Thread-topic: iDefense Security Advisory 10.17.06: Opera Software Opera Web BrowserURL Parsing Heap Overflow Vulnerability
> -----Original Message-----
> From:
> idlabs-advisories-bounces+vladimir.kazennov=billing.ru@idefens
> e.com
> [mailto:idlabs-advisories-bounces+vladimir.kazennov=billing.ru
> @idefense.com] On Behalf Of iDefense Labs Security Advisories
> Sent: Wednesday, October 18, 2006 12:08 AM
> To: idlabs-advisories@xxxxxxxxxxxx; vulnwatch@xxxxxxxxxxxxx;
> full-disclosure@xxxxxxxxxxxxxxxxx; bugtraq@xxxxxxxxxxxxxxxxx
> Subject: iDefense Security Advisory 10.17.06: Opera Software
> Opera Web BrowserURL Parsing Heap Overflow Vulnerability
>
> Opera Software Opera Web Browser URL Parsing Heap Overflow
> Vulnerability
>
> iDefense Security Advisory 10.17.06
>
> Oct 17, 2006
>
> I. BACKGROUND
>
> Opera is a cross-platform web browser. More information is available
> from
>
> II. DESCRIPTION
>
> Remote exploitation of a heap overflow vulnerability within
> version 9 of
> Opera Software's Opera Web browser could allow an attacker to execute
> arbitrary code on the affected host.
>
> A flaw exists within Opera when parsing a tag that contains a URL. A
> heap buffer with a constant size of 256 bytes is allocated to
> store the
> URL, and the tag's URL is copied into this buffer without sufficient
> bounds checking of its length. The vulnerable code would look
> something
> like this in C/C++:
>
> char *local_url = malloc(256);
>
> strcpy(local_url, tag_url);
>
> This URL can be inserted into any tag, such as an iframe.
> The range of
> characters that can be used to overflow the buffer is limited.
>
> III. ANALYSIS
>
> Successful remote exploitation allows an attacker to execute arbitrary
> code with the privileges of the logged in user. A failed exploitation
> attempt may result in the browser crashing. The attacker would first
> need to construct a website containing the malicious tag and trick the
> vulnerable user into visiting the site. This would trigger the
> vulnerability and allow the code to execute with the privileges of the
> local user.
>
> The range of characters available does not make this vulnerability
> significantly more difficult to exploit. Through the use of
> JavaScript
> or large compressed image files the attacker can have nearly complete
> control of the heap.
>
> IV. DETECTION
>
> iDefense Labs has confirmed Opera versions 9.0 and 9.01 on
> both Windows
> and Linux are vulnerable. Version 8 is not vulnerable.
>
> V. WORKAROUND
>
> iDefense is currently unaware of any effective workarounds for this
> vulnerability.
>
> VI. VENDOR RESPONSE
>
> Opera has addressed this vulnerability with version 9.02 of the Opera
> Web Browser. More information can be found in Opera's advisory at
> .
>
> VII. CVE INFORMATION
>
> The Common Vulnerabilities and Exposures (CVE) project has
> assigned the
> name CVE-2006-4819 to this issue. This is a candidate for inclusion in
> the CVE list (), which standardizes names for
> security problems.
>
> VIII. DISCLOSURE TIMELINE
>
> 09/15/2006 Initial vendor notification
> 09/29/2006 Initial vendor response
> 10/17/2006 Coordinated public disclosure
>
> IX. CREDIT
>
> The discoverer of this vulnerability wishes to remain anonymous.
>
> Get paid for vulnerability research
>
>
> Free tools, research and upcoming events
>
>
> X. LEGAL NOTICES
>
> Copyright (c) 2006 iDefense, Inc.
>
> Permission is granted for the redistribution of this alert
> electronically. It may not be edited in any way without the express
> written consent of iDefense. If you wish to reprint the whole or any
> part of this alert in any other medium other than
> electronically, please
> email customerservice@xxxxxxxxxxxx for permission.
>
> Disclaimer: The information in the advisory is believed to be accurate
> at the time of publishing based on currently available
> information. Use
> of the information constitutes acceptance for use in an AS IS
> condition.
> There are no warranties with regard to this information. Neither the
> author nor the publisher accepts any liability for any
> direct, indirect,
> or consequential loss or damage arising from use of, or reliance on,
> this information.
>
>
>
> _______________________________________________
> To unsubscribe, go here:
>
>
