From security@greymagic.com Wed Feb 5 17:03:00 2003 From: GreyMagic Software To: "vulnwatch@vulnwatch.org" Date: Tue, 04 Feb 2003 11:08:48 "GMT" Subject: [VulnWatch] Phantom of the Opera (GM#003-OP) GreyMagic Security Advisory GM#003-OP ===================================== By GreyMagic Software, Israel. 04 Feb 2003. Available in HTML format at http://security.greymagic.com/adv/gm003-op/. Topic: Phantom of the Opera. Discovery date: 29 Jan 2003. Affected applications: ====================== Opera 7 (final). Introduction: ============= Opera recently released a new version of its browser. Version 7 brings many long-awaited features such as proper DOM support and an improved rendering engine. Among the useful new features Opera added a shiny new Javascript console. The console is mainly used by developers in order to efficiently track down exceptions in running scripts. Discussion: =========== Opera's Javascript console is using three html files residing in Opera's installation directory. The most important of them is "console.html", which contains all the logic behind the console. The console lists unhandled exceptions that are thrown during the life of a session. Javascript can throw custom exceptions using the "throw" statement and Opera also adds its own way to create debug messages with the "opera.postError" method. In order to display clickable URLs properly, Opera does some formatting on the thrown exception message to turn them into links: newmsg = msg.replace( //g, ">" ).        replace( /https?:\/\/\S+/g, create_link ).        replace( /file:\/\/(?:\S|(?:[ ](?=[^\n\r]*\.)))+/g, create_link ); The first two lines supposedly handle the safety of this string, so it wouldn't contain HTML. The last two lines are meant to transform strings that appear like URLs into actual links. Unfortunately, each of these last two lines contains an obvious way for an attacker to inject his own attributes to the link. By doing so, the attacker can gain access to the file:// protocol, which, among others, have the following implications: * Read any file on the user's file system. * Read the contents of directories on the user's file system. * Read emails written or received by M2, Opera's mail program. The first vulnerable regular expression is /https?:\/\/\S+/g, it's trying to match anything starting with "http://" or "https://" and keeps consuming characters as long as they aren't whitespace. This regular expression does not check for the existence of quotes, which are the delimiters of the "href" attribute in the resulting link, and therefore opens up a way to add additional attributes (spaces between attributes are not mandatory). The second vulnerable regular expression is /file:\/\/(?:\S|(?:[ ](?=[^\n\r]*\.)))+/g, it's trying to match anything starting with "file://" followed by a non-whitespace character or a regular space, as long as a dot appears and no line breaks appear after it. The same mistake is made again; quotes can be used to add additional attributes to the link. Being able to add arbitrary attributes to a link may seem innocent, but with a little manipulation it leads to the execution of arbitrary script code. The "style" attribute in most elements, for example, may contain properties such as "background-image", which normally point to a URL. That URL can be "javascript:[code]", which will be executed in the context of the console (file:// protocol). Exploit: ======== A simple exploit of the first regular expression: open("file://localhost/console.html","",""); opera.postError("http://\"style=\"background-image:url('javascript:alert(loc ation.href)')\""); A simple exploit of the second regular expression: open("file://localhost/console.html","",""); opera.postError("file://\" style=\"background-image:url('javascript:alert(location.href)')\"."); Demonstration: ============== We put together two proof-of-concept demonstrations: * Simple: Demonstrates how the poisonous debug message is being inserted. * GreyMagic Opera Disk Explorer: Browse your entire file system using this explorer-like tool, which takes advantage of this vulnerability in order to access local resources. They can both be found at http://security.greymagic.com/adv/gm003-op/. Solution: ========= Fortunately, this vulnerability can be solved manually: * Edit the file "console.html", which resides in Opera's installation directory. * Line 52 should read: m.replace( /\\/g, "\\\\" ) + * Replace it with: m.replace( /\\/g, "\\\\" ).replace(/"/g,""") + Tested on: ========== Opera 7 NT4. Opera 7 Win98. Opera 7 Win2000. Opera 7 WinXP. Disclaimer: =========== The information in this advisory and any of its demonstrations is provided "as is" without warranty of any kind. GreyMagic Software is not liable for any direct or indirect damages caused as a result of using the information or demonstrations provided in any part of this advisory. Feedback: ========= Please mail any questions or comments to security@greymagic.com. - Copyright © 2003 GreyMagic Software.