Opera: Location, Location, Location
GreyMagic Security Advisory GM#008-OP
=====================================
By GreyMagic Software, 05 Aug 2004.
Available in HTML format at
http://www.greymagic.com/security/advisories/gm008-op/.
Topic: Location, Location, Location.
Discovery date: 19 Jul 2004.
Affected applications:
======================
Opera 7.53 and prior on Windows, Linux and Mac.
Introduction:
=============
On 04-Feb-2003 GreyMagic released an advisory [1] concerning Opera's
security model in v7.0. The advisory depicted several flaws in Opera's
model, one of them allowed for an attacker to overwrite native and custom
functions in a victim window. When the victim web-page executed such
function, the attacker's code executed with the victim's privileges.
Opera tried to prevent such scenarios in Opera 7.01, by blocking
write-access to objects on the victim window.
[1] http://www.greymagic.com/security/advisories/gm002-op/
Discussion:
===========
Unfortunately, Opera failed to block write-access to the often-used
"location" object.
By overwriting methods in this object, an attacker can gain immediate script
access to any web-page that uses one of these methods. This includes both
web-pages in foreign domains and the victim's local file system.
The impacts of this vulnerability include:
* Read-access to files on the victim's file system
* Read-access to lists of files and folders on the victim's file system
* Read-access to emails written or received by M2, Opera's mail program
* Cookie theft
* URL spoofing (phishing)
* Track user browsing history
* Much more...
Several methods are candidates for such attacks: assign(), replace(),
valueOf() and toString(). The first two would be triggered only when the
victim explicitly calls them. The latter ones would be called in many
implicit cases, including:
* str+=location;
* decodeURI(location);
* location*7;
* location+"";
And many others...
In order to gain access to the "file://" protocol, and hence to the entire
file-system, an attacker needs to know of an HTML file in the victim's file
system that actually makes a call to a method in the location object. Such
file was included in virtually all Windows Operating Systems, it is named
"CiAdmin.htm" and it can be found in a very predictable path -
%SystemRoot%/Help/.
Exploit:
========
To exploit this vulnerability an attacker can use a simple <iframe>,
pointing to the victim web-page, and inject the malicious code into its
window. Here's an oversimplified example: