<<< Date Index >>>     <<< Thread Index >>>

[Opera 7] Arbitrary File Auto-Saved Vulnerability.



---------------------------------------------------------------------------------
TITLE          : [Opera 7] Arbitrary File Auto-Saved Vulnerability.
                 -= For Whom The Remote Customizing Runs? =-
PRODUCT        : Opera 7 for Windows
VERSIONS       : 7.22 build 3221 (JP:build 3222)
                 7.21 build 3218 (JP:build 3219)
                 7.20 build 3144 (JP:build 3145)
                 7.1x
                 7.0x
VENDOR         : Opera Software ASA (http://www.opera.com/)
SEVERITY       : Critical.
                 An arbitrary file could be saved on Local Disk from Remote.
DISCOVERED BY  : nesumin
AUTHOR         : :: Operash ::
REPORTED DATE  : 2003-11-20
RELEASED DATE  : 2003-11-21
----------------------------------------------------------------------------------

0. PRODUCT
============

  Opera for windows is a GUI based WEB Browser.
  Opera Software ASA (http://www.opera.com/)


1. DESCRIPTION
================

  Opera 7 has a serious Security-Hole in the auto-install function
  for Skin Files and Configuration Files.
  When a user goes to a malicious Web site,  attackers can exploit
  this Security-Hole and make an arbitrary file on arbitrary path
  inside of user's Local Disk from a WEB page.

  With this Security-Hole,  there could be following risks;

    * Infection with Virus or Trojan, etc.
    * Destruction of the system.
    * Leak or alteration of the local data.


2. SYSTEMS AFFECTED
=====================

  7.22 build 3221 (JP:build 3222)
  7.21 build 3218 (JP:build 3219)
  7.20 build 3144 (JP:build 3145)
  7.1x
  7.0x

  All of version 7.xx above has this Security-Hole.


3. EXAMINES
=============

  Opera for Windows:
    Opera 7.22 build 3221 (JP:build 3222)
    Opera 7.21 build 3218 (JP:build 3219)
    Opera 7.20 build 3144 (JP:build 3145)
    Opera 7.11 build 2887
    Opera 7.11 build 2880
    Opera 7.10 build 2840
    Opera 7.03 build 2670
    Opera 7.02 build 2668
    Opera 7.01 build 2651

  Platform:
    Windows 98SE Japanese
    Windows 2000 Professional SP4 Japanese
    Windows XP Professional SP1 Japanese


4. WORKAROUND
===============

  Main Menu "Preferences" -> "File Types", MIME-type list;
  (check-off "Hide file types opened with Opera")

    application/x-opera-skin
    application/x-opera-configuration-skin
    application/x-opera-configuration-mouse
    application/x-opera-configuration-keyboard
    application/x-opera-configuration-toolbar
    application/x-opera-configuration-menu

  If you change the actions of all MIME types above from
  "Open with Opera"  to  "Show download dialog"  or etc,
  the auto-install function will be disabled and you can avoid
  this vulnerability.

  If you want to re-enable the auto-install function, change the
  actions of these MIME types to  "Open with Opera".


5. TECHNICAL DETAILS
======================

  Opera 7 has the auto-install function for Skin File, and version
  7.10 or later has the same one for Configuration Files.
  This auto-install function will be executed when Opera gets an
  arbitrary file with MIME-types from a Remote Server;
  "application/x-opera-configuration-XXXXX" or "application/x-opera
  -skin".
  When Opera receives a file and one of these MIME-types,  whether
  user accept them or not,  the file will automatically be saved
  with the name that was used while downloading to the directory
  for Configuration Files in the User-Directory or Installed-
  Directory.
  But this automatically saved file's name is not sanitized enough.
  Therefore, the file could be saved in any directory which can be
  specified with a relative path when the file name contains the
  illegal character string '..%5C'.  Even though the directory is
  outside of expected scope.
  (This is restricted within the directory that Opera's process
  can write and the existing files cannot be overwritten and deleted.)

  For example, if an executable file was saved in the start-up
  directory and it ran when a user reboots computer, the user would
  face a risk of Virus infection or Trojan horse running inside.
  Moreover, the executable file could be for destroying a computer,
  deleting data or any kinds of malicious one.

  In addition, this vulnerability is different from other
  vulnerabilities like buffer overflow, any advanced skills
  are not necessary for exploiting.  So we assume this is
  highly dangerous for users.


  Additional Description:

  Mr. S. G. Masood has reported a similar vulnerability on 12 Nov 2003
  while we were researching on this vulnerability. 
  And it was announced that the vulnerability Mr. Masood reported has
  fixed at version 7.22.
  Though, what we researched has higher severity and hasn't been
  fixed yet even at version 7.22 now.


6. SAMPLE CODE
================

  The sample code can be found on our WEB page.
  
  http://opera.rainyblue.org/adv/opera06-autosaved-en.php


7. TIME TABLE & VENDOR STATUS
===============================

  2003-09-30 Discovered this vulnerability.
  2003-11-20 Reported to vendor.
  2003-11-20 Vendor said "we have already fixed it in 7.23".
  2003-11-21 Released this advisory.


8. DISCLAIMER
===============

  A. We cannot guarantee the accuracy of all statements in this information.
  B. We do not anticipate issuing updated versions of this information
     unless there is some material change in the facts.
  C. And we will take no responsibility for any kinds of disadvantages by
     using this information.
  D. You can quote this advisory without our permission if you keep the 
following;
     a. Do not distort this advisory's content.
     b. A quoted place should be a medium on the Internet.
  E. If you have any questions, please contact to us.


9. CONTACT, ETC
=================

  :: Operash :: http://opera.rainyblue.org/

  imagine (Operash Webmaster)
  nesumin <nesumin_at_softhome.net>


  Thanks to :

    melorin
    piso(sexy)