Opera "Content-Length" Processing Buffer Overflow Vulnerability

Discussion in 'other security issues & news' started by Carbonyl, Mar 4, 2010.

Thread Status:
Not open for further replies.
  1. Carbonyl

    Carbonyl Registered Member

    Joined:
    May 19, 2009
    Posts:
    256
    Opera 10.5, and possibly earlier versions, have a vulnerability in them that Secunia classifies as 'highly critical'.

    This vulnerability was brought up by lightning slinger in the Opera 10.5 thread.
     
  2. Ocky

    Ocky Registered Member

    Joined:
    May 6, 2006
    Posts:
    2,677
    Location:
    George, S.Africa
    Opera 'exploit' only a crash bug

    According to one of the developers, it seems this is not an exploit.
    Quoting haavard from the thread linked above:

     
  3. Carbonyl

    Carbonyl Registered Member

    Joined:
    May 19, 2009
    Posts:
    256
    The attitudes surrounding this particular buffer overrun are rather deplorable. It's turned into a shouting match over on the Opera forums.

    I'm rather appalled that the Opera Devs themselves would say that no threat exists from a Buffer Overrun error. Am I misinterpreting this threat, or isn't this the same kind of attack that has proven time and time again that remote code execution is possible, and destroyed the credibility of IE? I'd be curious as to what Rmus would say on this matter!

    A Proof of Concept PHP was linked on the Opera Forums - ESET detected it as an intrusion, even with javascript disabled, so I'd imagine that there's some kind of remote code execution going on there.
     
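The thread never spells out how a "Content-Length" parsing overrun comes about, only whether it matters. The mechanism is the same one behind most header-parsing overflows: a value taken from the network is copied into a fixed-size buffer before its length is checked. The following C parser is an added example for this thread, not Opera's code and not the PoC discussed above; it shows the defensive shape a header parser should have. The digit limit `CL_MAX_DIGITS`, the status enum and the helper names are assumptions made for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>   /* strncasecmp (POSIX) */
#include <ctype.h>
#include <errno.h>

/* Assumption for this example: the longest Content-Length value we will ever
   accept. 20 digits is enough for any uint64 value (ULLONG_MAX has 20 digits). */
#define CL_MAX_DIGITS 20

typedef enum {
    CL_OK = 0,     /* parsed, *out set */
    CL_MISSING,    /* line is not a Content-Length header */
    CL_TOO_LONG,   /* more digits than the fixed buffer can hold */
    CL_BAD_CHAR,   /* non-digit where a digit was expected */
    CL_OVERFLOW    /* digits fit the buffer but not the integer type */
} cl_status;

/* Parse one raw header line such as "Content-Length: 1234\r\n".
   The value is copied into a fixed stack buffer ONLY after its length has been
   checked against the buffer size, so an over-long header can never overrun it.
   Any rejection leaves *out untouched. */
cl_status parse_content_length(const char *line, unsigned long long *out)
{
    static const char prefix[] = "Content-Length:";
    const size_t plen = sizeof(prefix) - 1;

    if (strncasecmp(line, prefix, plen) != 0)
        return CL_MISSING;

    /* Skip optional whitespace after the colon. */
    const char *p = line + plen;
    while (*p == ' ' || *p == '\t')
        p++;

    /* Measure the digit run without copying anything yet. */
    const char *end = p;
    while (isdigit((unsigned char)*end))
        end++;
    size_t ndigits = (size_t)(end - p);
    if (ndigits == 0)
        return CL_BAD_CHAR;            /* empty or non-numeric value */

    /* Bounds check BEFORE the copy: this is the line an overflowing parser lacks. */
    char buf[CL_MAX_DIGITS + 1];
    if (ndigits > CL_MAX_DIGITS)
        return CL_TOO_LONG;
    memcpy(buf, p, ndigits);
    buf[ndigits] = '\0';

    /* Only trailing whitespace / line terminators may follow the digits. */
    const char *tail = end;
    while (*tail == ' ' || *tail == '\t' || *tail == '\r' || *tail == '\n')
        tail++;
    if (*tail != '\0')
        return CL_BAD_CHAR;

    /* Numeric range check: 20 digits can still exceed unsigned long long. */
    errno = 0;
    char *stop = NULL;
    unsigned long long v = strtoull(buf, &stop, 10);
    if (errno == ERANGE || stop != buf + ndigits)
        return CL_OVERFLOW;

    *out = v;
    return CL_OK;
}

/* Helper for the demo: build a constructed header whose value is `ndigits`
   nines long and run it through the parser. Lets us show the rejection path
   for a value far larger than the fixed buffer without hand-typing it. */
cl_status parse_synthetic(size_t ndigits)
{
    static const char head[] = "Content-Length: ";
    char *line = malloc(sizeof(head) - 1 + ndigits + 3);
    if (!line)
        return CL_OVERFLOW;
    memcpy(line, head, sizeof(head) - 1);
    memset(line + sizeof(head) - 1, '9', ndigits);
    memcpy(line + sizeof(head) - 1 + ndigits, "\r\n", 3);
    unsigned long long v = 0;
    cl_status s = parse_content_length(line, &v);
    free(line);
    return s;
}

int main(void)
{
    /* Constructed sample lines, not captured traffic. */
    const char *samples[] = {
        "Content-Length: 1234\r\n",
        "content-length:42",
        "Content-Length: 12a4\r\n",
        "Content-Length: 18446744073709551616\r\n",
        "Content-Length: 184467440737095516150\r\n",
    };
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        unsigned long long v = 0;
        cl_status s = parse_content_length(samples[i], &v);
        printf("status=%d value=%llu for %s", (int)s, v, samples[i]);
    }
    printf("5000-digit value -> status=%d (expect CL_TOO_LONG=%d)\n",
           (int)parse_synthetic(5000), (int)CL_TOO_LONG);
    return 0;
}
```

The point of the ordering is that the length check happens before `memcpy`, and the parser never trusts the terminator it finds in the input; a parser that copies first and measures afterwards is exactly the shape that lets a crafted header corrupt the stack, which is why the "just a crash" and "remote code execution" readings in this thread are not as far apart as the forum argument suggests.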
  4. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    I haven't followed that, but certainly the sounding off among Fan Boys is the last place to find reliable information. It's like following a soap opera!

    Did haavard actually say no threat exists from a Buffer Overrun error? According to the quote above by Ocky, he's referring to this specific one, not in general. No one would make such a blanket assertion.

    Anyway, since you are asking for my opinion, I never bother about these things until an exploit surfaces in the wild against an unpatched product.

    On the other hand, anyone worried about the potential for exploit in the wild can certainly consider using a different browser until the issue is sorted out.

    Kareldjag used to post here quite a bit - he's tested many things, and I've always followed his dictum,

    So, I'm never surprised when vulnerabilities (and there have been many) surface in a product such as Opera. Whether or not its "credibility" will be damaged as with IE remains to be seen.

    In the early days of Firefox, the Fan Boys would run you out of town, so to speak, if you dared suggest that FF could be exploited. When vulnerabilities started to appear, their tone moderated a bit, to "Well, it will be patched soon." Now, no one even whimpers, since vulnerabilities are more common:

    Known Vulnerabilities in Mozilla Products
    http://www.mozilla.org/security/known-vulnerabilities/

    37 advisories for FF 3.5

    Search the Opera Knowledge Base for advisories.
    http://www.opera.com/support/kb/

    There are at least 6 referencing previous 'Overflow' vulnerabilities.

    Search http://www.linuxsecurity.com/ advisories for 'buffer overflow'

    Interesting comment in the Linux White Paper on 'buffer overflow':

    Introduction: Buffer Overflow Vulnerabilities
    http://www.linuxsecurity.com/content/view/118881/171/
    Which, of course, would negate the statement by kareldjag.

    ----
    rich
     
    Last edited: Mar 7, 2010
  5. Carbonyl

    Carbonyl Registered Member

    Joined:
    May 19, 2009
    Posts:
    256
    I suppose I'm more disturbed at the forum response than the official Opera response, which I think you're quite right in saying is nothing more than fanboy ire! But that doesn't discount the fact that I believe this buffer overrun has been used to execute remote code. Someone over on the official Opera forums linked to what they called a PoC of the buffer overrun, and a few people replied saying that their A/V scanners picked it up as a live trojan. I don't know if a crashing browser counts as a trojan, so I'd assume some other code was being executed to cause this to occur.

    Anyhow, sorry to invoke your opinion in an inappropriate manner! I should have realized that before I did so. Thanks for pointing out the advice of Kareldjag, which rings particularly true in this case!

    Update: It seems that Opera contacted Secunia, and after some confusion, it has been confirmed that remote code execution is possible - though the language used in their blog update about this makes it sound as if remote code execution isn't always possible. Nevertheless:

     
    Last edited: Mar 8, 2010
  6. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,854
    Good to hear.
     
  7. linuxforall

    linuxforall Registered Member

    Joined:
    Feb 6, 2010
    Posts:
    2,136
    In the Windows world, it's silly to run without full DEP; most programs now run fine with the exception of a few, so one can always look for alternatives. DEP + LUA + a good AV and this so-called exploit is null.
     
  8. progress

    progress Guest

    Is it patched now? :doubt: Nearly every browser has its security problems these days ... :rolleyes:
     
  9. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,854
    It's fixed in Opera 10.51 currently in RC due for release any day now.
     
  10. progress

    progress Guest

    Thank you :)
     