[Full-disclosure] Opera - heap based buffer overflow (CVE-2007-6521)

Type securityvulns
Reporter Securityvulns
Modified 2008-05-30T00:00:00


============================================ ||| Security Advisory AKLINK-SA-2008-006 ||| ||| CVE-2007-6521 (CVE candidate) ||| ============================================

Opera - heap-based buffer overflow

Date released: 28.05.2007 Date reported: 05.10.2007 $Revision: 1.1 $

by Alexander Klink Cynops GmbH a.klink@cynops.de https://www.cynops.de/advisories/CVE-2007-6521.txt (S/MIME signed: https://www.cynops.de/advisories/CVE-2007-6521-signed.txt) https://www.klink.name/security/aklink-sa-2008-006-opera-heap-overflow.txt http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6521

Vendor: Opera Software ASA Product: Opera Website: http://www.opera.com Vulnerability: heap-based buffer overflow Class: remote Status: patched (mostly) Severity: moderate (denial of service, possibly code execution) Releases known to be affected: 9.23, 9.24 Releases known NOT to be affected: 9.25

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Background:

Opera is a closed-source cross-platform web browser with a market share of about 1-2%.

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Overview:

When connecting to a TLS-protected website, Opera parses the X.509 certificate including the so-called "subject alternative names". Using a certificate with a specially crafted subject alternative name, an attacker can trigger a heap-based buffer overflow in Opera which leads to denial of service (application crashes) or arbitrary code execution.

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Technical details:

The heap buffer overflow apparently occurs when creating a string that is supposed to tell the user that the server name does not match the DNS subject alternative name in the X.509 certificate. In the most trivial case (a DNS subject alternative name of "l" x 50000, for example), this leads to a crash in the following code (using Opera 9.24 on Windows XP SP2):

67AB756A |. 8B0D CC01F967 MOV ECX,DWORD PTR DS:[67F901CC] 67AB7570 |. 8B01 MOV EAX,DWORD PTR DS:[ECX] 67AB7572 |. FF50 10 CALL DWORD PTR DS:[EAX+10]

with EAX = 0x006C006C, i.e. the wchar representation of 'll'.

This basically means that an attacker can redirect the code execution to where he wants, for example to code he placed on the stack. Unfortunately, the DNS subject alternative names are stored as IA5Strings in the certificate, so the addresses one can call from are limited to 0x00??00?? (+10), which somewhat limits exploitability. Fortunately, JavaScript heap spraying has proven to be effective to spray to such address, from where on the exploit can continue. Turning the above into a working and stable exploit is left as an exercise to the interested reader :-)

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Communication:

  • 05.10.2007: Reported bug using Opera's bug reporting website (bug was not flagged as a security bug, but it was noted that the bug may be security relevant)
  • 07.11.2007: Contacted FX for help, FX replies with verification that it is a heap-based buffer overflow and potentially exploitable because ECX (the C++ this pointer) is overwritten
  • 09.11.2007: Reported the bug again using Opera's bug reporting website (flagged as a security bug and with more details)
  • 09.11.2007: Claudio Santambrogio from Opera replies with the information that a fix is already available in internal versions and is scheduled for inclusion in the next public release which is due in approximately 4 to 6 weeks. Opera asks for withholding the advisory until then.
  • 14.12.2007: Requested update on release date
  • 14.12.2007: Claudio Santambrogio replies: the fix for the Desktop platform will be rolled out next week. Further investigation on Opera's side showed that other products are affected as well. Opera asks for withholding the advisory until those are fixed as well.
  • 19.12.2007: Opera 9.25 is released with attribution in the changelog.
  • 01.02.2008: Requested update on "other products"
  • 13.03.2008: Requested update on "other products"
  • 19.03.2008: Claudio replies asking to postpone publication until after week 17 or 18.
  • 06.05.2008: Requested update and informed Opera that I will be talking about this issue at EuSecWest on May 22nd
  • 06.05.2008: Claudio replies that May 21st/22nd is OK
  • 06.05.2008: Agreed to publish the advisory then, again enquired as for what other products are affected
  • 23.05.2008: Claudio replies with details on which platforms were/are affected with the request to withhold those details.

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Solution:

Update to Opera 9.25. This has also been patched in Opera Mini at the time of the desktop release. It is still unpatched on one particular platform, though.

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Credits:

  • Alexander Klink, Cynops GmbH (discovery)
  • Felix "FX" Lindner, Recurity Labs GmbH (for his detailed analysis of the bug and confirmation that it is indeed a heap buffer overflow - thanks!)

-- Dipl.-Math. Alexander Klink | IT-Security Engineer | a.klink@cynops.de mobile: +49 (0)178 2121703 | Cynops GmbH | http://www.cynops.de ----------------------------+----------------------+--------------------- HRB 7833, Amtsgericht | USt-Id: DE 213094986 | Geschäftsführer: Bad Homburg v. d. Höhe | | Martin Bartosch

Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/