n.runs-SA-2008.010 - Opera HTML parsing Code Execution

2008-12-17T00:00:00
ID SECURITYVULNS:DOC:21036
Type securityvulns
Reporter Securityvulns
Modified 2008-12-17T00:00:00

Description

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1

n.runs AG http://www.nruns.com/ security(at)nruns.com n.runs-SA-2008.010 16-Dec-2008


Vendor: Opera Software ASA, http://www.opera.com Affected Products: Opera Browser all platforms Vulnerability: HTML parsing flaw lead to remote code execution Risk: HIGH


Vendor communication:

2008/11/10 Initial notification to Opera including n.runs RFP and n.runs PGP public key 2008/11/12 Opera response and remarks to agree in general with n.runs RFP but depending on the issue the timeline for a fix might have to be longer than the one mentioned in n.runs RFP (30 days) 2008/11/12 n.runs replies and outlines following a responsible disclosure policy as long as Opera keep n.runs in the loop. n.runs send with same email a zip archive including two PoC files and detailed crash log analysis 2008/11/14 n.runs resends the last email with a download link for the PoCs because Opera's MX Server did not accept the enclosed encrypted zip archive 2008/11/14 Opera acknowledges the PoC files 2008/11/24 Opera communicates to n.runs that they identified the nature of the issue and that they are looking into a fix 2008/12/12 Opera sends n.runs a current draft of the Opera advisory and notifies new version is scheduled to be released early next week 2008/12/16 Opera releases Opera 9.63 [1] 2008/12/16 n.runs releases this advisory


Overview:

Quoting http://www.opera.com/company/: "Opera started in 1994 as a research project within Norway's largest telecom company, Telenor. Within a year, it branched out to become an independent development company named Opera Software ASA.

Today, Opera Software develops the Opera Web browser, a high-quality, multi-platform product for a wide range of platforms, operating systems and embedded Internet products - including Mac, PC and Linux computers, mobile phones and PDAs,game consoles and other devices like the Nintendo Wii and DS, Sony Mylo and more.

Opera's vision is to deliver the best Internet experience on any device. Opera's key business objective is to earn global leadership in the market for PC / desktops and embedded products. Opera's main business strategy is to provide a browser that operates across devices, platforms and operating systems, and can deliver a faster, more stable and flexible Internet experience than its competitors."

Description:

A remotely exploitable vulnerability has been found in the HTML parsing engine.

In detail, the following flaw was determined:

    • Certain HTML constructs affecting an internal heap structure. As a result of a pointer calculation, memory may be corrupted in such a way that an attacker could execute arbitrary code.

Impact

An attacker could exploit the vulnerability by constructing a specially prepared Websit. When a user views the Web page, the vulnerability could allow remote code execution. An attacker who successfully exploits this vulnerability could gain the same user rights as the logged-on user.

Solution:

Opera has issued an update to correct this vulnerability. For detailed information about the fixes follow the link in References [1] section of this document.

n.runs AG wants to highlight the fluent communication with Opera and its very quick response to validate and fix the issue.


Credit: Bugs found by Alexios Fakos of n.runs AG.


References: http://www.opera.com/support/kb/view/921/ [1]

This Advisory and Upcoming Advisories: http://www.nruns.com/security_advisory.php


Unaltered electronic reproduction of this advisory is permitted. For all other reproduction or publication, in printing or otherwise, contact security@nruns.com for permission. Use of the advisory constitutes acceptance for use in an "as is" condition. All warranties are excluded. In no event shall n.runs be liable for any damages whatsoever including direct, indirect, incidental, consequential loss of business profits or special damages, even if n.runs has been advised of the possibility of such damages.

Copyright 2008 n.runs AG. All rights reserved. Terms of use apply.

-----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.8.1 (Build 2523) Charset: us-ascii

wsFVAwUBSUkVgF5rjmT2uFcEAQJhNA//dB4JagGBzVTFk9jt5DlzORUm0ze1ZDpn 2V0KSnEpHO6WvvaTQ0sZSBTLeK4C9zmwPbu8LokjCZWbhdd4u72nTm4BiYow7uH9 NPyHby6LcrfgpsgS057D+F8yJUpax0/S6ijGO8UV2xGUPzwdlZAKa3cK3t4BbyfL S0RgVVhxZldcJR4TZ3+LAqFoSuBupJgY5NJHa2kbvBWOv44bhZxikNXb+Zr72g5s pJDT15i1tXAeqT5jp3wN0iEauz3DVY2e8RQY9N6mq6AVuPuC8OH7ILYOep3w932p WD4d4U3rPqwGcgvchMOJf4h/rONQg1F3oe3W8xLmC5k8SdqprW07mZ+tj3/HLWVp AQW2VKGl4QBcwnOZjo39M2CrA6SQXFJl3b796OMQm1HF6NOU/yMfJmSsxbtSMkiJ DvNDGwJOQil5OZZcSEGfX8veGCKbloLJ5KzvpqKm3tC7Im4T1QAQ6c77gg2VnUvl VfR2YOyhdQzTc/yOEaVyU05XJ225l62sCp/HPVuPZrTaCty4QUtpxknzo+AzgtsR fO1lRJcdec6md0FmBUTIC8G56qF5hXJsmZf5I+9bEo2dxGlwlr6/pA+pjY9ikHes wlCgpqqPKj/LwukFxSXFDPWeMFVq4hahPsf1UO4IHYGOXtLupiXn5Kbvy3csjY50 vmTd/uGlIyU= =opn5 -----END PGP SIGNATURE-----