Re: Opera Browser goes Crash

From: Aaron Lafferty (lafferty@oar.net)
Date: 10/23/01


Message-ID: <010801c15bd9$70407d70$9865fea9@VISHNU>
From: "Aaron Lafferty" <lafferty@oar.net>
To: "Holmes, Ben" <Ben.Holmes@getronics.com>, "Vuln-Dev (E-mail)" <vuln-dev@securityfocus.com>
Subject: Re: Opera Browser goes Crash
Date: Tue, 23 Oct 2001 11:43:18 -0400

I can confirm this on Opera 5.11 build 904 running on Windows 2000 SP2
w/ all critical fixes.

----- Original Message -----
From: "Holmes, Ben" <Ben.Holmes@getronics.com>
To: "Vuln-Dev (E-mail)" <vuln-dev@securityfocus.com>
Sent: Tuesday, October 23, 2001 4:53 AM
Subject: Opera Browser goes Crash

>
>
> I usually use Opera browser (it truly is a fast browser), and it just closed
> when I went to a link...
>
> The link was "http://www.malware.com/hello.html"
>
> In Netscape, it is supposed to play a sound file...
>
> In I.E it just comes up and allows to view source.
>
> The source is basically a small JavaScript part (and that should work fine),
> but the other part is a large embedded sound file.. it is in this form:
>
> '<embed src="data:audio/wav;base64,[Base 64 data of a sound file]"
> autostart=true width=0 height=0 loop=true>' tag.
>
> It didn't seem to give an error message or anything.. if it was overflowing
> a buffer I'd usually expect that it would generate a windows error message
> when it gets random junk like this... But it just closes.. completely and
> gracefully... but it closes nevertheless..
>
> I am thinking:
>
> A> It is a configuration problem on this PC... It decodes the Base 64 (or
> goes to) but some plug in or system it uses to play the file or decode it
> that is possibly specific to this PC dies.
>
> B> The length of the embed tag is too long and overflows an internal buffer
> and jumps right to a close (either graciously, or by super good error
> checking routines)... Or something else happens that makes windows not
> notice that a program is doing wierd_funky_things (tm)
>
> C> The "embed" tag is touchy and its implementation is bad, this doesn't
> seem the case though, because if I make the [Base 64 data of a sound file]
> part much smaller, it just does the same as IE does.
>
> If it is "B"... is it exploitable in the form:
>
> '<embed src="data:audio/wav;base64,[Nasty code][Padding][address of a jmp
> esp]" autostart=true width=0 height=0 loop=true>'
>
> or some other such thing, that would cause "Nasty Code" to be run in the
> Opera process.
>
> Does it happen on anyone else's computer that runs Opera... or is this
> little currently Opera specific DoS also "this computer" specific...
>
> -- Benjamin Holmes
>
> E&OE. All spelling and grammatical errors are for your enjoyment and
> entertainment only and are copyright Benjamin Holmes.
>
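The thread's hypothesis B is that an oversized base64 `data:audio/wav` payload in an `<embed>` tag overruns a fixed buffer somewhere in the decode or playback path. The guard below, an added example that is not code from the thread or from Opera, shows what a defensive media handler or content filter would do instead: bound the encoded length before decoding, reject malformed base64, and check the RIFF/WAVE header before passing anything to a player. The size limit, the `Verdict` type and the helper names are assumptions of this example.

```python
import base64
import re
import struct
from dataclasses import dataclass

# Hypothetical policy limit on the encoded payload (the report gives no size).
MAX_ENCODED_LEN = 1_000_000

EMBED_SRC_RE = re.compile(r'<embed\b[^>]*?\bsrc="([^"]*)"', re.IGNORECASE | re.DOTALL)
DATA_URI_RE = re.compile(r'^data:([\w.+-]+/[\w.+-]+)?;base64,(.*)$', re.DOTALL)

@dataclass
class Verdict:
    accepted: bool
    reason: str
    decoded_len: int = 0

def check_data_uri(src: str, limit: int = MAX_ENCODED_LEN) -> Verdict:
    """Bound and validate a base64 data: URI before any decoder sees it."""
    m = DATA_URI_RE.match(src)
    if not m:
        return Verdict(False, "not a base64 data: URI")
    mime, payload = (m.group(1) or "").lower(), m.group(2)
    # Check the length before decoding: a decoder with a fixed-size buffer
    # must never be handed an unbounded blob (hypothesis B in the report).
    if len(payload) > limit:
        return Verdict(False, f"encoded length {len(payload)} exceeds {limit}")
    try:
        raw = base64.b64decode(payload, validate=True)  # rejects stray bytes
    except ValueError:  # binascii.Error is a ValueError subclass
        return Verdict(False, "malformed base64")
    if mime in ("audio/wav", "audio/x-wav"):
        # A WAV file is a RIFF container whose declared size must match.
        if len(raw) < 12 or raw[:4] != b"RIFF" or raw[8:12] != b"WAVE":
            return Verdict(False, "audio/wav payload lacks RIFF/WAVE header", len(raw))
        if struct.unpack("<I", raw[4:8])[0] != len(raw) - 8:
            return Verdict(False, "RIFF size field disagrees with payload", len(raw))
    return Verdict(True, "ok", len(raw))

def scan_embeds(html: str, limit: int = MAX_ENCODED_LEN) -> list:
    """Return one Verdict per <embed src="..."> found in the page."""
    return [check_data_uri(src, limit) for src in EMBED_SRC_RE.findall(html)]

def make_wav(samples: bytes) -> bytes:
    """Constructed minimal 8-bit mono PCM WAV, used only as sample input."""
    fmt = struct.pack("<IHHIIHH", 16, 1, 1, 8000, 8000, 1, 8)
    return (b"RIFF" + struct.pack("<I", 36 + len(samples)) + b"WAVE"
            + b"fmt " + fmt + b"data" + struct.pack("<I", len(samples)) + samples)
```

Run `scan_embeds()` over a page with a small valid WAV and a very long all-`A` payload to see the first accepted and the second refused on length alone, before any decoding happens.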