Re: Opera Browser goes Crash

From: Eric Johnson (xsr@routergod.com)
Date: 10/23/01


Date: Tue, 23 Oct 2001 10:28:03 -0700
Message-Id: <200110231728.f9NHS3S05277@mail9.bigmailbox.com>
From: "Eric Johnson" <xsr@routergod.com>
To: vuln-dev@securityfocus.com
Subject: Re: Opera Browser goes Crash


Hey all,

Yep confirmed on
Windows XP build 2600
Opera 5.12 build 932
Sun Java Runtime Env. 1.4

regards,

xsr.
----- Original Message -----
From: "Holmes, Ben" <Ben.Holmes@getronics.com>
To: "Vuln-Dev (E-mail)" <vuln-dev@securityfocus.com>
Sent: Tuesday, October 23, 2001 4:53 AM
Subject: Opera Browser goes Crash

>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> I usually use Opera browser (it truly is a fast browser), and it just closed
> when I went to a link...
>
> The link was "http://www.malware.com/hello.html"
>
> In Netscape, it is supposed to play a sound file...
>
> In I.E it just comes up and allows to view source.
>
> The source is basically a small JavaScript part (and that should work fine),
> but the other part is a large embedded sound file.. it is in this form:
>
> '<embed src="data:audio/wav;base64,[Base 64 data of a sound file]"
> autostart=true width=0 height=0 loop=true>' tag.
>
> It didn't seem to give an error message or anything.. if it was overflowing
> a buffer I'd usually expect that it would generate a windows error message
> when it gets random junk like this... But it just closes.. completely and
> gracefully... but it closes nevertheless..
>
> I am thinking:
>
> A> It is a configuration problem on this PC... It decodes the Base 64 (or
> goes to) but some plug in or system it uses to play the file or decode it
> that is possibly specific to this PC dies.
>
> B> The length of the embed tag is too long and overflows an internal buffer
> and jumps right to a close (either graciously, or by super good error
> checking routines)... Or something else happens that makes windows not
> notice that a program is doing wierd_funky_things (tm)
>
> C> The "embed" tag is touchy and its implementation is bad, this doesn't
> seem the case though, because if I make the [Base 64 data of a sound file]
> part much smaller, it just does the same as IE does.
>
> If it is "B"... is it exploitable in the form:
>
> '<embed src="data:audio/wav;base64,[Nasty code][Padding][address of a jmp
> esp]" autostart=true width=0 height=0 loop=true>'
>
> or some other such thing, that would cause "Nasty Code" to be run in the
> Opera process.
>
> Does it happen on anyone else's computer that runs Opera... or is this
> little currently Opera specific DoS also "this computer" specific...
>
> - -- Benjamin Holmes
>
> E&OE. All spelling and grammatical errors are for your enjoyment and
> entertainment only and are copyright Benjamin Holmes.
>
> -----BEGIN PGP SIGNATURE-----
> Version: PGPfreeware 7.0.3 for non-commercial use <http://www.pgp.com>
> Comment: Pee Gee Peeeeee!
>
> iQA/AwUBO9Uv/HLvuelW5gClEQLO5wCg+K5tXdKdWAiaEBj71BiYnks964wAoJP5
> VvPSGdUiC5c8kZ8/yhA5DZ06
> =XF0I
> -----END PGP SIGNATURE-----
>
