Opera "Content-Length" Processing Buffer Overflow Vulnerability

Opera 10.5, and possibly earlier versions, have a vulnerability in them that Secuina classifies as 'highly critical'.

This vulnerability was brought up by lightning slinger in the Opera 10.5 thread.

 

Opera 'exploit' only a crash bug

According to one of the developers it seems this is not an exploit - -
Quoting haavard from above thread link:-

 

The attitudes surrounding this particular buffer overrun are rather deplorable. It's turned into a shouting match over on the Opera forums.

I'm rather appalled that the Opera Devs themselves would say that no threat exists from a Buffer Overrun error. Am I misinterpreting this threat, or isn't this the same kind of attack that has proven time and time again that remote code execution is possible, and destroyed the credibility of IE? I'd be curious as to what Rmus would say on this matter!

A Proof of Concept PHP was linked on the Opera Forums - ESET detected it as an intrusion, even with javascript disabled, so I'd imagine that there's some kind of remote code execution going on there.

 

I haven't followed that, but certainly the sounding off among Fan Boys is the last place to find reliable information. It's like following a soap opera!

Did haavard actually say no threat exists from a Buffer Overrun error? According to the quote above by Ocky, he's referring to this specific one, not in general. No one would make such a blanket assertion.

Anyway, since you are asking for my opinion, I never bother about these things until an exploit surfaces in the wild against an unpatched product.

On the other hand, anyone worried about the potential for exploit in the wild can certainly consider using a different browser until the issue is sorted out.

Kareldjag used to post here quite a bit - he's tested many things, and I've always followed his dictum,

So, I'm never surprised when vulnerabilities (and there have been many) surface in a product such as Opera. Whether or not its "credibility" will be damaged as with IE remains to be seen.

In the early days of Firefox, the Fan Boys would run you out of town, so to speak, if you dared suggest that FF could be exploited. When vulnerabilities started to appear, their tone moderated a bit, to "Well, it will be patched soon." Now, no one even whimpers, since vulnerabilities are more common:

Known Vulnerabilities in Mozilla Products
http://www.mozilla.org/security/known-vulnerabilities/

37 advisories for FF 3.5

Search the Opera Knowledge Base for advisories.
http://www.opera.com/support/kb/

There are at least 6 referencing previous 'Overflow' vulnerabilities.

Search http://www.linuxsecurity.com/ advisories for 'buffer overflow'

Interesting comment in the Linux White Paper on 'buffer overflow':

Introduction: Buffer Overflow Vulnerabilities
http://www.linuxsecurity.com/content/view/118881/171/

Which, of course, would negate the statement by kareldjag.

----
rich

 

I suppose I'm more disturbed at the forum response than the official Opera response, which I think you're quite right in saying is nothing more than fanboy ire! But that doesn't discount the fact that I believe this buffer overrun has been used to execute remote code. Someone over on the official Opera forums linked to what they called a PoC of the buffer overrun, and a few people replied saying that their A/V scanners picked it up as a live trojan. I don't know if a crashing browser counts as a trojan, so I'd assume some other code was being executed to cause this to occur.

Anyhow, sorry to invoke your opinion in an inappropriate manner! I should have realized that before I did so. Thanks for pointing out the advice of Kareldjag, which rings particularly true in this case!

Update: It seems that Opera contacted Secuina, and after some confusion, it has been confirmed that remote code execution is possible - though the language used in their blog update about this makes it sound as if remote code execution isn't always possible. Nevertheless:

 

Good to hear.

 

In Windows world, its silly to run without full DEP, most programs now run fine with exceptions of few so one can always look for alternatives. DEP+LUA+good AV and this so called exploit is null.

 

Is it patched now? Nearly every browser has it's security problems these days ...

 

It's fixed in Opera 10.51 currently in RC due for release any day now.

 

Thank you