
opera07autodel.txt

Posted Dec 29, 2003
Authored by Nesumin | Site opera.rainyblue.org

Opera versions 7.22 and below allow for a remote site to overwrite local files during temporary file creation due to a lack of sanitizing filenames.

tags | advisory, remote, local
SHA-256 | 60c29d87a6f9de9b85286c7f945db2574fa8ee1f7e1c33632321555b1477c9ea

----------------------------------------------------------------------
TITLE : [Opera 7] Arbitrary File Delete Vulnerability
-= How Dare You Delete My Important Files? =-
PRODUCT : Opera 7 for Windows
VERSIONS : 7.22 build 3221 (JP:build 3222)
           7.21 build 3218 (JP:build 3219)
           7.20 build 3144 (JP:build 3145)
           7.1x
           7.0x
VENDOR : Opera Software ASA (http://www.opera.com/)
SEVERITY : Critical.
           An arbitrary file on the local disk can be deleted
           remotely.
DISCOVERED BY : nesumin
AUTHOR : :: Operash ::
REPORTED DATE : 2003-11-26
RELEASED DATE : 2003-12-12
ORIGINAL URL : http://opera.rainyblue.org/adv/opera07-autodel-en.php
----------------------------------------------------------------------

0. PRODUCT
============

Opera for Windows is a GUI-based web browser.
Opera Software ASA (http://www.opera.com/)


1. DESCRIPTION
================

When it displays a Download Dialog, Opera creates a temporary file.
The name of this file is not sanitized sufficiently, so an existing
file can be deleted.

By exploiting this vulnerability, a remote attacker can delete
an arbitrary existing file on a local disk.

This vulnerability carries the following risks:

* Destruction of the system.
* Destruction of application data.


2. SYSTEMS AFFECTED
=====================

7.22 build 3221 (JP:build 3222)
7.21 build 3218 (JP:build 3219)
7.20 build 3144 (JP:build 3145)
7.1x
7.0x


3. SYSTEMS NOT AFFECTED
=========================

7.23 build 3227 (JP:build 3226)


4. TESTED ON
==============

Opera for Windows:
Opera 7.23 build 3227 (JP:build 3226)
Opera 7.22 build 3221 (JP:build 3222)
Opera 7.21 build 3218 (JP:build 3219)
Opera 7.20 build 3144 (JP:build 3145)
Opera 7.11 build 2887
Opera 7.11 build 2880
Opera 7.10 build 2840
Opera 7.03 build 2670
Opera 7.02 build 2668
Opera 7.01 build 2651

Platform:
Windows 98SE Japanese
Windows 2000 Professional SP4 Japanese
Windows XP Professional SP1 Japanese


5. SOLUTION
===============

Upgrade to version 7.23 or later.


6. TECHNICAL DETAILS
======================

When it displays a Download Dialog, Opera creates a temporary file
in the temporary directory. The name of this file is based on the
name used for the download. The temporary file is used to look up
the associated application.

---------------------------------------------------------------
ex)

Download URL:
"http://server/path/FILENAME.ext"

Temporary Filename:
"c:\windows\temp\FILXXX.tmp.FILENAME.ext"

(XXX is random string, like "01A")
---------------------------------------------------------------

However, this temporary file name is not sanitized sufficiently,
so it can contain the illegal character string '..%5C'.
A file name containing this string can resolve to any path on the
same drive as the temporary file.
If a file with the same name already exists at that path, it is
overwritten and then deleted shortly afterwards.

---------------------------------------------------------------
ex)

Download URL:
http://server/path/AAAAAAAAAA%5C..%5C..%5Ccalc.exe

Temporary Filename:
"c:\windows\temp\AAAXXX.tmp.AAAAAAAAAA\..\..\calc.exe"

which resolves to "c:\windows\calc.exe"

---------------------------------------------------------------

Therefore, if a user visits a malicious URL that makes Opera
display the Download Dialog, the user's files could be deleted
through this vulnerability.


A file can be deleted if it meets these conditions:

1. The file's path can be specified as a relative path
from the temporary directory.
2. The file name contains '.'.
3. The file is writable with the privileges of the Opera process.
4. On the Windows 9x kernel, the file does not have the "Read Only"
attribute. On the Windows NT kernel, it does not have the
"Read Only", "System" or "Hidden" attributes.
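
The following is an added example, not part of the original advisory and
not Opera's code. It models the temporary-file naming described above with
Python's `ntpath` (Windows path rules on any OS), and contrasts it with a
hardened version that keeps only a separator-free leaf and verifies that the
result stays inside the temporary directory. The function names and the fixed
token "01A" (standing in for the random "XXX") are assumptions.

```python
import ntpath
from urllib.parse import urlsplit, unquote

TEMP_DIR = r"c:\windows\temp"   # temp directory from the advisory's example
TOKEN = "01A"                   # constructed stand-in for the random "XXX" part


def naive_temp_path(url):
    """Model of the flawed naming: the decoded URL leaf is used unsanitized."""
    leaf = unquote(urlsplit(url).path.rsplit("/", 1)[-1])
    return TEMP_DIR + "\\" + leaf[:3] + TOKEN + ".tmp." + leaf


def escapes_temp_dir(path):
    """True if the path, once '..' is resolved, lies outside TEMP_DIR."""
    resolved = ntpath.normcase(ntpath.normpath(path))
    base = ntpath.normcase(ntpath.normpath(TEMP_DIR))
    # commonpath compares whole components, so "temp2" does not match "temp".
    return ntpath.commonpath([resolved, base]) != base


def safe_temp_path(url):
    """Hardened naming: keep only a separator-free leaf, then re-check."""
    leaf = unquote(urlsplit(url).path.rsplit("/", 1)[-1])
    # Drop everything up to the last '\' or '/' that appears after decoding.
    leaf = leaf.replace("/", "\\").rsplit("\\", 1)[-1]
    # Replace characters Windows does not allow in a file name.
    leaf = "".join("_" if c in '<>:"|?*' or ord(c) < 32 else c for c in leaf)
    if leaf in ("", ".", ".."):
        leaf = "download"
    path = TEMP_DIR + "\\" + leaf[:3] + TOKEN + ".tmp." + leaf
    # Defense in depth: refuse any name that still resolves elsewhere.
    if escapes_temp_dir(path):
        raise ValueError("temporary file would leave the temp directory")
    return path
```

The containment check is what matters for defense: decoding must happen
before the check, otherwise '%5C' passes as an ordinary character.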


7. SAMPLE CODE
================

None released.


8. TIME TABLE & VENDOR STATUS
===============================

2003-10-09 Discovered this vulnerability.
2003-11-26 Reported to vendor.
2003-12-12 Released this advisory.

No reply from vendor.


9. DISCLAIMER
===============

A. We cannot guarantee the accuracy of all statements in this information.
B. We do not anticipate issuing updated versions of this information
unless there is some material change in the facts.
C. We take no responsibility for any kind of disadvantage caused by
using this information.
D. You may quote this advisory without our permission if you observe the following:
a. Do not distort this advisory's content.
b. The quotation should appear in a medium on the Internet.
E. If you have any questions, please contact us.


10. CONTACT, ETC
==================

:: Operash :: http://opera.rainyblue.org/

imagine (Operash Webmaster)
nesumin <nesumin[at]softhome[dot]net>


Thanks to :

anima
melorin
piso