogs/721/) notes this fix as:
"Fixed a crash caused by illegally escaped server name"
There is no specific bulletin or warning to users that this release
contains security fixes.
Recommendation:
Upgrade to the 7.21 version of Opera browser for your platform. Filter
email to remove HTML. Run your web browser and mail client as a low
privileged user.
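One way to screen HTML mail at a gateway for the illegally escaped server names described under DETAILS, as an added example that is not part of the original advisory. The names `HrefScanner` and `scan_html` and the sample message body are assumptions made for illustration; only the server-name part of each HREF is checked, since that is what the advisory concerns.

```python
import re
from html.parser import HTMLParser

# Raw (undecoded) server-name part of a URL: scheme://<authority>/...
AUTHORITY = re.compile(r"^\s*[A-Za-z][A-Za-z0-9+.\-]*://([^/?#]*)")
# A '%' not followed by two hex digits is an illegal escape.
BAD_ESCAPE = re.compile(r"%(?![0-9A-Fa-f]{2})")


class HrefScanner(HTMLParser):
    """Collects HREFs whose server name contains illegal % escapes."""

    def __init__(self):
        super().__init__()
        self.findings = []  # list of (href, illegal_escape_count)

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases attribute names, so HREF= is covered too.
        for name, value in attrs:
            if name != "href" or not value:
                continue
            match = AUTHORITY.match(value)
            if not match:
                continue  # relative link or no server name to inspect
            bad = len(BAD_ESCAPE.findall(match.group(1)))
            if bad:
                self.findings.append((value, bad))


def scan_html(html):
    """Return [(href, count)] for every HREF with a malformed server name."""
    scanner = HrefScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


if __name__ == "__main__":
    # Constructed sample message body, not taken from the advisory.
    body = (
        '<p><a href="file://server%%%%text">open</a> '
        '<a href="http://example.com/a%20b">ok</a></p>'
    )
    for href, count in scan_html(body):
        print(f"quarantine: {count} illegal escape(s) in server name: {href!r}")
```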
Timeline:
09/29/2003 Opera contacted with details of issue
09/30/2003 Vendor responds that they have reproduced problem
10/15/2003 Vendor releases new version of program that includes a fix
10/20/2003 Advisory released
ADDITIONAL INFORMATION
The original advisory can be downloaded from:
http://www.atstake.com/research/advisories/2003/a102003-1.txt
The information has been provided by @stake Advisories (advisories@atstake.com).