
aklink-sa-2008-006-opera-heap-overflow.txt

Posted May 28, 2008
Authored by FX, Alexander Klink | Site cynops.de

Opera versions below 9.25 are susceptible to a heap-based buffer overflow that allows for a denial of service and possibly code execution.

tags | advisory, denial of service, overflow, code execution
advisories | CVE-2007-6521
SHA-256 | f6dc341cce8dd3f5bc84c05a0c44cde29463acefebfde3867a34bf222e7aabf7

============================================
||| Security Advisory AKLINK-SA-2008-006 |||
||| CVE-2007-6521 (CVE candidate) |||
============================================

Opera - heap-based buffer overflow
==================================

Date released: 28.05.2007
Date reported: 05.10.2007
$Revision: 1.1 $

by Alexander Klink
Cynops GmbH
a.klink@cynops.de
https://www.cynops.de/advisories/CVE-2007-6521.txt
(S/MIME signed: https://www.cynops.de/advisories/CVE-2007-6521-signed.txt)
https://www.klink.name/security/aklink-sa-2008-006-opera-heap-overflow.txt
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6521

Vendor: Opera Software ASA
Product: Opera
Website: http://www.opera.com
Vulnerability: heap-based buffer overflow
Class: remote
Status: patched (mostly)
Severity: moderate (denial of service, possibly code execution)
Releases known to be affected: 9.23, 9.24
Releases known NOT to be affected: 9.25

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Background:

Opera is a closed-source cross-platform web browser with a market
share of about 1-2%.

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Overview:

When connecting to a TLS-protected website, Opera parses the X.509
certificate including the so-called "subject alternative names".
Using a certificate with a specially crafted subject alternative name,
an attacker can trigger a heap-based buffer overflow in Opera which
leads to denial of service (application crashes) or arbitrary code
execution.

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Technical details:

The heap buffer overflow apparently occurs when creating a string that
is supposed to tell the user that the server name does not match the
DNS subject alternative name in the X.509 certificate.
In the most trivial case (a DNS subject alternative name of "l" x 50000,
for example), this leads to a crash in the following code (using Opera
9.24 on Windows XP SP2):

67AB756A |. 8B0D CC01F967 MOV ECX,DWORD PTR DS:[67F901CC]
67AB7570 |. 8B01 MOV EAX,DWORD PTR DS:[ECX]
67AB7572 |. FF50 10 CALL DWORD PTR DS:[EAX+10]

with EAX = 0x006C006C, i.e. the wchar representation of 'll'.

This means that an attacker can redirect code execution to an address of
their choosing, for example to code placed on the stack.
However, the DNS subject alternative names are stored as IA5Strings in
the certificate, so the addresses one can call from are limited to the
form 0x00??00?? (+10), which somewhat limits exploitability.
JavaScript heap spraying has nevertheless proven effective at populating
such addresses, from where the exploit can continue.
Turning the above into a working and stable exploit is left as an
exercise to the interested reader :-)
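The root cause above is an unbounded dNSName being copied into a fixed heap buffer while building the hostname-mismatch message. The following added example (not part of the advisory, and not Opera's code) parses the DER-encoded GeneralNames value of a subjectAltName extension and flags dNSName entries longer than the RFC 1035 hostname limit, the kind of sanity check a TLS client or certificate-monitoring pipeline can apply before a name is handed to string-building code. The sample SAN values are constructed inline; the names der_tlv, der_encode, dns_names and oversized_names are my own.

```python
MAX_DNS_NAME = 253   # RFC 1035: total hostname length limit
DNSNAME_TAG = 0x82   # GeneralName dNSName: context-specific [2] IMPLICIT IA5String
SEQUENCE_TAG = 0x30

def der_tlv(buf, pos):
    """Decode one DER tag-length-value starting at pos; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length (e.g. 0x82 0xC3 0x50 for 50000)
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(buf):
        raise ValueError("DER length runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length

def der_encode(tag, value):
    """Encode a DER TLV, choosing short- or long-form length as needed."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value

def dns_names(general_names):
    """Return all dNSName strings from a GeneralNames SEQUENCE (the SAN value)."""
    tag, seq, _ = der_tlv(general_names, 0)
    if tag != SEQUENCE_TAG:
        raise ValueError("subjectAltName value must be a SEQUENCE")
    names, pos = [], 0
    while pos < len(seq):
        tag, value, pos = der_tlv(seq, pos)
        if tag == DNSNAME_TAG:
            # IA5String is 7-bit ASCII; replace anything else rather than abort
            names.append(value.decode("ascii", "replace"))
    return names

def oversized_names(general_names, limit=MAX_DNS_NAME):
    """dNSName entries that no legitimate certificate should carry."""
    return [n for n in dns_names(general_names) if len(n) > limit]

# Constructed samples: a benign SAN, and one mimicking the advisory's "l" x 50000 case.
BENIGN_SAN = der_encode(SEQUENCE_TAG,
                        der_encode(DNSNAME_TAG, b"www.example.com")
                        + der_encode(DNSNAME_TAG, b"example.com"))
HUGE_SAN = der_encode(SEQUENCE_TAG, der_encode(DNSNAME_TAG, b"l" * 50000))
```

Rejecting or truncating such names at parse time removes the oversized input before any display string is built, which is the mitigation a client-side fix would aim for.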

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Communication:

* 05.10.2007: Reported bug using Opera's bug reporting website
(bug was not flagged as a security bug, but it was noted
that the bug may be security relevant)
* 07.11.2007: Contacted FX for help, FX replies with verification that
it is a heap-based buffer overflow and potentially exploitable
because ECX (the C++ this pointer) is overwritten
* 09.11.2007: Reported the bug again using Opera's bug reporting website
(flagged as a security bug and with more details)
* 09.11.2007: Claudio Santambrogio from Opera replies with the information
that a fix is already available in internal versions and is
scheduled for inclusion in the next public release which is
due in approximately 4 to 6 weeks. Opera asks for withholding
the advisory until then.
* 14.12.2007: Requested update on release date
* 14.12.2007: Claudio Santambrogio replies: the fix for the Desktop platform
will be rolled out next week. Further investigation on Opera's
side showed that other products are affected as well. Opera
asks for withholding the advisory until those are fixed as well.
* 19.12.2007: Opera 9.25 is released with attribution in the changelog.
* 01.02.2008: Requested update on "other products"
* 13.03.2008: Requested update on "other products"
* 19.03.2008: Claudio replies asking to postpone publication until after
week 17 or 18.
* 06.05.2008: Requested update and informed Opera that I will be talking
about this issue at EuSecWest on May 22nd
* 06.05.2008: Claudio replies that May 21st/22nd is OK
* 06.05.2008: Agreed to publish the advisory then, again enquired as for
what other products are affected
* 23.05.2008: Claudio replies with details on which platforms were/are
affected with the request to withhold those details.

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Solution:

Update to Opera 9.25. This has also been patched in Opera Mini at the
time of the desktop release. It is still unpatched on one particular
platform, though.

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Credits:

- Alexander Klink, Cynops GmbH (discovery)
- Felix "FX" Lindner, Recurity Labs GmbH
(for his detailed analysis of the bug and confirmation that
it is indeed a heap buffer overflow - thanks!)


--
Dipl.-Math. Alexander Klink | IT-Security Engineer | a.klink@cynops.de
mobile: +49 (0)178 2121703 | Cynops GmbH | http://www.cynops.de
----------------------------+----------------------+---------------------
HRB 7833, Amtsgericht | USt-Id: DE 213094986 | Geschäftsführer:
Bad Homburg v. d. Höhe | | Martin Bartosch
