Last Modified: Dec 12 2003 [Opera 7] Arbitrary File Delete Vulnerability -= How Dare You Delete My Important Files? =- PRODUCT Opera 7 for Windows VERSIONS 7.22 build 3221 (JP:build 3222) 7.21 build 3218 (JP:build 3219) 7.20 build 3144 (JP:build 3145) 7.1x 7.0x VENDOR Opera Software ASA (http://www.opera.com/) SERVERITY Critical. An arbitrary file could be deleted on Local Disk from Remote. DICOVERED BY nesumin AUTHOR :: Operash :: REPORTED DATE 2003-11-26 RELEASED DATE 2003-12-12 PRODUCT Opera for windows is a GUI base WEB Browser. Opera Software ASA (http://www.opera.com/) DESCRIPTION Displaying a Download Dialog, Opera creates a temporary file. But this file name is not sanitized enough, so that an existing file can be deleted. Exploiting this vulnerability, an attacker can delete an arbitrary existing file on a local disk from remote. With this vulnerability, there could be following risks; * Destruction of the system. * Destruction of application data. SYSTEMS AFFECTED * 7.22 build 3221 (JP:build 3222) * 7.21 build 3218 (JP:build 3219) * 7.20 build 3144 (JP:build 3145) * 7.1x * 7.0x SYSTEMS NOT AFFECTED * 7.23 build 3227 (JP:build 3226) EXAMINES Opera for Windows * Opera 7.23 build 3227 (JP:build 3226) * Opera 7.22 build 3221 (JP:build 3222) * Opera 7.21 build 3218 (JP:build 3219) * Opera 7.20 build 3144 (JP:build 3145) * Opera 7.11 build 2887 * Opera 7.11 build 2880 * Opera 7.10 build 2840 * Opera 7.03 build 2670 * Opera 7.02 build 2668 * Opera 7.01 build 2651 Platform * Windows 98SE Japanese * Windows 2000 Professional SP4 Japanese * Windows XP Professional SP1 Japanese SOLUTION Upgrade to version 7.23 or later version. TECHNICAL DETAILS Displaying a Download Dialog, Opera creates a temporary file which is based on the name used while downloading in the temporary directory. This temporary file is for searching the associated application. ex. Download URL: "http://server/path/FILENAME.ext" Temporary Filename: "c:\windows\temp\FILXXX.tmp.FILENAME.ext" (XXX is random string, like "01A") But this temporary file name is not sanitized enough so that it can possibly contain the illegal character string '..%5C'. The file with this string can be located on any paths on the same drive as the temporary file. If there's an already existing file with the same name on the path, it will be overwritten and deleted soon. ex. Download URL: "http://server/path/AAAAAAAAAA%5C..%5C..%5Ccalc.exe" Temporary Filename: "c:\windows\temp\AAAXXX.tmp.AAAAAAAAAA\..\..\calc.exe" this is... "c:\windows\calc.exe" Therefore, if a user goes to a malicious URL which makes Opera display the Download Dialog, his files could be deleted with this vulnerability. The conditions of deletable files; 1. File's path can be specified with a relative path from a temporary directory. 2. File name contains '.' . 3. Writable file within Opera process's authority. 4. Except "Read Only" attribute on Windows 9x Kernel. Except "Read Only", "System" or "Hide" attributes on Windows NT Kernel. SAMPLE CODE None release. TIME TABLE & VENDOR STATUS * 2003-10-09 Discovered this vulnerability. * 2003-11-26 Reported to vendor. * 2003-12-12 Published this advisory. No reply from vendor. DISCLAIMER 1. We cannot guarantee the accuracy of all statements in this advisory. 2. We do not anticipate issuing updated versions of this advisory unless there is some material change in the facts. 3. And we will take no responsibility for any kinds of disadvantages by using this advisory. 4. You can quote this advisory without our permission if you keep the following; 1. Do not distort the advisory's content. 2. Quote only on the Internet media. 5. If you have any questions, please contact to us. CONTACT, ETC :: Operash :: http://opera.rainyblue.org/ + imagine ( Webmaster ) + nesumin Thanks to + anima + melorin + piso(sexy) Copyright © 2003 :: Operash :: All rights reserved