exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Atstake Security Advisory 03-10-20.1

Atstake Security Advisory 03-10-20.1
Posted Oct 21, 2003
Authored by Atstake, Jesse Burns | Site atstake.com

Atstake Security Advisory A102003-1 - Opera v7.20 and below contains a heap overflow when parsing HREFs with illegally escaped server names, allowing remote code execution via email or malicious web page. Fix available here. Tested against Windows XP and Linux.

tags | remote, web, overflow, code execution
systems | linux, windows
SHA-256 | 47be7130d5351ee1e6a51c87a74d5a02b3e5f28749ce4d47d3f097a00a9f49bd

Atstake Security Advisory 03-10-20.1

Change Mirror Download

@stake, Inc.
www.atstake.com

Security Advisory

Advisory Name: Opera HREF Escaped Server Name Overflow
Release Date: 10/20/2003
Application: Opera 7.11, 7.20
Platform: Windows XP/2000 and GNU/Linux 2.4 tested, others
may be vulnerable
Severity: Remote code execution
Authors: Jesse Burns <jesse@atstake.com>
Vendor Status: Fixed in version 7.21
CVE Candidate: CAN-2003-0870
Reference: www.atstake.com/research/advisories/2003/a102003-1.txt


Overview:

The Opera browser exhibits a failure when rendering HTML. Certain
HREFs cause a buffer allocated on the heap to overflow. Arbitrary
bytes in the heap may be overwritten. This can result in the
compromise of systems running Opera. Opera's mail system seems to be
vulnerable also and recovery from reading an email is somewhat
difficult.

An attacker can send an email containing HTML to a user running the
Opera mail client and cause this overflow to occur when the HTML is
rendered. An owner of a web site can craft a malicious web page
containing the problematic HTML to cause an overflow on Opera
clients visiting the site.


Details:

Rendering HREFs with certain illegally escaped server names in the
URL will cause Opera to crash due to a buffer management problem.
Sometimes the crash is observed immediately, sometimes when the
browser is closed, presumably as the resources are being freed.

The escaped URLs are of the form:

<a href="file://server%%[many % characters]%%text" ></a>


Timeline:

09/29/2003 Opera contacted with details of issue
09/30/2003 Vendor responds that they have reproduced problem
10/15/2003 Vendor releases new version of program that includes a
fix
10/20/2003 Advisory released


Vendor Response:

Opera has release a new version of the software that is available
here:

http://www.opera.com/download/

The change log (http://www.opera.com/windows/changelogs/721/) notes
this fix as:

"Fixed a crash caused by illegally escaped server name"

There is no specific bulletin or warning to users that this release
contains security fixes.


Recommendation:

Upgrade to the 7.21 version of Opera browser for your platform.

Filter email to remove HTML. Run your web browser and mail client
as a low privileged user.


Common Vulnerabilities and Exposures (CVE) Information:

The Common Vulnerabilities and Exposures (CVE) project has assigned
the following names to these issues. These are candidates for
inclusion in the CVE list (http://cve.mitre.org), which standardizes
names for security problems.

CAN-2003-0870 Opera HREF escaped server name overflow


@stake Vulnerability Reporting Policy:
http://www.atstake.com/research/policy/

@stake Advisory Archive:
http://www.atstake.com/research/advisories/

PGP Key:
http://www.atstake.com/research/pgp_key.asc

@stake is currently seeking application security experts to fill
several consulting positions. Applicants should have strong
application development skills and be able to perform application
security design reviews, code reviews, and application penetration
testing. Please send resumes to jobs@atstake.com.

Copyright 2003 @stake, Inc. All rights reserved.
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close