GreyMagic Security Advisory GM#008-OP
=====================================

By GreyMagic Software, 05 Aug 2004.

Available in HTML format at http://www.greymagic.com/security/advisories/gm008-op/.

Topic: Location, Location, Location.

Discovery date: 19 Jul 2004.

Affected applications:
======================

Opera 7.53 and prior on Windows, Linux and Mac.

Introduction:
=============

On 04-Feb-2003 GreyMagic released an advisory [1] concerning Opera's security model in v7.0. The advisory described several flaws in Opera's model, one of which allowed an attacker to overwrite native and custom functions in a victim window. When the victim web-page executed such a function, the attacker's code executed with the victim's privileges.

Opera tried to prevent such scenarios in Opera 7.01 by blocking write-access to objects on the victim window.

[1] http://www.greymagic.com/security/advisories/gm002-op/

Discussion:
===========

Unfortunately, Opera failed to block write-access to the often-used "location" object. By overwriting methods in this object, an attacker can gain immediate script access to any web-page that uses one of these methods. This includes both web-pages in foreign domains and the victim's local file system.

The impacts of this vulnerability include:

* Read-access to files on the victim's file system
* Read-access to lists of files and folders on the victim's file system
* Read-access to emails written or received by M2, Opera's mail program
* Cookie theft
* URL spoofing (phishing)
* Tracking of the user's browsing history
* Much more...

Several methods are candidates for such attacks: assign(), replace(), valueOf() and toString(). The first two would be triggered only when the victim explicitly calls them. The latter two would be called in many implicit cases, including:

* str+=location;
* decodeURI(location);
* location*7;
* location+"";

And many others...
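To make the "implicit cases" concrete for developers reviewing their own pages, the following is an added illustration (not part of the advisory) that instruments a constructed stand-in object for location and records which of valueOf()/toString() each expression from the list above reaches. It assumes standard ECMAScript ToPrimitive ordering (the hint decides which hook is tried first), not the specifics of Opera 7's engine.

```javascript
// Added example: a constructed stand-in for window.location whose
// toString()/valueOf() hooks record when they are invoked. This is NOT a
// real Location object and does not touch any browser API.
function makeInstrumentedLocation(href) {
  const calls = [];
  const loc = {
    href,
    toString() { calls.push("toString"); return href; },
    valueOf()  { calls.push("valueOf");  return href; },
  };
  return { loc, calls };
}

// Runs each expression shape from the advisory's list (plus two extra
// cases) against a fresh instrumented object and returns, per expression,
// the list of hooks that fired. An empty list means the expression never
// coerced the object, so an overwritten method would not be reached there.
function implicitCoercionCalls(href) {
  const cases = {
    "str += loc":     (loc) => { let s = ""; s += loc; return s; }, // default hint
    "decodeURI(loc)": (loc) => decodeURI(loc),                      // string hint
    "loc * 7":        (loc) => loc * 7,                             // number hint
    'loc + ""':       (loc) => loc + "",                            // default hint
    "String(loc)":    (loc) => String(loc),                         // string hint
    "loc.href":       (loc) => loc.href,                            // plain property read
  };
  const results = {};
  for (const [name, fn] of Object.entries(cases)) {
    const { loc, calls } = makeInstrumentedLocation(href);
    fn(loc);
    results[name] = calls.slice();
  }
  return results;
}

// Counts how many of the tested expressions reach at least one hook.
function countCoercingExpressions(href) {
  return Object.values(implicitCoercionCalls(href))
    .filter((calls) => calls.length > 0).length;
}
```

Every arithmetic or string-concatenation use of the object reaches one of the two hooks, while a direct property read such as loc.href reaches neither, which is why the advisory treats valueOf() and toString() as the broad attack surface.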
In order to gain access to the "file://" protocol, and hence to the entire file system, an attacker needs to know of an HTML file in the victim's file system that actually calls a method of the location object. Such a file was included in virtually all Windows operating systems; it is named "CiAdmin.htm" and can be found in a very predictable path - %SystemRoot%/Help/.

Exploit:
========

To exploit this vulnerability an attacker can use a simple <iframe>, pointing to the victim web-page, and inject the malicious code into its window. Here's an oversimplified example: