---------------------------------------------------------------------------
-                                                                         -
*                Opera : SELECT SIZE Arbitrary null write                 *
-                                                                         -
---------------------------------------------------------------------------

--[ Vulnerability Summary:

Date Published: 03/05/2011
Last Update: 03/05/2011
Advisory ID: TSSA-2011-02
CERT Name: CVE-2011-1824
Title: Opera : SELECT SIZE Arbitrary null write
Remotely Exploitable: Yes
Locally Exploitable: No
Impact: Remote DoS, potentially arbitrary code execution
Advisory URL: http://www.toucan-system.com/advisories/tssa-2011-02.txt

--[ Introduction:

Opera is a web browser with a market share of about 2.74% according to http://en.wikipedia.org/wiki/Usage_share_of_web_browsers . According to the vendor, it runs on "Mac, PC and Linux computers, mobile phones and PDAs, game consoles, and other devices like the Nintendo Wii, DS, Sony Mylo, and more."

--[ Synopsis:

Opera up to and including version 10.60 is vulnerable to an arbitrary memory write of 0x00000000, 4-byte aligned, when processing an HTML page featuring a SELECT tag with a very large SIZE parameter.

--[ Vulnerabilities overview:

When fed an HTML page featuring a very large SIZE parameter in the SELECT tag, Opera deterministically segfaults on the following instruction:

Program received signal SIGSEGV, Segmentation fault.
-----------------------------------------------------------------[regs]
  eax:00000000 ebx:786C7FF8 ecx:0000001D edx:00000008 eflags:00010206
  esi:5E063FF8 edi:00368084 esp:BFE5672C ebp:BFE56738 eip:080BACEB
  cs:0073 ds:007B es:007B fs:0000 gs:0033 ss:007B o d I t s z a P c
[0073:080BACEB]---------------------------------------------------[code]

--[ Instruction:

=> 0x80baceb: mov DWORD PTR [ebx+edx*1],eax

This instruction is an invalid write to memory. After careful analysis, it appears that eax can only be null, which means only 0x00000000 can be written to memory. ebx is also always a multiple of 4, meaning that the invalid write is 4-byte aligned.
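The routine disassembled in the next section reduces the destination to ebx = base + (width << 2) * line, and the only bound it applies is a comparison of line against the object's height field. The C below is an added, constructed model of that computation (not Opera's code; the struct fields, the alloc_bytes member and all function names are assumptions, with the disassembly offsets noted in comments), placed beside a hardened version that overflow-checks every arithmetic step and validates the full byte range against the real allocation before zero-filling. The advisory does not say which operand goes wrong, so the model only shows the class of check whose absence lets such a write land outside the buffer.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the object the routine reads through edx.
 * Field names are assumptions; the offsets are the ones the disassembly
 * dereferences. This is NOT Opera's actual VEGAOpBitmap layout. */
typedef struct {
    uint8_t *pixels;      /* [edx+0x08]: start of pixel storage (initial ebx) */
    uint32_t width;       /* [edx+0x10]: shifted left by 2, i.e. bytes per row / 4 */
    uint32_t dwords;      /* [edx+0x18]: loop counter ecx, dwords written per call */
    int32_t  height;      /* [edx+0x1c]: the only bound `line` (edi) is checked against */
    size_t   alloc_bytes; /* hypothetical: true size of the buffer behind `pixels` */
} model_bitmap;

/* The offset part of the advisory's formula,
 * ([edx+0x10] << 2) * [ebp+0x10], in the 32-bit arithmetic of the crashing
 * build: both the shift and the multiply wrap silently. */
uint32_t unchecked_row_offset(uint32_t width, uint32_t line) {
    return (width << 2) * line;
}

/* Model of the original control flow: bail out only when the base is null or
 * line >= height, otherwise return the byte offset the zero-fill would start
 * at (-1 when rejected). alloc_bytes is never consulted, which is the gap the
 * crash demonstrates. */
int64_t unchecked_add_line_target(const model_bitmap *bm, int32_t line) {
    if (bm->pixels == NULL || line >= bm->height) return -1;
    return (int64_t)unchecked_row_offset(bm->width, (uint32_t)line);
}

/* Hardened variant: every arithmetic step is overflow-checked and the whole
 * byte range [offset, offset + dwords*4) must lie inside the allocation
 * before any memory is written. */
bool checked_add_line(model_bitmap *bm, int32_t line) {
    if (bm->pixels == NULL || line < 0 || line >= bm->height) return false;
    if (bm->width > SIZE_MAX / 4) return false;
    size_t bytes_per_row = (size_t)bm->width * 4;
    if (bytes_per_row != 0 && (size_t)line > SIZE_MAX / bytes_per_row) return false;
    size_t offset = bytes_per_row * (size_t)line;
    if (bm->dwords > SIZE_MAX / 4) return false;
    size_t len = (size_t)bm->dwords * 4;
    if (len > bm->alloc_bytes || offset > bm->alloc_bytes - len) return false;
    memset(bm->pixels + offset, 0, len);   /* eax is always 0 per the advisory */
    return true;
}

/* Constructed scenario: 4 rows of 8 pixels (32 bytes per row, 128 bytes
 * allocated) behind a height field that claims 1000 rows. */
#define MODEL_ROWS  4
#define MODEL_WIDTH 8
#define MODEL_ALLOC (MODEL_ROWS * MODEL_WIDTH * 4)

/* True if the hardened path zero-fills row 3 in place, leaves the neighbouring
 * row intact, and refuses row 10 even though 10 < height. */
bool demo_checked_behaviour(void) {
    uint8_t buf[MODEL_ALLOC];
    memset(buf, 0xAA, sizeof buf);
    model_bitmap bm = { buf, MODEL_WIDTH, MODEL_WIDTH, 1000, sizeof buf };
    if (!checked_add_line(&bm, 3)) return false;
    for (size_t i = 0; i < MODEL_WIDTH * 4; i++)
        if (buf[3 * MODEL_WIDTH * 4 + i] != 0) return false;
    if (buf[2 * MODEL_WIDTH * 4] != 0xAA) return false;
    if (checked_add_line(&bm, 10)) return false;
    return true;
}

/* Offset the original logic would accept for row 10 of the same object:
 * 320, i.e. 192 bytes past the end of the 128-byte allocation. */
int64_t demo_unchecked_target(void) {
    uint8_t buf[MODEL_ALLOC];
    model_bitmap bm = { buf, MODEL_WIDTH, MODEL_WIDTH, 1000, sizeof buf };
    return unchecked_add_line_target(&bm, 10);
}

int main(void) {
    printf("hardened path behaves as expected: %s\n",
           demo_checked_behaviour() ? "yes" : "no");
    printf("unchecked target for row 10: %lld bytes (allocation is %d)\n",
           (long long)demo_unchecked_target(), MODEL_ALLOC);
    printf("32-bit wrap: width 0x10000000, line 4 -> offset 0x%08x\n",
           unchecked_row_offset(0x10000000u, 4u));
    return 0;
}
```

The two demo functions use the same object; the height check accepts row 10 in both, and only the allocation-length check in checked_add_line rejects it. The last printf shows why the offset must also be computed in overflow-checked arithmetic: in 32 bits, (width << 2) * line can wrap back to a small value and alias an unrelated row.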
This instruction actually happens in a routine which zeroes memory for the select tag:

0x80bacb0: push ebp
0x80bacb1: mov ebp,esp
0x80bacb3: push edi
0x80bacb4: push esi
0x80bacb5: push ebx
0x80bacb6: mov edx,DWORD PTR [ebp+0x8]       ; edx is a function argument
0x80bacb9: mov esi,DWORD PTR [ebp+0xc]       ; same for esi
0x80bacbc: mov edi,DWORD PTR [ebp+0x10]
0x80bacbf: mov ecx,DWORD PTR [edx+0x8]
0x80bacc2: test ecx,ecx
0x80bacc4: je 0x80bad00
0x80bacc6: cmp DWORD PTR [edx+0x1c],edi
0x80bacc9: jle 0x80bad00
0x80baccb: mov ecx,DWORD PTR [edx+0x18]
0x80bacce: mov eax,DWORD PTR [edx+0x10]
0x80bacd1: mov ebx,DWORD PTR [edx+0x8]       ; ebx is computed from edx (function argument, see above)
0x80bacd4: test ecx,ecx
0x80bacd6: je 0x80bacf6                      ; ecx null? then return
0x80bacd8: shl eax,0x2                       ; shift eax left by 2 bits
0x80bacdb: xor edx,edx                       ; edx=0 in first iteration
0x80bacdd: imul eax,edi
copyloop:
0x80bace0: add ebx,eax                       ; add eax to ebx
0x80bace2: lea esi,[esi+0x0]
0x80bace8: mov eax,DWORD PTR [esi+edx*1]     ; use esi as an index and read 32 bits into eax
=> 0x80baceb: mov DWORD PTR [ebx+edx*1],eax  ; write the content of eax to the memory pointed to by ebx+edx
0x80bacee: add edx,0x4
0x80bacf1: sub ecx,0x1
0x80bacf4: jne 0x80bace8                     ; if ecx != 0, goto copyloop
0x80bacf6: xor eax,eax
0x80bacf8: pop ebx
0x80bacf9: pop esi
0x80bacfa: pop edi
0x80bacfb: pop ebp
0x80bacfc: ret

The register ebx is therefore computed by the formula below:

ebx = [[ebp+0x8]+0x8] + ([[ebp+0x8]+0x10]<<0x2) * [ebp+0x10]

A few experiments make it easy to verify the range of memory that can be overwritten:

ebx:4403BFC0
ebx:46539FE0
ebx:93B6BF9C
ebx:4D125F94
ebx:941EFFA8
ebx:47E4FF98
ebx:957FDFA0
ebx:9527A000
ebx:53B91FDC
ebx:94177FA0
ebx:93F51F90
ebx:94575FE0
ebx:957FDFA0
ebx:89FCFFDC
ebx:94063FD8
ebx:93E60000
ebx:845E5FFC
ebx:945D3FA0
ebx:456C3FBC
ebx:A466BFE0
ebx:B8035F90
ebx:7032DFC0
ebx:4A813FDC
ebx:4EF07FE0
ebx:5CD67FC8

--[ Mitigation:

Opera users are encouraged to upgrade their web browser to the latest version of the software
(11.10 at the time of writing).

--[ Vulnerable versions:

Vulnerable     : Opera version <= 10.60
Non vulnerable : Opera version >= 10.61

--[ Disclosure timeline:

* 02/08/2010: Toucan System sends the Opera Team a full vulnerability report including test cases.
* 03/08/2010: The Opera Team acknowledges the bug. Vendor assigns it tracker DSK-309026. Vendor identifies the problem as coming from the VEGAOpBitmap::AddLine function. Vendor silently patches the bug in version 10.61.
* 05/01/2011: Toucan System reports the bug to the CERT.
* 19/01/2011: The CERT grants the issue tracker VU#778396.
* 21/04/2011: The CERT grants the issue CVE-2011-1824.
* 03/05/2011: Public disclosure.

--[ Credits:

This vulnerability was discovered by Jonathan Brossard from Toucan System.

--[ About Toucan System:

Toucan System is a French computer security company providing cutting-edge research and security consulting to Fortune 500 as well as smaller companies globally, thanks to a wide range of expertise ranging from reverse engineering and binary analysis to cryptography and risk management.