[NT] Opera Arbitrary File Dropping and Execution

From: SecuriTeam (support_at_securiteam.com)
Date: 11/19/03

    To: list@securiteam.com
    Date: 19 Nov 2003 19:38:43 +0200

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

      Opera Arbitrary File Dropping and Execution
    ------------------------------------------------------------------------

    SUMMARY

    Like other browsers, Opera Web Browser supports many standard MIME types
    and also a few Opera-specific MIME types. Of the Opera-specific types, the
    implementation of the various browser skin and browser configuration MIME
    types (listed below) has a design flaw that allows the remote dropping of
    an arbitrary file with an arbitrary name and type in a known location.
    This is triggered when the victim accesses a URL. Exploitation becomes
    easier when this vulnerability is combined with the "Directory
    Traversal" vulnerability described in another recent advisory
    (<http://www.securiteam.com/windowsntfocus/6U00H2K8UY.html>).

    DETAILS

    Vulnerable systems:
     * Opera version 7.21 and prior

    Immune systems:
     * Opera version 7.22

    Impact:
    By using this flaw, an attacker may:
    1) Drop arbitrary files with arbitrary names on a victim's hard disk
    2) Run scripts with higher privileges
    3) Read the contents of the directories on a victim's hard disk.
    4) Read any file
    5) Read M2 emails (Built-in Opera mail client)

    Technical Details:
    We will consider the "application/x-opera-skin" MIME type first for the
    sake of clarity. The issues are the same for the other five flawed MIME
    types. Their specifics are mentioned in a later section below.

    1. Skinning Opera with "application/x-opera-skin":
    According to the functionality that Opera provides, a user can install a
    new skin just by clicking on a link. Opera automatically downloads and
    applies the skin without confirmation from the user. For this to work, the
    MIME type of the skin file has to be set to "application/x-opera-skin" on
    the web server. The file type of an Opera skin file is "*.zip". The Opera
    skin file specification says:
    "An Opera 7 skin file is a zipped file with extension .zip that contains a
    "skin.ini" file at root level and a bunch of images making up the skin.
    The "skin.ini" file contains the whole skin specification. All other files
    in the zip file are pointed to by the specification in "skin.ini"."

    Skin files are downloaded to "C:\Program
    Files\Opera7\profile\Skin\<filename.ext>" (assuming the install directory
    is "C:\Program Files\Opera7\"; it is *not* necessary for a remote attacker
    to know Opera's install path for exploitation).

    Skin files that do not have "*.zip" extensions but are valid skin files
    are automatically downloaded and applied by Opera if the correct MIME is
    set on the HTTPd. They are downloaded to the default skin file folder.
    However, these skins are not shown in the "file>preferences>skin" menu.
    Only skins with the "*.zip" extension are shown in the list.

    The security problem here is that even invalid, corrupt skin files with
    any extension (including exe, com, et al) are downloaded to the default
    skin file location. The victim doesn't necessarily have to know that he is
    downloading a skin. He just clicks a malicious link and he is given a
    harmless looking dialog box prompt saying that the skin file is
    incompatible with the current version of Opera *after the file is
    downloaded*. The user may click "OK" or "CANCEL", but this has no effect
    on the download: the file remains in the skin file folder and is not
    deleted.

    This means that an attacker can comfortably drop an arbitrary file with an
    arbitrary name and type on a victim's hard disk, in a known location, by
    making him access a simple, not specially crafted URL. Using an
    exploitation method detailed elsewhere, the arbitrary file can be
    executed.

    For instance, if a victim clicks on a link http://foo.com/foobar.exe where
    the MIME type of foobar.exe is set as "application/x-opera-skin",
    foobar.exe is downloaded automatically to the skin file folder. The name
    foobar.exe is preserved. So, for a default install of Opera, the file is
    dropped in and as "C:\Program Files\Opera7\profile\Skin\foobar.exe".
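    The foobar.exe case above is the pattern a proxy or IDS can look for: an Opera auto-install MIME type on a URL whose extension is not the one Opera documents. The following Python is an added example, not part of the original advisory; it generalises the check to the five other MIME types listed in the next section, treats the expected extension for "application/x-opera-configuration-skin" as an assumption (the advisory gives none), and runs over constructed sample traffic.

```python
"""Proxy/IDS-side check for abuse of Opera 7's auto-install MIME types.

Added example, not from the advisory. Opera 7.21 installs the file whatever
its extension, so one of these MIME types on a URL that does not end in the
documented extension is the pattern worth alerting on.
"""
import posixpath
from urllib.parse import urlsplit

# Opera-specific MIME type -> extension Opera documents for it. The
# advisory gives no type for '-configuration-skin'; .zip is assumed here.
EXPECTED_EXT = {
    "application/x-opera-skin": ".zip",
    "application/x-opera-configuration-skin": ".zip",
    "application/x-opera-configuration-keyboard": ".ini",
    "application/x-opera-configuration-mouse": ".ini",
    "application/x-opera-configuration-menu": ".ini",
    "application/x-opera-configuration-toolbar": ".ini",
}

def media_type(content_type):
    """Drop parameters such as '; charset=...' and normalise case."""
    return content_type.split(";", 1)[0].strip().lower()

def url_extension(url):
    """Extension of the URL's path component, ignoring query and fragment."""
    name = posixpath.basename(urlsplit(url).path)
    return posixpath.splitext(name)[1].lower()

def classify(url, content_type):
    """'n/a' for ordinary types, 'ok' when the extension matches, else 'suspicious'."""
    mt = media_type(content_type)
    if mt not in EXPECTED_EXT:
        return "n/a"
    return "ok" if url_extension(url) == EXPECTED_EXT[mt] else "suspicious"

# Constructed traffic; the first pair is the advisory's foobar.exe example.
SAMPLE = [
    ("http://foo.com/foobar.exe", "application/x-opera-skin"),
    ("http://example.test/skins/blue.zip", "application/x-opera-skin; charset=binary"),
    ("http://example.test/menu.html?x=1", "application/x-opera-configuration-menu"),
    ("http://example.test/page.html", "text/html"),
]

if __name__ == "__main__":
    for url, ct in SAMPLE:
        print(classify(url, ct), url)
```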

    2. Other flawed MIME types:
    Other than the folder location where the file will be dropped and the file
    type associated with the MIME type, all the details are the same as the
    skin MIME detailed above for the MIME types listed below. The file type
    associated with a MIME type does not hinder the dropping of files of other
    types as shown above. It is just presented here as useful information.

    For all the MIME types below, the locations for a default install are
    given. However, a default install is not necessary for exploitation.

    i.   "application/x-opera-skin" - Detailed above.
    ii.  "application/x-opera-configuration-skin" - File is dropped in
         C:\Program Files\Opera7\profile\skin.
    iii. "application/x-opera-configuration-keyboard" - File is dropped in
         C:\Program Files\Opera7\profile\keyboard. The associated file type is
         "*.ini".
    iv.  "application/x-opera-configuration-mouse" - File is dropped in
         C:\Program Files\Opera7\profile\mouse. The associated file type is
         "*.ini".
    v.   "application/x-opera-configuration-menu" - File is dropped in
         C:\Program Files\Opera7\profile\menu. The associated file type is
         "*.ini".
    vi.  "application/x-opera-configuration-toolbar" - File is dropped in
         C:\Program Files\Opera7\profile\toolbar. The associated file type is
         "*.ini".
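    Because the dropped file always lands in one of the profile sub-folders listed above, an incident responder can sweep those folders for files whose extension does not match what Opera documents for them. The Python below is an added example, not part of the original advisory; the folder-to-extension table and the sample directory listing are constructed from the list above, and the profile root path is the default-install one the advisory gives.

```python
"""Host-side check for files dropped into Opera 7 profile folders.

Added example, not from the advisory: a file in one of the profile
sub-folders whose extension is not the documented one is worth a look in IR.
"""
from pathlib import Path, PurePosixPath

# Profile sub-folder -> extension Opera documents for that folder.
EXPECTED = {
    "skin": {".zip"},
    "keyboard": {".ini"},
    "mouse": {".ini"},
    "menu": {".ini"},
    "toolbar": {".ini"},
}

def check_entries(relative_paths):
    """Return entries (paths relative to the profile root, '/' separated)
    whose extension is unexpected for their folder. Folder names compare
    case-insensitively: the advisory writes both 'Skin' and 'skin'."""
    flagged = []
    for rel in relative_paths:
        parts = PurePosixPath(rel).parts
        if len(parts) != 2:
            continue                      # only direct children of the listed folders
        allowed = EXPECTED.get(parts[0].lower())
        if allowed and PurePosixPath(parts[1]).suffix.lower() not in allowed:
            flagged.append(rel)
    return flagged

def scan_profile(profile_root):
    """Walk a real profile directory and feed its files to check_entries."""
    # Default install per the advisory: C:\Program Files\Opera7\profile
    root = Path(profile_root)
    rels = [p.relative_to(root).as_posix() for p in root.rglob("*") if p.is_file()]
    return check_entries(rels)

# Constructed listing; 'Skin/foobar.exe' echoes the advisory's worked example.
SAMPLE_LISTING = [
    "Skin/standard_skin.zip",
    "Skin/foobar.exe",
    "menu/standard_menu.ini",
    "menu/evil.html",
    "mail/store/account1.mbs",
]

if __name__ == "__main__":
    for hit in check_entries(SAMPLE_LISTING):
        print("unexpected file:", hit)
```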

    About these MIME types, Opera's documentation says:
    "If the server returns content-type
    "application/x-opera-configuration-menu" or
    "application/x-opera-configuration-keyboard" or
    "application/x-opera-configuration-mouse" and the file has the "ini"
    extension, Opera will download and install the menu, keyboard or mouse
    gestures setup directly"

    Exploit:
    According to S G Masood's investigation, files can only be dropped in the
    default folders mentioned above.

    Using directory traversal techniques to drop the file in other locations
    does not seem to be feasible.

    Although any file can be dropped on a victim's computer, the highest
    compromise that can be accomplished seems to be the running of scripts
    with higher privileges. Files other than the file types handled by Opera
    cannot be executed. This means file types like exe, bat, etc., cannot be
    executed although they may be dropped and file types like html, txt, gif,
    etc. can be executed.

    Nevertheless, the executable files dropped using this vulnerability can be
    executed by using other vulnerabilities (possibly in other software).

    This flaw can be exploited alone but, if Opera is not installed in the
    default path, a 'blind' exploit will not work. Nevertheless, when this
    flaw is combined with the Directory Traversal vulnerability (detailed in
    the advisory "Opera Web Browser Directory Traversal in Internal URI
    Protocol"), 'blind' exploitation, i.e., exploitation without knowledge of
    the install path becomes possible.

    A proof of concept exploit is attached with this advisory.

    Vendor response:
    The vendor, Opera Software, deserves special mention here. S G Masood had
    previously read about Opera Software's promptness in resolving security
    vulnerabilities in their products; his experience with them was one of the
    best he has ever had with any vendor, and he hopes they continue to
    maintain their good record with future security issues.

    An updated version with a fix (7.22) is available from
    <http://www.opera.com/download/>.

    ADDITIONAL INFORMATION

    The information has been provided by S G Masood <sgmasood@yahoo.com>.

