From advisories@atstake.com Mon Oct 20 19:45:59 2003 From: "@stake Advisories" To: vulnwatch@vulnwatch.org Date: Mon, 20 Oct 2003 10:39:18 -0400 Subject: [VulnWatch] Opera HREF escaped server name overflow -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 @stake, Inc. www.atstake.com Security Advisory Advisory Name: Opera HREF escaped server name overflow Release Date: 10/20/2003 Application: Opera 7.11, 7.20 Platform: Windows XP/2000 and GNU/Linux 2.4 tested, others may be vulnerable Severity: Remote code execution Authors: Jesse Burns Vendor Status: Fixed in version 7.21 CVE Candidate: CAN-2003-0870 Reference: www.atstake.com/research/advisories/2003/a102003-1.txt Overview: The Opera browser exhibits a failure when rendering HTML. Certain HREFs cause a buffer allocated on the heap to overflow. Arbitrary bytes in the heap may be overwritten. This can result in the compromise of systems running Opera. Opera's mail system seems to be vulnerable also and recovery from reading an email is somewhat difficult. An attacker can send an email containing HTML to a user running the Opera mail client and cause this overflow to occur when the HTML is rendered. An owner of a web site can craft a malicious web page containing the problematic HTML to cause an overflow on Opera clients visiting the site. Details: Rendering HREFs with certain illegally escaped server names in the URL will cause Opera to crash due to a buffer management problem. Sometimes the crash is observed immediately, sometimes when the browser is closed, presumably as the resources are being freed. The escaped URLs are of the form: Timeline: 09/29/2003 Opera contacted with details of issue 09/30/2003 Vendor responds that they have reproduced problem 10/15/2003 Vendor releases new version of program that includes a fix 10/20/2003 Advisory released Vendor Response: Opera has release a new version of the software that is available here: http://www.opera.com/download/ The change log (http://www.opera.com/windows/changelogs/721/) notes this fix as: "Fixed a crash caused by illegally escaped server name" There is no specific bulletin or warning to users that this release contains security fixes. Recommendation: Upgrade to the 7.21 version of Opera browser for your platform. Filter email to remove HTML. Run your web browser and mail client as a low privileged user. Common Vulnerabilities and Exposures (CVE) Information: The Common Vulnerabilities and Exposures (CVE) project has assigned the following names to these issues. These are candidates for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems. CAN-2003-0870 Opera HREF escaped server name overflow @stake Vulnerability Reporting Policy: http://www.atstake.com/research/policy/ @stake Advisory Archive: http://www.atstake.com/research/advisories/ PGP Key: http://www.atstake.com/research/pgp_key.asc @stake is currently seeking application security experts to fill several consulting positions. Applicants should have strong application development skills and be able to perform application security design reviews, code reviews, and application penetration testing. Please send resumes to jobs@atstake.com. Copyright 2003 @stake, Inc. All rights reserved. -----BEGIN PGP SIGNATURE----- Version: PGP 8.0 iQA/AwUBP5PzZEe9kNIfAm4yEQI3gwCeNHVNXgfT7XdI8Fz9UZwA2XcD3OgAoKfJ yOy6K8ETvYS8dsdVz5bFWRoN =nA1+ -----END PGP SIGNATURE-----