---------------------------------------------------------------------------------
TITLE : [Opera 7] Arbitrary File Auto-Saved Vulnerability.
-= For Whom The Remote Customizing Runs? =-
PRODUCT : Opera 7 for Windows
VERSIONS : 7.22 build 3221 (JP:build 3222)
7.21 build 3218 (JP:build 3219)
7.20 build 3144 (JP:build 3145)
7.1x
7.0x
VENDOR : Opera Software ASA (http://www.opera.com/)
SEVERITY : Critical.
An arbitrary file could be saved on Local Disk from Remote.
DISCOVERED BY : nesumin
AUTHOR : :: Operash ::
REPORTED DATE : 2003-11-20
RELEASED DATE : 2003-11-21
----------------------------------------------------------------------------------
0. PRODUCT
============
Opera for windows is a GUI based WEB Browser.
Opera Software ASA (http://www.opera.com/)
1. DESCRIPTION
================
Opera 7 has a serious Security-Hole in the auto-install function
for Skin Files and Configuration Files.
When a user goes to a malicious Web site, attackers can exploit
this Security-Hole and make an arbitrary file on arbitrary path
inside of user's Local Disk from a WEB page.
With this Security-Hole, there could be following risks;
* Infection with Virus or Trojan, etc.
* Destruction of the system.
* Leak or alteration of the local data.
2. SYSTEMS AFFECTED
=====================
7.22 build 3221 (JP:build 3222)
7.21 build 3218 (JP:build 3219)
7.20 build 3144 (JP:build 3145)
7.1x
7.0x
All of version 7.xx above has this Security-Hole.
3. EXAMINES
=============
Opera for Windows:
Opera 7.22 build 3221 (JP:build 3222)
Opera 7.21 build 3218 (JP:build 3219)
Opera 7.20 build 3144 (JP:build 3145)
Opera 7.11 build 2887
Opera 7.11 build 2880
Opera 7.10 build 2840
Opera 7.03 build 2670
Opera 7.02 build 2668
Opera 7.01 build 2651
Platform:
Windows 98SE Japanese
Windows 2000 Professional SP4 Japanese
Windows XP Professional SP1 Japanese
4. WORKAROUND
===============
Main Menu "Preferences" -> "File Types", MIME-type list;
(check-off "Hide file types opened with Opera")
application/x-opera-skin
application/x-opera-configuration-skin
application/x-opera-configuration-mouse
application/x-opera-configuration-keyboard
application/x-opera-configuration-toolbar
application/x-opera-configuration-menu
If you change the actions of all MIME types above from
"Open with Opera" to "Show download dialog" or etc,
the auto-install function will be disabled and you can avoid
this vulnerability.
If you want to re-enable the auto-install function, change the
actions of these MIME types to "Open with Opera".
5. TECHNICAL DETAILS
======================
Opera 7 has the auto-install function for Skin File, and version
7.10 or later has the same one for Configuration Files.
This auto-install function will be executed when Opera gets an
arbitrary file with MIME-types from a Remote Server;
"application/x-opera-configuration-XXXXX" or "application/x-opera
-skin".
When Opera receives a file and one of these MIME-types, whether
user accept them or not, the file will automatically be saved
with the name that was used while downloading to the directory
for Configuration Files in the User-Directory or Installed-
Directory.
But this automatically saved file's name is not sanitized enough.
Therefore, the file could be saved in any directory which can be
specified with a relative path when the file name contains the
illegal character string '..%5C'. Even though the directory is
outside of expected scope.
(This is restricted within the directory that Opera's process
can write and the existing files cannot be overwritten and deleted.)
For example, if an executable file was saved in the start-up
directory and it ran when a user reboots computer, the user would
face a risk of Virus infection or Trojan horse running inside.
Moreover, the executable file could be for destroying a computer,
deleting data or any kinds of malicious one.
In addition, this vulnerability is different from other
vulnerabilities like buffer overflow, any advanced skills
are not necessary for exploiting. So we assume this is
highly dangerous for users.
Additional Description:
Mr. S. G. Masood has reported a similar vulnerability on 12 Nov 2003
while we were researching on this vulnerability.
And it was announced that the vulnerability Mr. Masood reported has
fixed at version 7.22.
Though, what we researched has higher severity and hasn't been
fixed yet even at version 7.22 now.
6. SAMPLE CODE
================
The sample code can be found on our WEB page.
http://opera.rainyblue.org/adv/opera06-autosaved-en.php
7. TIME TABLE & VENDOR STATUS
===============================
2003-09-30 Discovered this vulnerability.
2003-11-20 Reported to vendor.
2003-11-20 Vendor said "we have already fixed it in 7.23".
2003-11-21 Released this advisory.
8. DISCLAIMER
===============
A. We cannot guarantee the accuracy of all statements in this information.
B. We do not anticipate issuing updated versions of this information
unless there is some material change in the facts.
C. And we will take no responsibility for any kinds of disadvantages by
using this information.
D. You can quote this advisory without our permission if you keep the following;
a. Do not distort this advisory's content.
b. A quoted place should be a medium on the Internet.
E. If you have any questions, please contact to us.
9. CONTACT, ETC
=================
:: Operash :: http://opera.rainyblue.org/
imagine (Operash Webmaster)
nesumin <nesumin_at_softhome.net>
Thanks to :
melorin
piso(sexy)
