
SA-20060413-0.txt

Posted Apr 19, 2006
Authored by Bernhard Mueller | Site sec-consult.com

SEC-CONSULT Security Advisory 20060413-0 title: Opera Browser versions less than or equal to 8.52 CSS Attribute Integer Wrap and buffer overflow

tags | advisory, overflow
SHA-256 | dcd897dcb4d39d9b5637377385db693ba270ea31b7ef988a7b4ecf1ccb586ecb

SEC-CONSULT Security Advisory 20060413-0
========================================
title: Opera Browser CSS Attribute Integer Wrap / Buffer Overflow
program: Opera
vulnerable version: <= 8.52
homepage: www.opera.com
found: 2006-03-01
by: SEC Consult / www.sec-consult.com
=========================================


Vulnerability overview:
---------------

Due to a signedness error in the length check in a string utility
function, a signed expansion and a subsequent call to wcsncpy, it is
possible to overwrite large portions behind the target buffer. Doing so
crashes the application. Exploitation for code execution seems hard due
to the large amount of memory being copied, of which only a small
portion can be controlled (we didn't spend too much time on that, though).
The bug can be triggered by specifying a long value within a stylesheet
attribute.

<STYLE type=text/css>A { FONT-FAMILY: 35000x'A' } </STYLE>

Vulnerability details:
---------------

The disassembly of the vulnerable function follows. Note that the signed
comparison at 0x67B8CF0D can be bypassed if arg_length > 0x7FFFFFFF.

.text:67B8CEFE ; int __stdcall POC_CALL_TO_WCSNCPY_67B8CEFE(wchar_t *,int)
.text:67B8CEFE POC_CALL_TO_WCSNCPY_67B8CEFE proc near ; CODE XREF: sub_67B4DB72+9D6p
.text:67B8CEFE ; _POC_CALL_WSCNCPY_67B8AE6E+1B4p
.text:67B8CEFE
.text:67B8CEFE arg_pbuf_src= dword ptr 4
.text:67B8CEFE arg_length= dword ptr 8
.text:67B8CEFE
.text:67B8CEFE mov eax, POC_pbuf_target
.text:67B8CF03 push ebx
.text:67B8CF04 push esi
.text:67B8CF05 push edi
.text:67B8CF06 mov edi, [esp+0Ch+arg_length]
.text:67B8CF0A mov esi, [eax+40h]
.text:67B8CF0D cmp edi, 4096
.text:67B8CF13 mov ebx, ecx
.text:67B8CF15 jl short loc_67B8CF1C ; signedness error
.text:67B8CF17 mov edi, 4095
.text:67B8CF1C
.text:67B8CF1C loc_67B8CF1C: ; CODE XREF: POC_CALL_TO_WCSNCPY_67B8CEFE+17j
.text:67B8CF1C push edi ; size_t
.text:67B8CF1D push [esp+10h+arg_pbuf_src] ; wchar_t *
.text:67B8CF21 push esi ; wchar_t *
.text:67B8CF22 call _wcsncpy
.text:67B8CF27 and word ptr [esi+edi*2], 0
.text:67B8CF2C add esp, 0Ch
.text:67B8CF2F mov ecx, ebx
.text:67B8CF31 push esi ; wchar_t *
.text:67B8CF32 call sub_67B8CD10
.text:67B8CF37 test ax, ax
.text:67B8CF3A jge short loc_67B8CF48
.text:67B8CF3C mov ecx, [ebx+5D0h]
.text:67B8CF42 call sub_67B8C7BC
.text:67B8CF47 inc eax
.text:67B8CF48
.text:67B8CF48 loc_67B8CF48: ; CODE XREF: POC_CALL_TO_WCSNCPY_67B8CEFE+3Cj
.text:67B8CF48 pop edi
.text:67B8CF49 pop esi
.text:67B8CF4A pop ebx
.text:67B8CF4B retn 8
.text:67B8CF4B POC_CALL_TO_WCSNCPY_67B8CEFE endp


Passing a 2GB string to the application may not seem feasible at first.
However, due to another problem we found in a calling function it is
enough to inject a 32k string, which Opera sign extends to a large
negative value before it is passed to the above function.


.text:67B8AF62 loc_67B8AF62: ; CODE XREF: _POC_CALL_WSCNCPY_67B8AE6E+E2j
.text:67B8AF62 movsx eax, [ebp+var_length_ovfl] ; here the error occurs: short int length is sign extended
.text:67B8AF62 ; to a long integer. the result is a large negative value if length
.text:67B8AF62 ; is negative.
.text:67B8AF66 jmp short loc_67B8AF5D
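The two code paths described above, as an added C example that is not part of the advisory: the 16-bit sign extension at 67B8AF62 and the signed compare at 67B8CF0D are reproduced as plain functions that only compute the count wcsncpy would receive (no oversized copy is performed), followed by a hardened copy that keeps the length unsigned. The 4096-entry target buffer and a 32-bit size_t are assumptions taken from the listing; the 35000-character source is constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <wchar.h>

#define TARGET_CAP 4096   /* the bound compared against at 67B8CF0D (assumed buffer size) */

/* Mirrors the movsx at 67B8AF62: a 16-bit length is sign-extended to a
 * 32-bit int, so any value >= 0x8000 (e.g. 35000) becomes negative. */
int sign_extend_length(unsigned int length)
{
    unsigned int v = length & 0xFFFFu;
    return v >= 0x8000u ? (int)v - 0x10000 : (int)v;
}

/* Mirrors cmp/jl at 67B8CF0D: a SIGNED comparison, so a negative length
 * skips the clamp to 4095 and is pushed to wcsncpy as an unsigned size_t
 * (32-bit here, as in the original binary). */
uint32_t vulnerable_copy_count(int length)
{
    int n = length;
    if (!(n < TARGET_CAP))       /* jl not taken -> clamp to 4095 */
        n = TARGET_CAP - 1;
    return (uint32_t)n;          /* push edi ; size_t */
}

/* Hardened variant: length stays unsigned, is clamped to the real capacity
 * and the terminator lands inside the buffer. Returns characters copied. */
size_t hardened_copy(wchar_t *dst, size_t dst_cap, const wchar_t *src, size_t length)
{
    if (dst_cap == 0) return 0;
    size_t n = length > dst_cap - 1 ? dst_cap - 1 : length;
    wcsncpy(dst, src, n);
    dst[n] = L'\0';
    return n;
}

/* Feeds a constructed 35000-character source through the hardened copy. */
size_t demo_hardened(void)
{
    static wchar_t dst[TARGET_CAP];
    wchar_t *src = malloc(35001 * sizeof *src);
    if (!src) return 0;
    for (size_t i = 0; i < 35000; i++) src[i] = L'A';
    src[35000] = L'\0';
    size_t copied = hardened_copy(dst, TARGET_CAP, src, 35000);
    free(src);
    return copied;
}
```

For the 35000-character value, vulnerable_copy_count(sign_extend_length(35000)) yields 0xFFFF88B8, which is the size wcsncpy is asked to copy into a 4096-entry buffer.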


Vendor status:
---------------
vendor notified: 2006-03-14
vendor response: 2006-03-16
fixed: 2006-04-05

The bug has been fixed in Opera 8.54 and in current versions of Opera 9.0.


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Unternehmensberatung GmbH
Office Vienna
Blindengasse 3
A-1080 Wien
Austria

Tel.: +43 / 1 / 409 0307 - 570
Fax.: +43 / 1 / 409 0307 - 590
Mail: office at sec-consult dot com
www.sec-consult.com

EOF SEC Consult Vulnerability Lab / @2005

Greetings ::: Walter B, Flo, Chris, Laura, TkE, DFA, KOMRADE