Re: Opera Browser goes Crash
From: Aaron Lafferty (firstname.lastname@example.org)
Message-ID: <010801c15bd9$70407d70$9865fea9@VISHNU>
From: "Aaron Lafferty" <email@example.com>
To: "Holmes, Ben" <Ben.Holmes@getronics.com>, "Vuln-Dev (E-mail)" <firstname.lastname@example.org>
Subject: Re: Opera Browser goes Crash
Date: Tue, 23 Oct 2001 11:43:18 -0400
I can confirm this on Opera 5.11 build 904 running on Windows 2000 SP2
w/ all critical fixes.
----- Original Message -----
From: "Holmes, Ben" <Ben.Holmes@getronics.com>
To: "Vuln-Dev (E-mail)" <email@example.com>
Sent: Tuesday, October 23, 2001 4:53 AM
Subject: Opera Browser goes Crash
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> I usually use Opera browser (it truly is a fast browser), and it just
> when I went to a link...
> The link was "http://www.malware.com/hello.html"
> In Netscape, it is supposed to play a sound file...
> In I.E. it just comes up and allows you to view source.
> but the other part is a large embedded sound file.. it is in this form:
> '<embed src="data:audio/wav;base64,[Base 64 data of a sound file]"
> autostart=true width=0 height=0 loop=true>' tag.
> It didn't seem to give an error message or anything.. if it was
> a buffer I'd usually expect that it would generate a windows error message
> when it gets random junk like this... But it just closes.. completely and
> gracefully... but it closes nevertheless..
> I am thinking:
> A> It is a configuration problem on this PC... It decodes the Base 64 (or
> goes to) but some plug-in or system it uses to play the file or decode it
> that is possibly specific to this PC dies.
> B> The length of the embed tag is too long and overflows an internal
> and jumps right to a close (either graciously, or by super good error
> checking routines)... Or something else happens that makes windows not
> notice that a program is doing weird_funky_things (tm)
> C> The "embed" tag is touchy and its implementation is bad, this doesn't
> seem the case though, because if I make the [Base 64 data of a sound file]
> part much smaller, it just does the same as IE does.
> If it is "B"... is it exploitable in the form:
> '<embed src="data:audio/wav;base64,[Nasty code][Padding][address of a jmp
> esp]" autostart=true width=0 height=0 loop=true>'
> or some other such thing, that would cause "Nasty Code" to be run in the
> Opera process.
> Does it happen on anyone else's computer that runs Opera... or is this
> little currently Opera specific DoS also "this computer" specific...
> - -- Benjamin Holmes
> E&OE. All spelling and grammatical errors are for your enjoyment and
> entertainment only and are copyright Benjamin Holmes.
> -----BEGIN PGP SIGNATURE-----
> Version: PGPfreeware 7.0.3 for non-commercial use <http://www.pgp.com>
> Comment: Pee Gee Peeeeee!
> -----END PGP SIGNATURE-----