
Opera Directory Traversal in Internal URI Protocol (Advisory)


Opera Web Browser Directory Traversal in Internal URI Protocol
==============================================================




I ABSTRACT:


Opera Web Browser defines an internal, URI-protocol-like command called 
"opera:". Among other things, it is used to display the browser's documentation 
and help files. The handling of this command has an input validation flaw that 
enables directory traversal.

This flaw is an aggravating factor when combined with other vulnerabilities. In 
this case, it can be combined with the "Opera Skinned" vulnerability that is 
described in the attached file.



II VERSIONS AFFECTED:

All versions up to and including 7.21 that support the flawed command are 
vulnerable. Version 7.22 contains the fix. 



III TECHNICAL DETAILS:


NOTE: It is assumed that Opera is installed in the default location i.e., 
"c:\program files\opera7" for the purpose of this description. However, a 
default install is *not* necessary for exploitation.

"opera:" is an internal, URI-protocol-like command used by Opera. "Internal" 
because it is not registered as a URI protocol in the Windows Registry. One of 
its uses is to display documentation. For instance, to see the help, 
"opera:/help/" is used. This points to the "C:\Program Files\Opera7\help" 
directory on the file system. The HTML files in this folder can be accessed 
through relative URLs of the same form, such as "opera:/help/foo.html". When a 
local path is requested through "opera:" in the form of a legal "opera:/help/" 
URL, Opera uses the service of the "file://" protocol. For instance, 
"opera:/help/" redirects the browser to 
"file://localhost/C:/Program Files/Opera7/Help/index.html".

"opera:history", "opera:plugins", "opera:cache" and "opera:drives" are other 
known uses for this command. Their function is self-explanatory. "about:" is an 
alias for "opera:". For instance, "about:history" translates to "opera:history".

The problem is that although a literal "../" is not allowed in the opera: 
command (Opera responds with an "illegal address" prompt), this check is easily 
bypassed with the URL-encoded forms "..%5c" or "..%2f", which break out of the 
/help/ directory. 

For instance, using "opera:/help/..%5c..%5c..%5cwinnt/notepad.exe" downloads 
"notepad.exe" from the "winnt" folder.
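The root cause described above is a containment check performed on the raw, still-encoded input. The following Python model is an added illustration, not Opera's code and not part of the original advisory: `naive_resolve` mimics the flawed behaviour (a literal "../" is refused, but the encoded escapes survive the check and are only decoded by the file layer), while `safe_resolve` shows the defensive fix of decoding first, normalising, and then verifying that the resolved path is still inside the help directory. The base directory and the helper names are assumptions for the example.

```python
"""Added example (not from the advisory): a literal "../" filter versus a
decode-then-check containment test for an "opera:/help/" style resolver."""
from typing import Optional
from urllib.parse import unquote
import posixpath

# Assumed base directory behind the "opera:/help/" prefix (constructed for
# this example; mirrors the advisory's default install path).
HELP_BASE = "C:/Program Files/Opera7/Help"
PREFIX = "opera:/help/"


def naive_resolve(opera_url: str) -> Optional[str]:
    """Flawed resolver modelled on the advisory's description.

    The only check is for a literal "../" in the still-encoded input. The
    relative part is then handed to a file layer that percent-decodes it and
    treats "\\" like "/", so "..%5c" and "..%2f" walk out of HELP_BASE.
    Returns the resulting file path, or None for "illegal address".
    """
    if not opera_url.lower().startswith(PREFIX):
        return None
    rel = opera_url[len(PREFIX):]
    if "../" in rel:  # the check happens before decoding: this is the bug
        return None
    decoded = unquote(rel).replace("\\", "/")  # what the file layer sees
    return posixpath.normpath(posixpath.join(HELP_BASE, decoded))


def safe_resolve(opera_url: str) -> Optional[str]:
    """Hardened resolver: decode, normalise, then test containment.

    Traversal is rejected regardless of how it was encoded because the
    decision is made on the final, normalised path rather than on the raw
    input. Decoding is done once, matching what the file layer does.
    """
    if not opera_url.lower().startswith(PREFIX):
        return None
    rel = unquote(opera_url[len(PREFIX):]).replace("\\", "/")
    # Absolute paths and drive letters can never be inside the help folder.
    if rel.startswith("/") or (len(rel) > 1 and rel[1] == ":"):
        return None
    base = posixpath.normpath(HELP_BASE)
    candidate = posixpath.normpath(posixpath.join(base, rel))
    if candidate != base and not candidate.startswith(base + "/"):
        return None  # resolved outside HELP_BASE: illegal address
    return candidate


if __name__ == "__main__":
    # Constructed inputs: a legitimate help page and the advisory's escape form.
    for url in ("opera:/help/foo.html",
                "opera:/help/../secret.txt",
                "opera:/help/..%5c..%5c..%5cwinnt/notepad.exe"):
        print(f"{url!r:50} naive={naive_resolve(url)!r:40} "
              f"safe={safe_resolve(url)!r}")
```

The important design point is the order of operations: the naive version rejects the literal form but lets the encoded form reach the file layer, where it is decoded and honoured; the safe version reasons only about the final path and so cannot be fooled by encoding. If a downstream component decodes more than once, the check must decode the same number of times, otherwise the containment test is again evaluated on a different string than the one that is actually used.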



IV EXPLOITATION SCENARIOS & EXPLOIT:


Exploits that depend on knowing the installation path of Opera are helped by 
this vulnerability. The command "opera:/help/" always points to the "<opera 
directory>/help/" directory, so, because of the directory traversal, it can be 
used as a reference point from which other paths are reached. For instance, 
"opera:/help/..%5c" points to the Opera directory. 

The exploit attached with the advisories uses this vulnerability for getting 
the correct path of the "<opera dir>/profile/" folder for exploitation.



V VENDOR RESPONSE & SOLUTION:

The vendor, Opera Software, deserves special mention here. I had previously 
read about Opera Soft's promptness in resolving security vulnerabilities in 
their products. My experience with them is one of the best I ever had with any 
vendor. I hope they continue to maintain their good record even with future 
security issues.

An updated version with a fix (7.22) is available from the site: 
http://www.opera.com/download/




VI CREDIT:


S.G.Masood (sgmasood@xxxxxxxxx)

Hyderabad,
India.


VII DISCLAIMER:

This advisory is meant only for the dissemination of information, alerting the 
general public about a security issue. Use this information at your own 
discretion.

In brief, the author is not responsible for any use, misuse or abuse of this 
information. Also, this information is provided "as is" without any warranty of 
any kind. 

*PHEW*

EOF