Last Modified: Dec 12 2003

[Opera 7] Arbitrary File Delete Vulnerability
-= How Dare You Delete My Important Files? =-

   PRODUCT Opera 7 for Windows
   VERSIONS 7.22 build 3221 (JP:build 3222)
   7.21 build 3218 (JP:build 3219)
   7.20 build 3144 (JP:build 3145)
   7.1x
   7.0x
   VENDOR Opera Software ASA (http://www.opera.com/)
   SERVERITY Critical.
   An arbitrary file could be deleted on Local Disk from Remote.
   DICOVERED BY nesumin
   AUTHOR :: Operash ::
   REPORTED DATE 2003-11-26
   RELEASED DATE 2003-12-12

PRODUCT

   Opera for windows is a GUI base WEB Browser.
   Opera Software ASA (http://www.opera.com/)

DESCRIPTION

   Displaying a Download Dialog, Opera creates a temporary file.
   But this file name is not sanitized enough,  so that an existing file
   can be deleted.
   Exploiting this vulnerability,  an attacker can delete an arbitrary
   existing file on a local disk from remote.
   With this vulnerability, there could be following risks;
     * Destruction of the system.
     * Destruction of application data.

SYSTEMS AFFECTED

     * 7.22 build 3221 (JP:build 3222)
     * 7.21 build 3218 (JP:build 3219)
     * 7.20 build 3144 (JP:build 3145)
     * 7.1x
     * 7.0x

SYSTEMS NOT AFFECTED

     * 7.23 build 3227 (JP:build 3226)

EXAMINES

Opera for Windows

     * Opera 7.23 build 3227 (JP:build 3226)
     * Opera 7.22 build 3221 (JP:build 3222)
     * Opera 7.21 build 3218 (JP:build 3219)
     * Opera 7.20 build 3144 (JP:build 3145)
     * Opera 7.11 build 2887
     * Opera 7.11 build 2880
     * Opera 7.10 build 2840
     * Opera 7.03 build 2670
     * Opera 7.02 build 2668
     * Opera 7.01 build 2651

Platform

     * Windows 98SE Japanese
     * Windows 2000 Professional SP4 Japanese
     * Windows XP Professional SP1 Japanese

SOLUTION

   Upgrade to version 7.23 or later version.

TECHNICAL DETAILS

   Displaying a Download Dialog, Opera creates a temporary file which is
   based on the name used while downloading in the temporary
   directory.  This temporary file is for searching the associated
   application.
ex.
    Download URL:
      "http://server/path/FILENAME.ext"

    Temporary Filename:
      "c:\windows\temp\FILXXX.tmp.FILENAME.ext"

    (XXX is random string, like "01A")

   But this temporary file name is not sanitized enough so that it can
   possibly contain the illegal character string '..%5C'.
   The file with this string can be located on any paths on the same drive
   as the temporary file.
   If there's an already existing file with the same name on the path, it
   will be overwritten and deleted soon.
ex.
    Download URL:
      "http://server/path/AAAAAAAAAA%5C..%5C..%5Ccalc.exe"

    Temporary Filename:
      "c:\windows\temp\AAAXXX.tmp.AAAAAAAAAA\..\..\calc.exe"

      this is... "c:\windows\calc.exe"

   Therefore, if a user goes to a malicious URL which makes Opera display
   the Download Dialog, his files could be deleted with this vulnerability.
   The conditions of deletable files;
    1. File's path can be specified with a relative path from a temporary
       directory.
    2. File name contains '.' .
    3. Writable file within Opera process's authority.
    4. Except "Read Only" attribute on Windows 9x Kernel.
       Except "Read Only", "System" or "Hide" attributes on Windows NT
       Kernel.

SAMPLE CODE

   None release.

TIME TABLE & VENDOR STATUS

     * 2003-10-09 Discovered this vulnerability.
     * 2003-11-26 Reported to vendor.
     * 2003-12-12 Published this advisory.
       No reply from vendor.
       DISCLAIMER
         1. We cannot guarantee the accuracy of all statements in this
            advisory.
         2. We do not anticipate issuing updated versions of this advisory
            unless there is some material change in the facts.
         3. And we will take no responsibility for any kinds of
            disadvantages by
            using this advisory.
         4. You can quote this advisory without our permission if you keep
            the following;
              1. Do not distort the advisory's content.
              2. Quote only on the Internet media.
         5. If you have any questions, please contact to us.
       CONTACT, ETC
       :: Operash :: http://opera.rainyblue.org/
          + imagine <imagine20xx@gmx.net> ( Webmaster )
          + nesumin <nesumin@softhome.net>

Thanks to
          + anima
          + melorin
          + piso(sexy)


   Copyright © 2003  :: Operash :: All rights reserved