Opera: Location, Location, Location

To: <bugtraq@xxxxxxxxxxxxxxxxx>
Subject: Opera: Location, Location, Location
From: GreyMagic Software <security@xxxxxxxxxxxxx>
Date: Thu, 5 Aug 2004 13:16:52 +0200
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

GreyMagic Security Advisory GM#008-OP
=====================================

By GreyMagic Software, 05 Aug 2004.

Available in HTML format at
http://www.greymagic.com/security/advisories/gm008-op/.

Topic: Location, Location, Location.

Discovery date: 19 Jul 2004.

Affected applications:
======================

Opera 7.53 and prior on Windows, Linux and Mac. 


Introduction:
=============

On 04-Feb-2003 GreyMagic released an advisory [1] concerning Opera's
security model in v7.0. The advisory depicted several flaws in Opera's
model, one of them allowed for an attacker to overwrite native and custom
functions in a victim window. When the victim web-page executed such
function, the attacker's code executed with the victim's privileges. 

Opera tried to prevent such scenarios in Opera 7.01, by blocking
write-access to objects on the victim window. 

[1] http://www.greymagic.com/security/advisories/gm002-op/

Discussion: 
===========

Unfortunately, Opera failed to block write-access to the often-used
"location" object. 

By overwriting methods in this object, an attacker can gain immediate script
access to any web-page that uses one of these methods. This includes both
web-pages in foreign domains and the victim's local file system. 

The impacts of this vulnerability include: 

* Read-access to files on the victim's file system 
* Read-access to lists of files and folders on the victim's file system 
* Read-access to emails written or received by M2, Opera's mail program 
* Cookie theft 
* URL spoofing (phishing) 
* Track user browsing history 
* Much more... 

Several methods are candidates for such attacks: assign(), replace(),
valueOf() and toString(). The first two would be triggered only when the
victim explicitly calls them. The latter ones would be called in many
implicit cases, including: 

* str+=location;
* decodeURI(location);
* location*7;
* location+"";

And many others... 

In order to gain access to the "file://" protocol, and hence to the entire
file-system, an attacker needs to know of an HTML file in the victim's file
system that actually makes a call to a method in the location object. Such
file was included in virtually all Windows Operating Systems, it is named
"CiAdmin.htm" and it can be found in a very predictable path -
%SystemRoot%/Help/. 


Exploit: 
========

To exploit this vulnerability an attacker can use a simple <iframe>,
pointing to the victim web-page, and inject the malicious code into its
window. Here's an oversimplified example:

Prev by Date: TSLSA-2004-0040 - libpng
Next by Date: International DNS compromise?
Previous by thread: TSLSA-2004-0040 - libpng
Next by thread: [SECURITY] [DSA 536-1] New libpng, libpng3 packages fix multiple vulnerabilities
Index(es):
- Date
- Thread