
opera9-dos.txt

Posted Dec 6, 2007
Authored by Gynvael Coldwind

Opera is vulnerable to a remote denial of service attack, using specially crafted BMP files, that causes the browser to freeze for a short amount of time (around 4 minutes on a fast computer).

tags | advisory, remote, denial of service
SHA-256 | 93b879e9a06d7e933fad2efbb0ff9f866107dcf04c983da9154afa99bd7a2b12

* Name   : Opera 9.50 beta / 9.24 Remote DoS
* Type : Remote DoS
* Credits: Gynvael Coldwind of Vexillium & Simey
* Impact : Low

* Short description

Opera is vulnerable to a remote DoS attack, using specially crafted BMP
files, that causes the browser to freeze for a short amount of time
(around 4 minutes on a fast computer). An attacker could create a web
page that contains multiple BMP files displayed by an <img> tag. This
would freeze the browser for N*4 minutes, where N is the number of
images (so with 100 images, the browser freezes for almost 7 hours).
While frozen, the browser consumes 100% CPU power.


* Verbose description

The BMP file format allows Run Length Encoding for 4 and 8 bit
bitmaps. The RLE used in the BMP format has additional features such
as skipping the decompression write pointer to the end of the line
(bytes 00 00), skipping to the end of the bitmap (00 01), and moving
the write pointer to another line and column (00 02 XX YY).

Opera has an ultra slow implementation of the 00 02 XX YY feature.
Normally a decompression algorithm adds XX and YY * width to the
write pointer, but Opera has implemented a much slower way, with
additional checks etc. The implementation performs XX + YY * width
increments (each with its own checks and other calculations).

An attacker could use this fact to create a BMP file with maximum
possible width (in Opera this would be around 32000 pixels), and
the file's data should be filled with 00 02 FF FF opcodes (see
DoS_PoC/DoS_BMP_Generator/test10.cpp for a sample generator).

One malformed bitmap freezes the browser for some time. The time
depends on CPU speed. Simple benchmark tests have been performed:

CPU TYPE/SPEED               TIME
Intel Core 2 Quad 2.4 GHz    over 4 minutes
Intel Celeron M 1.6 GHz      over 20 minutes

During this time the browser is frozen, does not react to user
commands, and does not redraw its content.

Additionally, the attacker could create a web page that contains
multiple images (<img> tag) to freeze the browser for N*OneFreezeTime
(where N is the number of images). See DoS_PoC/RunMe.html for a simple
example (10 bitmaps used). Please note that due to Opera's bitmap
caching, each bitmap should be named differently (for example
test1.bmp, test2.bmp, and so on).
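
A bounds-checked, constant-time way to handle the 00 02 XX YY escape described above, as an added example (not part of the original advisory and not Opera's code). The names rle8_walk and rle8_result are hypothetical, and naive_steps only counts the XX + YY * width increments the advisory attributes to the slow implementation.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef struct {          /* hypothetical names for this example, not Opera's code */
    int ok;               /* 1 = reached 00 01 without leaving the bitmap */
    uint64_t naive_steps; /* XX + YY*width increments a per-pixel delta loop would do */
    uint32_t x, y;        /* write position when the walk stopped */
} rle8_result;
/* Walk an RLE8 stream, tracking only the write position. Deltas are applied
 * with one addition per axis and bounds-checked, so each opcode costs O(1). */
rle8_result rle8_walk(const uint8_t *d, size_t n, uint32_t width, uint32_t height)
{
    rle8_result r = {0, 0, 0, 0};
    size_t i = 0;
    while (n - i >= 2) {
        uint32_t a = d[i], b = d[i + 1];
        i += 2;
        if (a != 0) {                        /* run: a pixels of colour b */
            if (r.y >= height || a > width - r.x) return r;
            r.x += a;
        } else if (b == 0) {                 /* 00 00: end of line */
            if (r.y >= height) return r;
            r.x = 0; r.y++;
        } else if (b == 1) {                 /* 00 01: end of bitmap */
            r.ok = 1; return r;
        } else if (b == 2) {                 /* 00 02 XX YY: move write pointer */
            if (n - i < 2) return r;
            uint32_t dx = d[i], dy = d[i + 1];
            i += 2;
            r.naive_steps += dx + (uint64_t)dy * width;
            if (dx > width - r.x || dy > height - r.y) return r;
            r.x += dx; r.y += dy;            /* constant time, no per-pixel loop */
        } else {                             /* absolute: b literal pixels, 16-bit padded */
            size_t len = (size_t)b + (b & 1);
            if (len > n - i || r.y >= height || b > width - r.x) return r;
            i += len; r.x += b;
        }
    }
    return r;                                /* data ended without 00 01: rejected */
}

int main(void)
{
    /* Constructed sample for an 8x4 bitmap: run of 3, delta (2,1), EOL, end. */
    const uint8_t s[] = {0x03, 0xAA, 0x00, 0x02, 0x02, 0x01, 0x00, 0x00, 0x00, 0x01};
    rle8_result r = rle8_walk(s, sizeof s, 8, 4);
    printf("ok=%d naive_steps=%llu\n", r.ok, (unsigned long long)r.naive_steps);
    return 0;
}
```

A decoder built this way stops at the first delta that leaves the bitmap, so a stream of repeated out-of-range deltas is rejected after one opcode.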


* Proof of Concept

(This DoS'es the Opera, no warning is provided ;>)
http://gynvael.vexillium.org/opera_dos/


* Disclaimer

This document and all the information it contains is provided "as is",
without any warranty. The author is not responsible for the
misuse of the information provided in this advisory. The advisory is
provided for educational purposes only.

Permission is hereby granted to redistribute this advisory, providing
that no changes are made and that the copyright notices and
disclaimers remain intact.