what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Opera RSS Hijacking

Opera RSS Hijacking
Posted Oct 28, 2009
Authored by Inferno from Secure Thoughts

Small write up called Hijacking Opera's Native Page Using Malicious RSS Payloads.

tags | advisory
SHA-256 | c291ffa51806c7d5f361262a1cb308612da9ac85545f1e4435e49c40c2a46aa1

Opera RSS Hijacking

Change Mirror Download
Hijacking Opera's Native Page using malicious RSS payloads
----------------------------------------------------------------------------
---------
For complete post (with images), please visit -
http://securethoughts.com/2009/10/hijacking-operas-native-page-using-malicio
us-rss-payloads/

Well, this one is a continuation of my previous post on Cross Site Scripting
issues relating to RSS feed readers. In that post, I mentioned Scenario (3),
but didn't discuss any details or PoC since Opera Team was actively fixing
it. This issue is now fixed in the latest security update v10.01 from Opera
Team.

In this exploit, an attacker uses a maliciously crafted RSS payload to
achieve full control over the Victim's Opera Browser. The attack works by
convincing a user to visit a RSS feed link. When the user opens the url in
Opera, there are two things that take place. The first one being Javascript
in various RSS feed entries gets executed in the context of the calling
site. This part was discussed in the previous post and can be used to
execute XSS in the context of that site. The second thing that occurs is the
untrusted rss feed content lands up in the Opera's Feed Subscription Page
(also the reason for this post). Since this is a native page, it runs in a
higher privileged zone than the internet zone (something similar to
chrome:// in Firefox and Chrome).

So, if you find a way to execute your malicious javascript in the feed
subscription page, you can essentially execute native opera functions and
ultimately use it to control the Victim's Opera browser. It looks like
Opera's Team did think about the implications of putting untrusted user
content in this page and hence only permitted a certain whitelist of html
tags. In addition, for some html tags such as "A" and "IMG", it required a
certain precondition to be met. See the code snippets captured using Opera
inbuilt debugger DragonFly (you can also use Firebug lite).

Whitelisted HTML Tags Definition - Opera Feed Subscription Page (Source -
DragonFly)
(Image)

HTML Tag Sanitizer/Filter Function - Opera Feed Subscription Page (Source -
DragonFly)
(Image)

If you had tried the simple xss attacks like <img src="x:x" onerror="some
javascript"/> or something like <a onmouseover="some javascript">link</a>,
these won't work here (hint: check out preconditions defined above). It is
important to understand what you are attacking and if read this code, you
will figure out what constitutes a valid malicious payload that will evade
this filter or sanitizer on the Opera Subscriptions Page.

So, here is an example PoC exploit code which executes the
opera.feeds.subscribeNative function to automatically register a feed in
Opera browser without user consent.
http://securethoughts.com/security/rssatomxss/opera10exploit2.atom
(Tested on Opera 10.00 Stable Build 1750)
(Image)

Thanks and Regards,
Inferno
Security Researcher
SecureThoughts.com

Login or Register to add favorites

File Archive:

September 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Sep 1st
    23 Files
  • 2
    Sep 2nd
    12 Files
  • 3
    Sep 3rd
    0 Files
  • 4
    Sep 4th
    0 Files
  • 5
    Sep 5th
    10 Files
  • 6
    Sep 6th
    8 Files
  • 7
    Sep 7th
    30 Files
  • 8
    Sep 8th
    14 Files
  • 9
    Sep 9th
    26 Files
  • 10
    Sep 10th
    0 Files
  • 11
    Sep 11th
    0 Files
  • 12
    Sep 12th
    5 Files
  • 13
    Sep 13th
    28 Files
  • 14
    Sep 14th
    15 Files
  • 15
    Sep 15th
    17 Files
  • 16
    Sep 16th
    9 Files
  • 17
    Sep 17th
    0 Files
  • 18
    Sep 18th
    0 Files
  • 19
    Sep 19th
    12 Files
  • 20
    Sep 20th
    15 Files
  • 21
    Sep 21st
    20 Files
  • 22
    Sep 22nd
    13 Files
  • 23
    Sep 23rd
    12 Files
  • 24
    Sep 24th
    0 Files
  • 25
    Sep 25th
    0 Files
  • 26
    Sep 26th
    30 Files
  • 27
    Sep 27th
    0 Files
  • 28
    Sep 28th
    0 Files
  • 29
    Sep 29th
    0 Files
  • 30
    Sep 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close