----------------------------------------------------------------------
TITLE : [Opera 7] Arbitrary File Delete Vulnerability
-= How Dare You Delete My Important Files? =-
PRODUCT : Opera 7 for Windows
VERSIONS : 7.22 build 3221 (JP:build 3222)
7.21 build 3218 (JP:build 3219)
7.20 build 3144 (JP:build 3145)
7.1x
7.0x
VENDOR : Opera Software ASA (http://www.opera.com/)
SEVERITY : Critical.
An arbitrary file could be deleted on Local Disk
from Remote.
DISCOVERED BY : nesumin
AUTHOR : :: Operash ::
REPORTED DATE : 2003-11-26
RELEASED DATE : 2003-12-12
ORIGINAL URL : http://opera.rainyblue.org/adv/opera07-autodel-en.php
----------------------------------------------------------------------
0. PRODUCT
============
Opera for windows is a GUI base WEB Browser.
Opera Software ASA (http://www.opera.com/)
1. DESCRIPTION
================
Displaying a Download Dialog, Opera creates a temporary file.
But this file name is not sanitized enough, so that an existing
file can be deleted.
Exploiting this vulnerability, an attacker can delete
an arbitrary existing file on a local disk from remote.
With this vulnerability, there could be following risks;
* Destruction of the system.
* Destruction of application data.
2. SYSTEMS AFFECTED
=====================
7.22 build 3221 (JP:build 3222)
7.21 build 3218 (JP:build 3219)
7.20 build 3144 (JP:build 3145)
7.1x
7.0x
3. SYSTEMS NOT AFFECTED
=========================
7.23 build 3227 (JP:build 3226)
4. EXAMINES
=============
Opera for Windows:
Opera 7.23 build 3227 (JP:build 3226)
Opera 7.22 build 3221 (JP:build 3222)
Opera 7.21 build 3218 (JP:build 3219)
Opera 7.20 build 3144 (JP:build 3145)
Opera 7.11 build 2887
Opera 7.11 build 2880
Opera 7.10 build 2840
Opera 7.03 build 2670
Opera 7.02 build 2668
Opera 7.01 build 2651
Platform:
Windows 98SE Japanese
Windows 2000 Professional SP4 Japanese
Windows XP Professional SP1 Japanese
5. SOLUTION
===============
Upgrade to version 7.23 or later version.
6. TECHNICAL DETAILS
======================
Displaying a Download Dialog, Opera creates a temporary file
which is based on the name used while downloading in the
temporary directory. This temporary file is for searching
the associated application.
---------------------------------------------------------------
ex)
Download URL:
"http://server/path/FILENAME.ext";
Temporary Filename:
"c:\windows\temp\FILXXX.tmp.FILENAME.ext"
(XXX is random string, like "01A")
---------------------------------------------------------------
But this temporary file name is not sanitized enough so that
it can possibly contain the illegal character string '..%5C'.
The file with this string can be located on any paths on the
same drive as the temporary file.
If there's an already existing file with the same name on
the path, it will be overwritten and deleted soon.
---------------------------------------------------------------
ex)
Download URL:
http://server/path/AAAAAAAAAA%5C..%5C..%5Ccalc.exe
Temporary Filename:
"c:\windows\temp\AAAXXX.tmp.AAAAAAAAAA\..\..\calc.exe"
this is... "c:\windows\calc.exe"
---------------------------------------------------------------
Therefore, if a user goes to a malicious URL which makes Opera
display the Download Dialog, his files could be deleted with
this vulnerability.
The conditions of deletable files;
1. File's path can be specified with a relative path.
from a temporary directory.
2. File name contains '.' .
3. Writable file within Opera process's authority.
4. Except "Read Only" attribute on Windows 9x Kernel.
Except "Read Only", "System" or "Hide" attributes on
Windows NT Kernel.
7. SAMPLE CODE
================
None release.
8. TIME TABLE & VENDOR STATUS
===============================
2003-10-09 Discovered this vulnerability.
2003-11-26 Reported to vendor.
2003-12-12 Released this advisory.
No reply from vendor.
9. DISCLAIMER
===============
A. We cannot guarantee the accuracy of all statements in this information.
B. We do not anticipate issuing updated versions of this information
unless there is some material change in the facts.
C. And we will take no responsibility for any kinds of disadvantages by
using this information.
D. You can quote this advisory without our permission if you keep the following;
a. Do not distort this advisory's content.
b. A quoted place should be a medium on the Internet.
E. If you have any questions, please contact to us.
10. CONTACT, ETC
==================
:: Operash :: http://opera.rainyblue.org/
imagine (Operash Webmaster)
nesumin <nesumin[at]softhome[dot]net>
Thanks to :
anima
melorin
piso
