============================================
||| Security Advisory AKLINK-SA-2008-006 |||
||| CVE-2007-6521 (CVE candidate)        |||
============================================

Date released: 28.05.2007
Date reported: 05.10.2007
$Revision: 1.1 $

by Alexander Klink
Cynops GmbH
email@example.com
https://www.cynops.de/advisories/CVE-2007-6521.txt
(S/MIME signed: https://www.cynops.de/advisories/CVE-2007-6521-signed.txt)
https://www.klink.name/security/aklink-sa-2008-006-opera-heap-overflow.txt
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6521

Vendor: Opera Software ASA
Product: Opera
Website: http://www.opera.com
Vulnerability: heap-based buffer overflow
Class: remote
Status: patched (mostly)
Severity: moderate (denial of service, possibly code execution)
Releases known to be affected: 9.23, 9.24
Releases known NOT to be affected: 9.25
Opera is a closed-source cross-platform web browser with a market share of about 1-2%.
When connecting to a TLS-protected website, Opera parses the X.509 certificate including the so-called "subject alternative names". Using a certificate with a specially crafted subject alternative name, an attacker can trigger a heap-based buffer overflow in Opera which leads to denial of service (application crashes) or arbitrary code execution.
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Technical details:
The heap buffer overflow apparently occurs when creating a string that is supposed to tell the user that the server name does not match the DNS subject alternative name in the X.509 certificate. In the most trivial case (a DNS subject alternative name of "l" x 50000, for example), this leads to a crash in the following code (using Opera 9.24 on Windows XP SP2):
67AB756A |. 8B0D CC01F967   MOV ECX,DWORD PTR DS:[67F901CC]
67AB7570 |. 8B01            MOV EAX,DWORD PTR DS:[ECX]
67AB7572 |. FF50 10         CALL DWORD PTR DS:[EAX+10]
with EAX = 0x006C006C, i.e. the wchar representation of 'll'.
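The defensive pattern the bug calls for, as an added example in C that is neither Opera's (closed-source) code nor part of the advisory: validate every dNSName pulled from the subjectAltName against the RFC 1035 length limits before any other code sees it, and build the "server name does not match" message into a buffer sized from the real inputs, with the name clipped for display. The function names, the 64-character display limit, the message wording and the "www.example.com" host are my assumptions; the 50000-character 'l' run is a constructed input mirroring the trivial case above.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* RFC 1035 presentation-form limits (from the RFC, not the advisory):
 * whole name <= 253 characters, each label <= 63. */
#define DNS_NAME_MAX    253
#define DNS_LABEL_MAX   63
#define SAN_DISPLAY_MAX 64   /* assumed policy: how much of a dNSName the dialog shows */

/* Structural check for every dNSName taken from a certificate's
 * subjectAltName, applied before any other code touches the value: length
 * limits, LDH characters only, wildcard only as first character, no empty
 * labels. The advisory's "l" x 50000 value fails the first test. */
bool san_dns_name_is_sane(const char *name)
{
    size_t len = strlen(name);
    if (len == 0 || len > DNS_NAME_MAX) return false;

    size_t label_len = 0;
    for (size_t i = 0; i < len; i++) {
        char c = name[i];
        if (c == '.') {
            if (label_len == 0) return false;   /* ".a" or "a..b" */
            label_len = 0;
            continue;
        }
        bool ldh = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
                   (c >= '0' && c <= '9') || c == '-' || (c == '*' && i == 0);
        if (!ldh || ++label_len > DNS_LABEL_MAX) return false;
    }
    return label_len > 0;                       /* reject a trailing dot */
}

/* Builds the "name does not match" message on the heap. The buffer is sized
 * from the real inputs by a measuring snprintf, and the dNSName is clipped to
 * SAN_DISPLAY_MAX first, so no certificate field can push the copy past the
 * allocation. Caller frees the result. */
char *build_mismatch_message(const char *host, const char *san)
{
    char clipped[SAN_DISPLAY_MAX + 4];          /* name + "..." + NUL */
    size_t san_len = strlen(san);
    if (san_len > SAN_DISPLAY_MAX) {
        memcpy(clipped, san, SAN_DISPLAY_MAX);
        memcpy(clipped + SAN_DISPLAY_MAX, "...", 4);
    } else {
        memcpy(clipped, san, san_len + 1);
    }
    const char *fmt =
        "The server name \"%s\" does not match the certificate's DNS name \"%s\".";
    int needed = snprintf(NULL, 0, fmt, host, clipped);
    if (needed < 0) return NULL;
    char *msg = malloc((size_t)needed + 1);
    if (msg) snprintf(msg, (size_t)needed + 1, fmt, host, clipped);
    return msg;
}

/* Constructed test input mirroring the advisory's trivial case: n 'l's. */
static char *make_l_run(size_t n)
{
    char *s = malloc(n + 1);
    if (!s) return NULL;
    memset(s, 'l', n);
    s[n] = '\0';
    return s;
}

/* True if the validator rejects an n-character run of 'l'. */
bool oversized_name_is_rejected(size_t n)
{
    char *name = make_l_run(n);
    if (!name) return false;
    bool rejected = !san_dns_name_is_sane(name);
    free(name);
    return rejected;
}

/* Length of the message for "www.example.com" against an n-character run of
 * 'l'; stays bounded however large n is. */
size_t mismatch_message_len(size_t n)
{
    char *san = make_l_run(n);
    if (!san) return 0;
    char *msg = build_mismatch_message("www.example.com", san);
    size_t len = msg ? strlen(msg) : 0;
    free(msg);
    free(san);
    return len;
}

int main(void)
{
    size_t n = 50000;                           /* the advisory's "l" x 50000 */
    printf("50000-char dNSName rejected: %s\n",
           oversized_name_is_rejected(n) ? "yes" : "no");
    printf("message length if displayed anyway: %zu\n", mismatch_message_len(n));
    return 0;
}
```

The two layers are independent on purpose: the validator stops an absurd name at the parser, and the message builder stays safe even if a name slips through, because the allocation is measured from the clipped inputs rather than assumed from a fixed size.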
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Solution:

Update to Opera 9.25. This has also been patched in Opera Mini at the time of the desktop release. It is still unpatched on one particular platform, though.
--
Dipl.-Math. Alexander Klink | IT-Security Engineer | firstname.lastname@example.org
mobile: +49 (0)178 2121703  | Cynops GmbH          | http://www.cynops.de
----------------------------+----------------------+---------------------
HRB 7833, Amtsgericht       | USt-Id: DE 213094986 | Managing Director:
Bad Homburg v. d. Höhe      |                      | Martin Bartosch

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/