Opera 9.50 beta and prior remote DoS (freeze)

2007-12-06T00:00:00
ID SECURITYVULNS:DOC:18575
Type securityvulns
Reporter Securityvulns
Modified 2007-12-06T00:00:00

Description

  • Name : Opera 9.50 beta / 9.24 Remote DoS
  • Type : Remote DoS
  • Credits: Gynvael Coldwind of Vexillium & Simey
  • Impact : Low

  • Short description

Opera is vulnerable to a remote DoS attack, using spacially crafted BMP files, that causes the browser to freeze for a short amount of time (around 4 minutes on fast computer). An attacker could create a web page that contains multiple BMP files displayed by an <img> tag. This would freeze the browser for N*4 minutes, where N is the number of images (so 100 images, the browser freezez for almost 7 hours). When frozen, the browser consumes 100% CPU power.

  • Verbose description

BMP file format allows Run Length Encoding in case of 4 and 8 bit bitmaps. The RLE used in BMP format has additional features like skipping the decompression write pointer to end of the line (bytes 00 00), skiping to the end of bitmap (00 01), and moving the write pointer to another line and column (00 02 XX YY).

Opera has an ultra slow implementation of the 00 02 XX YY feature. Normalny an decompression algorithm adds XX and YY * width to the write pointer, but Opera has implemented a much slower way, with additional check etc. The implementation performs XX + YY * width incrementations (each with it's own checks and other calculations).

An attacker could use this fact to create a BMP file with maximum possible width (in Opera this would be around 32000 pixels), and the file's data should be filled with 00 02 FF FF opcodes (see DoS_PoC/DoS_BMP_Generator/test10.cpp for a sample generator).

One malformed bitmap freezes the browser for some time. The time depends on CPU speed. A simple benchmark tests have been performed:

CPU TYPE/SPEED TIME Intel Core 2 Quad 2.4 GhZ over 4 minutes Intel Celeron M 1.6 GhZ over 20 minutes

Through this time the browser is frozen, does not react to user commands, and does not redraw it's content.

Additionally, the attacker could create a web page that contains multiple images (<img> tag) to freeze the browser for N*OneFreezeTime (where N is the number of images). See DoS_PoC/RunMe.html for a simple example (10 bitmaps used). Please note that due to Opera's bitmap caching, each bitmap should be named differently (for example test1.bmp, test2.bmp, and so on).

  • Proof of Concept

(This DoS'es the Opera, no warning is provided ;>) http://gynvael.vexillium.org/opera_dos/

  • Disclaimer

This document and all the information it contains is provided "as is", without any warranty. The author is not responsible for the misuse of the information provided in this advisory. The advisory is provided for educational purposes only.

Permission is hereby granted to redistribute this advisory, providing that no changes are made and that the copyright notices and disclaimers remain intact.