
GreyMagic Security Advisory GM#008-OP

By GreyMagic Software, Israel.
05 Aug 2004.

Topic: Location, Location, Location.

Discovery date: 19 Jul 2004.

Affected applications:

Opera 7.53 and prior on Windows, Linux and Mac.

Introduction:

On 04-Feb-2003 GreyMagic released an advisory concerning Opera's security model in v7.0. The advisory depicted several flaws in Opera's model, one of which allowed an attacker to overwrite native and custom functions in a victim window. When the victim web-page executed such a function, the attacker's code executed with the victim's privileges.

Opera tried to prevent such scenarios in Opera 7.01, by blocking write-access to objects on the victim window.

Discussion:

Unfortunately, Opera failed to block write-access to the often-used "location" object.

By overwriting methods in this object, an attacker can gain immediate script access to any web-page that uses one of these methods. This includes both web-pages in foreign domains and the victim's local file system.

The impacts of this vulnerability include:

Several methods are candidates for such attacks: assign(), replace(), valueOf() and toString(). The first two are triggered only when the victim explicitly calls them. The latter two are called implicitly in many situations, including:

str+=location;
decodeURI(location);
location*7;
location+"";

And many others...
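The implicit coercions above, as an added example that is not part of the original advisory: it shows why string and number conversions reach valueOf()/toString() without the page ever naming them, and a check a page can run before trusting its location object, to detect that the candidate methods are no longer the engine's native functions. Node.js has no window or location, so makeLocationLike() is a constructed stand-in whose four methods are native built-ins (Object.assign and friends) playing the role of an untouched Location's native methods.

```javascript
// Added example; not code from the GreyMagic advisory.

// Constructed stand-in for the browser's location object (Node has none).
// Its methods are native built-ins, as on an untampered Location object.
function makeLocationLike(href) {
  return {
    href,
    assign: Object.assign,                // native placeholder for location.assign
    replace: String.prototype.replace,    // native placeholder for location.replace
    toString: Object.prototype.toString,  // native, as the engine would supply
    valueOf: Object.prototype.valueOf,
  };
}

// Run the four coercions listed in the advisory against `loc`, with spies
// installed on valueOf/toString, and return how often each was reached.
function countImplicitCalls(loc) {
  const calls = { valueOf: 0, toString: 0 };
  const spy = Object.create(loc, {
    valueOf:  { value() { calls.valueOf++;  return loc.href; } },
    toString: { value() { calls.toString++; return loc.href; } },
  });
  let str = "";
  str += spy;        // `+` with default hint: ToPrimitive tries valueOf first
  decodeURI(spy);    // ToString: hint "string", so toString is tried first
  void (spy * 7);    // ToNumber: valueOf first
  void (spy + "");   // valueOf again
  return calls;      // { valueOf: 3, toString: 1 }
}

// True when `fn` prints as "[native code]", i.e. it is still the engine's
// implementation rather than a script-supplied replacement.
function isNativeFunction(fn) {
  return typeof fn === "function" &&
    /\{\s*\[native code\]\s*\}\s*$/.test(Function.prototype.toString.call(fn));
}

// Names of the advisory's four candidate methods that are no longer native.
function tamperedLocationMethods(loc) {
  return ["assign", "replace", "toString", "valueOf"]
    .filter((name) => !isNativeFunction(loc[name]));
}
```

The native-code check is only as strong as the engine's Function.prototype.toString output, so treat it as a tripwire, not a security boundary.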

In order to gain access to the "file://" protocol, and hence to the entire file system, an attacker needs to know of an HTML file in the victim's file system that actually makes a call to a method in the location object. Such a file was included in virtually all Windows operating systems: it is named "CiAdmin.htm" and it can be found in a very predictable path, %SystemRoot%/Help/.

Exploit:

To exploit this vulnerability an attacker can use a simple <iframe>, pointing to the victim web-page, and inject the malicious code into its window. Here's an oversimplified example:

<iframe></iframe>
<script type="text/javascript">
onload=function () {
    var oVictim=frames[0];
    oVictim.location.href="file://localhost/c:/winnt/help/ciadmin.htm";
    oVictim.location.replace=function () {
        oVictim.alert("We now have full file system access using "+location.href);
    }
}
</script>

This code demonstrates how the vulnerability works, but on its own it is unlikely to succeed in exploiting it, because the malicious code must be injected in the time gap between page initiation and page script execution. This leaves a very narrow window for an attacker to inject code, but with a bit of scripting this window of opportunity can easily be found. The demonstrations below use simple brute-force and retry mechanisms to inject our code successfully.

Demonstration:

We put together two harmless proof-of-concept demonstrations:

Solution:

GreyMagic informed Opera of the vulnerability on 22-Jul-2004. A new version (7.54) was officially released on 05-Aug-2004 to address this problem.

Tested on:

Opera 7.52.
Opera 7.53.

Disclaimer:

The information in this security advisory and any of its demonstrations is provided "as is" without warranty of any kind.

Vulnerability details are provided strictly for educational and defensive purposes.

GreyMagic Software is not liable for any direct or indirect damages caused as a result of using the information or demonstrations provided in any part of this advisory.


Copyright © 2008 GreyMagic Software