ðòïåëôù 


  áòèé÷ 


Apache-Talk @lexa.ru 

Inet-Admins @info.east.ru 

Filmscanners @halftone.co.uk 

Security-alerts @yandex-team.ru 

nginx-ru @sysoev.ru 

  óôáôøé 


  ðåòóïîáìøîïå 


  ðòïçòáííù 



ðéûéôå
ðéóøíá














     áòèé÷ :: Security-alerts
Security-Alerts mailing list archive (security-alerts@yandex-team.ru)

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[security-alerts] FW: iDefense Security Advisory 10.17.06: Opera Software Opera Web BrowserURL Parsing Heap Overflow Vulnerability



> -----Original Message-----
> From: 
> idlabs-advisories-bounces+vladimir.kazennov=billing.ru@idefens
> e.com 
> [mailto:idlabs-advisories-bounces+vladimir.kazennov=billing.ru
> @idefense.com] On Behalf Of iDefense Labs Security Advisories
> Sent: Wednesday, October 18, 2006 12:08 AM
> To: idlabs-advisories@xxxxxxxxxxxx; vulnwatch@xxxxxxxxxxxxx; 
> full-disclosure@xxxxxxxxxxxxxxxxx; bugtraq@xxxxxxxxxxxxxxxxx
> Subject: iDefense Security Advisory 10.17.06: Opera Software 
> Opera Web BrowserURL Parsing Heap Overflow Vulnerability
> 
> Opera Software Opera Web Browser URL Parsing Heap Overflow 
> Vulnerability
> 
> iDefense Security Advisory 10.17.06
> http://www.idefense.com/intelligence/vulnerabilities/
> Oct 17, 2006
> 
> I. BACKGROUND
> 
> Opera is a cross-platform web browser. More information is available
> from http://www.opera.com/
> 
> II. DESCRIPTION
> 
> Remote exploitation of a heap overflow vulnerability within 
> version 9 of
> Opera Software's Opera Web browser could allow an attacker to execute
> arbitrary code on the affected host.
> 
> A flaw exists within Opera when parsing a tag that contains a URL. A
> heap buffer with a constant size of 256 bytes is allocated to 
> store the
> URL, and the tag's URL is copied into this buffer without sufficient
> bounds checking of its length. The vulnerable code would look 
> something
> like this in C/C++:
> 
> char *local_url = malloc(256);
> 
> strcpy(local_url, tag_url);
> 
> This URL can be inserted into any tag, such as an iframe.  
> The range of
> characters that can be used to overflow the buffer is limited.
> 
> III. ANALYSIS
> 
> Successful remote exploitation allows an attacker to execute arbitrary
> code with the privileges of the logged in user.  A failed exploitation
> attempt may result in the browser crashing.  The attacker would first
> need to construct a website containing the malicious tag and trick the
> vulnerable user into visiting the site. This would trigger the
> vulnerability and allow the code to execute with the privileges of the
> local user.
> 
> The range of characters available does not make this vulnerability
> significantly more difficult to exploit.  Through the use of 
> JavaScript
> or large compressed image files the attacker can have nearly complete
> control of the heap.
> 
> IV. DETECTION
> 
> iDefense Labs has confirmed Opera versions 9.0 and 9.01 on 
> both Windows
> and Linux are vulnerable. Version 8 is not vulnerable.
> 
> V. WORKAROUND
> 
> iDefense is currently unaware of any effective workarounds for this
> vulnerability.
> 
> VI. VENDOR RESPONSE
> 
> Opera has addressed this vulnerability with version 9.02 of the Opera
> Web Browser.  More information can be found in Opera's advisory at
> http://www.opera.com/support/search/supsearch.dml?index=848.
> 
> VII. CVE INFORMATION
> 
> The Common Vulnerabilities and Exposures (CVE) project has 
> assigned the
> name CVE-2006-4819 to this issue. This is a candidate for inclusion in
> the CVE list (http://cve.mitre.org), which standardizes names for
> security problems.
> 
> VIII. DISCLOSURE TIMELINE
> 
> 09/15/2006  Initial vendor notification
> 09/29/2006  Initial vendor response
> 10/17/2006  Coordinated public disclosure
> 
> IX. CREDIT
> 
> The discoverer of this vulnerability wishes to remain anonymous.
> 
> Get paid for vulnerability research
> http://www.idefense.com/methodology/vulnerability/vcp.php
> 
> Free tools, research and upcoming events
> http://labs.idefense.com/
> 
> X. LEGAL NOTICES
> 
> Copyright (c) 2006 iDefense, Inc.
> 
> Permission is granted for the redistribution of this alert
> electronically. It may not be edited in any way without the express
> written consent of iDefense. If you wish to reprint the whole or any
> part of this alert in any other medium other than 
> electronically, please
> email customerservice@xxxxxxxxxxxx for permission.
> 
> Disclaimer: The information in the advisory is believed to be accurate
> at the time of publishing based on currently available 
> information. Use
> of the information constitutes acceptance for use in an AS IS 
> condition.
> There are no warranties with regard to this information. Neither the
> author nor the publisher accepts any liability for any 
> direct, indirect,
> or consequential loss or damage arising from use of, or reliance on,
> this information.
> 
> 
> 
> _______________________________________________
> To unsubscribe, go here:
> http://www.idefense.com/mailman/listinfo/idlabs-advisories
> 



 




Copyright © Lexa Software, 1996-2009.