
UNIRAS Brief - 579/03 - @stake Security Advisory



 
-----BEGIN PGP SIGNED MESSAGE-----

----------------------------------------------------------------------------------
   UNIRAS (UK Govt CERT) Briefing Notice - 579/03 dated 21.10.03  Time: 09:55
 UNIRAS is part of NISCC (National Infrastructure Security Co-ordination Centre)
----------------------------------------------------------------------------------
  UNIRAS material is also available from its website at www.uniras.gov.uk and
         Information about NISCC is available from www.niscc.gov.uk
----------------------------------------------------------------------------------

Title
=====

Opera HREF escaped server name overflow


Detail
====== 

The Opera browser exhibits a failure when rendering HTML. Certain
HREFs cause a buffer allocated on the heap to overflow. Arbitrary
bytes in the heap may be overwritten. This can result in the
compromise of systems running Opera. Opera's mail system seems to be
vulnerable also and recovery from reading an email is somewhat
difficult.


              ESB-2003.0734 -- @stake, Inc Security Advisory
                  Opera HREF escaped server name overflow
                              21 October 2003


Product:                Opera browser (versions prior to 7.21)
Publisher:              @stake, Inc.
Impact:                 Execute Arbitrary Code/Commands
Access Required:        Remote
CVE Names:              CAN-2003-0870


                                @stake, Inc.
                              www.atstake.com

                             Security Advisory

Advisory Name: Opera HREF escaped server name overflow
 Release Date: 10/20/2003
  Application: Opera 7.11, 7.20
     Platform: Windows XP/2000 and GNU/Linux 2.4 tested, others
               may be vulnerable
     Severity: Remote code execution
      Authors: Jesse Burns <jesse@xxxxxxxxxxx>
Vendor Status: Fixed in version 7.21
CVE Candidate: CAN-2003-0870
    Reference: www.atstake.com/research/advisories/2003/a102003-1.txt


Overview:

The Opera browser exhibits a failure when rendering HTML. Certain
HREFs cause a buffer allocated on the heap to overflow. Arbitrary
bytes in the heap may be overwritten. This can result in the
compromise of systems running Opera. Opera's mail system seems to be
vulnerable also and recovery from reading an email is somewhat
difficult.

An attacker can send an email containing HTML to a user running the
Opera mail client and cause this overflow to occur when the HTML is
rendered. An owner of a web site can craft a malicious web page
containing the problematic HTML to cause an overflow on Opera
clients visiting the site.


Details:

Rendering HREFs with certain illegally escaped server names in the
URL will cause Opera to crash due to a buffer management problem.
Sometimes the crash is observed immediately, sometimes when the
browser is closed, presumably as the resources are being freed.

The escaped URLs are of the form:

<a href="file://server%%[many % characters]%%text" ></a>


Timeline:

09/29/2003 Opera contacted with details of issue
09/30/2003 Vendor responds that they have reproduced problem
10/15/2003 Vendor releases new version of program that includes a
           fix
10/20/2003 Advisory released


Vendor Response:

Opera has released a new version of the software, which is available
here:

http://www.opera.com/download/

The change log (http://www.opera.com/windows/changelogs/721/) notes
this fix as:

"Fixed a crash caused by illegally escaped server name"

There is no specific bulletin or warning to users that this release
contains security fixes.


Recommendation:

Upgrade to the 7.21 version of Opera browser for your platform.

Filter email to remove HTML. Run your web browser and mail client
as a low privileged user.
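As an added defensive check, not part of the @stake advisory or the UNIRAS briefing, the following Python flags hrefs of the shape described under Details so that an HTML-filtering mail gateway or proxy can drop or quarantine them: any '%' in the host part of a URL that is not followed by two hex digits is an illegal escape. The HrefCollector class, the malformed_host_escapes function and the sample HTML are constructed for this illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# RFC 3986 pct-encoded is '%' HEXDIG HEXDIG; a '%' followed by anything else
# is an illegal escape. The advisory's trigger is a run of these in the
# server-name (host) part of a file:// URL.
BAD_ESCAPE = re.compile(r"%(?![0-9A-Fa-f]{2})")

class HrefCollector(HTMLParser):
    """Collect every href attribute value from <a> and <area> tags."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag in ("a", "area"):
            for name, value in attrs:
                if name == "href" and value is not None:
                    self.hrefs.append(value)

def malformed_host_escapes(html):
    """Return [(href, count)] for hrefs whose host part has illegal escapes."""
    collector = HrefCollector()
    collector.feed(html)
    findings = []
    for href in collector.hrefs:
        try:
            host = urlsplit(href).netloc
        except ValueError:
            findings.append((href, -1))  # unparseable URL: flag, don't skip
            continue
        if not host:
            continue  # relative link: no authority component to check
        bad = len(BAD_ESCAPE.findall(host))
        if bad:
            findings.append((href, bad))
    return findings

# Constructed sample (not from the advisory): valid escapes in path and host,
# a relative link, and one href shaped like the advisory's trigger.
SAMPLE_HTML = """
<a href="http://example.com/a%20b">path escape, fine</a>
<a href="http://ex%41mple.com/">host escape, fine</a>
<a href="page.html">relative</a>
<a href="file://server%%%%%%text"></a>
"""

if __name__ == "__main__":
    print(malformed_host_escapes(SAMPLE_HTML))
```

Only the file:// link is reported; a single bare '%' in a host is already a parse error under RFC 3986, so the count is informational and a gateway can treat any finding as a reason to strip the link.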


Common Vulnerabilities and Exposures (CVE) Information:

The Common Vulnerabilities and Exposures (CVE) project has assigned
the following names to these issues.  These are candidates for
inclusion in the CVE list (http://cve.mitre.org), which standardizes
names for security problems.

   CAN-2003-0870 Opera HREF escaped server name overflow


@stake Vulnerability Reporting Policy:
http://www.atstake.com/research/policy/

@stake Advisory Archive:
http://www.atstake.com/research/advisories/

PGP Key:
http://www.atstake.com/research/pgp_key.asc

@stake is currently seeking application security experts to fill
several consulting positions.  Applicants should have strong
application development skills and be able to perform application
security design reviews, code reviews, and application penetration
testing.  Please send resumes to jobs@xxxxxxxxxxxx

Copyright 2003 @stake, Inc. All rights reserved.




For additional information or assistance, please contact the HELP Desk by 
telephone or Not Protectively Marked information may be sent via EMail to:
uniras@xxxxxxxxxxxx

Office Hours:
Mon - Fri: 08:30 - 17:00 Hrs
Tel: +44 (0) 20 7821 1330 Ext 4511
Fax: +44 (0) 20 7821 1686

Outside of Office Hours:
On Call Duty Officer:
Tel: +44 (0) 20 7821 1330 and follow the prompts

----------------------------------------------------------------------------------
UNIRAS wishes to acknowledge the contributions of atstake for the information
contained in this Briefing.
----------------------------------------------------------------------------------
This Briefing contains the information released by the original author. Some 
of the information may have changed since it was released. If the vulnerability 
affects you, it may be prudent to retrieve the advisory from the canonical site 
to ensure that you receive the most current information concerning that problem.

Reference to any specific commercial product, process, or service by trade 
name, trademark manufacturer, or otherwise, does not constitute or imply 
its endorsement, recommendation, or favouring by UNIRAS or NISCC.  The views 
and opinions of authors expressed within this notice shall not be used for 
advertising or product endorsement purposes.

Neither UNIRAS nor NISCC shall accept responsibility for any errors
or omissions contained within this briefing notice. In particular, they shall
not be liable for any loss or damage whatsoever, arising from or in connection
with the usage of information contained within this notice.

UNIRAS is a member of the Forum of Incident Response and Security Teams (FIRST) 
and has contacts with other international Incident Response Teams (IRTs) in 
order to foster cooperation and coordination in incident prevention, to prompt 
rapid reaction to incidents, and to promote information sharing amongst its 
members and the community at large. 
----------------------------------------------------------------------------------
<End of UNIRAS Briefing>