[NEWS] Opera Telnet URI Handler File Creation/Truncation Vulnerability
From: SecuriTeam (support_at_securiteam.com)
Date: 05/13/04
To: list@securiteam.com Date: 13 May 2004 14:53:22 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Opera Telnet URI Handler File Creation/Truncation Vulnerability
------------------------------------------------------------------------
SUMMARY
<http://www.opera.com/> Opera is "a cross-platform web browser".
Exploitation of an input validation vulnerability within Opera Software
ASA's Opera Web Browser could allow remote attackers to create or
truncate arbitrary files.
DETAILS
Vulnerable Systems:
* Opera version 7.23 has been confirmed vulnerable, as have a variety of
earlier versions on multiple platforms. It is suspected that all earlier
versions are also vulnerable.
Immune Systems:
* Opera version 7.50 or newer
The problem specifically exists within the telnet URI handler. Opera does
not check for a leading '-' in the hostname passed through the handler,
which lets options pass to the telnet program, allowing file creation or
overwriting. Under Windows XP, when telnet.exe is executed with the '-f'
option, the remainder of the argument is used as a filename for logging
the connection. Under Linux, the '-n' option creates a 'tracefile' for the
connection. These options create the file if it does not exist, or truncate
it if it does.
If a telnet: URI with the appropriate option is opened, a file will be
created in the current working directory of the Opera process if the user
has permission. In Windows, this defaults to the directory Opera was
installed in. Under Linux, the default is the user's home directory.
Examples:
Windows XP: Creates or overwrites 'Filename' in the Opera directory.
telnet://-fFilename
Under Linux: Creates or overwrites 'Filename' in the user's home directory.
telnet://-nFilename
Under some previous versions of Opera, it was possible to create a file
anywhere on the file system, by hex encoding an absolute path in the
filename portion of the URI.
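As an added illustration (this is not Opera's code and not part of the iDEFENSE advisory), the flawed pattern the advisory describes is shown beside a hardened URI-to-argv routine that percent-decodes first, rejects any host beginning with '-', and accepts only a syntactically valid DNS name and numeric port. Function names and the example hosts are constructed for this example.

```python
import re
from urllib.parse import urlsplit, unquote

# One DNS label (RFC 1123): alphanumerics and inner hyphens, never a leading hyphen.
_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def naive_telnet_argv(uri: str):
    """The flawed pattern (reconstructed, not Opera's code): whatever sits in the
    host position is handed to telnet unchecked, so '-fFilename' arrives as an option."""
    return ["telnet", unquote(urlsplit(uri).netloc)]


def _split_host_port(netloc: str):
    """Drop any userinfo and separate host from an optional port (IPv6 literals not handled)."""
    hostport = netloc.rsplit("@", 1)[-1]
    if ":" in hostport:
        host, _, port = hostport.rpartition(":")
        return host, port
    return hostport, None


def safe_telnet_argv(uri: str):
    """Hardened form: percent-decode before validating (so an encoded '-' cannot slip
    through), then accept only a valid hostname and a numeric port in range."""
    parts = urlsplit(uri)
    if parts.scheme.lower() != "telnet":
        raise ValueError("not a telnet URI: %r" % uri)
    host, port = _split_host_port(parts.netloc)
    host = unquote(host)
    if host.startswith("-"):
        # The exact gap the advisory describes: telnet would parse this as an option.
        raise ValueError("host would be parsed as a telnet option: %r" % host)
    if len(host) > 253 or not all(_LABEL.match(label) for label in host.split(".")):
        raise ValueError("host is not a valid DNS name: %r" % host)
    argv = ["telnet", host]
    if port is not None:
        port = unquote(port)
        if not port.isdigit() or not 1 <= int(port) <= 65535:
            raise ValueError("bad port: %r" % port)
        argv.append(port)
    return argv


def is_safe_telnet_uri(uri: str) -> bool:
    """Predicate for a URI-handler hook: True only if safe_telnet_argv accepts the URI."""
    try:
        safe_telnet_argv(uri)
    except ValueError:
        return False
    return True
```

The returned argv list is meant to be passed to a process spawner without a shell; the example deliberately stops short of launching telnet.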
Analysis:
In Windows, depending on the user's privileges, it may be possible to make
Opera unavailable by overwriting files. Under Linux it is possible to
overwrite files in the current user's home directory (e.g. .bashrc, mbox).
Some versions or configurations of Windows may not be vulnerable, due to
the absence of the '-f' command line switch.
Workarounds:
Disable the telnet URI handler from within Opera.
Click on the 'File' menu, then the 'Preferences...' item, and choose
'Programs and paths' from the view on the left. Select 'telnet' in the
Protocols box and press the delete key. Do the same with the tn3270
handler.
Vendor response:
The vulnerability has been addressed in Opera 7.50 (Windows, Mac, Linux).
Windows version downloadable from:
http://www.opera.com/download/index.dml?opsys=Windows&platform=Windows&lng=en&ver=7.50
Mac version downloadable from:
http://www.opera.com/download/index.dml?step=3&opsys=MacOS&lng=en&platform=MacOS
Linux i386 version downloadable from:
http://www.opera.com/download/index.dml?step=3&opsys=Linux%20i386&lng=en&platform=Linux%20i386
Disclosure timeline:
April 2, 2003 - Exploit acquired by iDEFENSE
April 7, 2004 - Initial vendor notification
April 7, 2004 - iDEFENSE clients notified
April 14, 2004 - Initial vendor response
May 12, 2004 - Coordinated public disclosure
ADDITIONAL INFORMATION
The information has been provided by iDEFENSE
<mailto:idlabs-advisories@idefense.com>. The vulnerability was
discovered by Karol Wiesek and Greg MacManus.
The original article can be found at:
http://www.idefense.com/application/poi/display?id=104&type=vulnerabilities&flashstatus=false
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.