GreyMagic Security Advisory GM#002-OP ===================================== By GreyMagic Software, Israel. 04 Feb 2003. Available in HTML format at http://security.greymagic.com/adv/gm002-op/. Topic: Opera's Security Model is Highly Vulnerable. Discovery date: 14 Nov 2002. Affected applications: ====================== Opera 7 (final). Introduction: ============= Opera recently released a new version of its browser. Version 7 brings many long-awaited features such as proper DOM support and an improved rendering engine. However, Opera seems to have neglected one of the most important aspects in any browser today, its default cross-domain security model. Discussion: =========== All browsers with Javascript support deploy a cross-domain security model, which, in essence, attempts to prevent documents from one domain to access other documents in different domains. Opera 7 deployed a fundamentally different approach to cross-domain security, a caller-based model, rather than the origin-based model deployed in other browsers. The vulnerability is comprised of three different flaws in that model: * Functions in different domains can be accessed and executed. * Functions are being executed under the caller's domain credentials and not in their originating domain. * It is possible to override properties and methods (both native and user-defined) in other windows. The first flaw means that a window in one domain is able to execute functions in a window that's in a different domain. This flaw in itself is not a big threat because of the second flaw, which means that even if a function in the victim window is executed, it is executed with the attacker's credentials, and therefore unable to access the victim's document. The second flaw means that if the attacker can get the victim to execute a function, it will run under the victim's credentials. And because of the first flaw, the victim will have no problems accessing a malicious function created by the attacker. The third, and most devastating flaw means that the attacker is able to trojanize native methods in the victim window with his own code and simply wait for the victim to execute it. With these three flaws combined, it becomes extremely easy to exploit any document that uses some scripting, including local resources in the file:// protocol. Being able to access local resources in Opera means that the attacker would be able to: * Read any file on the user's file system. * Read the contents of directories on the user's file system. * Read emails written or received by M2, Opera's mail program. * And more... Exploit: ======== A perfect candidate for exploitation is Opera's own Javascript console, which arrives in the form of three separate files in Opera's installation directory. The file "console.html" makes a very early call to the native method "setInterval", which can be overridden by an attacking window. This scenario does not require any user interaction. <script language="jscript"> var oWin=open("file://localhost/console.html","",""); oWin.setInterval=function () { alert("Access to local resource achieved: "+oWin.location.href); } </script> The "file://localhost/" URL appearing in this sample is a convenient method provided by Opera in order to access the selected directory (Opera's home by default). Demonstration: ============== We put together two proof-of-concept demonstrations: * Simple: Reads cookies from a few well-known sites and demonstrates access to a local resource. * GreyMagic Opera Disk Explorer: Browse your entire file system using this explorer-like tool, which takes advantage of this vulnerability in order to access local resources. They can both be found at http://security.greymagic.com/adv/gm002-op/. Solution: ========= Opera was notified of a variation of this issue on 14-Nov-2002, but appareantly failed to understand the core issues and only patched one symptom of the problem (it was possible for foreign windows to simply set event handlers in Beta 1). In the meantime, until a patch becomes available, disable Javascript by going to: File -> Preferences -> Multimedia, and uncheck the "Enable JavaScript" item. Credits: ======== Many thanks to Tom Gilder for his excellent help in researching this vulnerability. Tested on: ========== Opera 7 NT4. Opera 7 Win98. Opera 7 Win2000. Opera 7 WinXP. Disclaimer: =========== The information in this advisory and any of its demonstrations is provided "as is" without warranty of any kind. GreyMagic Software is not liable for any direct or indirect damages caused as a result of using the information or demonstrations provided in any part of this advisory. Feedback: ========= Please mail any questions or comments to security@greymagic.com. - Copyright © 2003 GreyMagic Software.
