GreyMagic Security Advisory GM#003-OP
=====================================

By GreyMagic Software, Israel.
04 Feb 2003.

Available in HTML format at http://security.greymagic.com/adv/gm003-op/.

Topic: Phantom of the Opera.

Discovery date: 29 Jan 2003.

Affected applications:
======================

Opera 7 (final).


Introduction:
=============

Opera recently released a new version of its browser. 

Version 7 brings many long-awaited features such as proper DOM support and
an improved rendering engine. Among the useful new features Opera added a
shiny new Javascript console. The console is mainly used by developers in
order to efficiently track down exceptions in running scripts.


Discussion: 
===========

Opera's Javascript console is using three html files residing in Opera's
installation directory. The most important of them is "console.html", which
contains all the logic behind the console. 

The console lists unhandled exceptions that are thrown during the life of a
session. Javascript can throw custom exceptions using the "throw" statement
and Opera also adds its own way to create debug messages with the
"opera.postError" method. 

In order to display clickable URLs properly, Opera does some formatting on
the thrown exception message to turn them into links: 

newmsg = msg.replace( /</g, "&lt;" ).
       replace( />/g, "&gt;" ).
       replace( /https?:\/\/\S+/g, create_link ).
       replace( /file:\/\/(?:\S|(?:[ ](?=[^\n\r]*\.)))+/g, create_link );

The first two lines supposedly handle the safety of this string, so it
wouldn't contain HTML. The last two lines are meant to transform strings
that appear like URLs into actual links. Unfortunately, each of these last
two lines contains an obvious way for an attacker to inject his own
attributes to the link. By doing so, the attacker can gain access to the
file:// protocol, which, among others, have the following implications: 

* Read any file on the user's file system. 
* Read the contents of directories on the user's file system. 
* Read emails written or received by M2, Opera's mail program. 

The first vulnerable regular expression is /https?:\/\/\S+/g, it's trying to
match anything starting with "http://"; or "https://"; and keeps consuming
characters as long as they aren't whitespace. This regular expression does
not check for the existence of quotes, which are the delimiters of the
"href" attribute in the resulting link, and therefore opens up a way to add
additional attributes (spaces between attributes are not mandatory). 

The second vulnerable regular expression is /file:\/\/(?:\S|(?:[
](?=[^\n\r]*\.)))+/g, it's trying to match anything starting with "file://"
followed by a non-whitespace character or a regular space, as long as a dot
appears and no line breaks appear after it. The same mistake is made again;
quotes can be used to add additional attributes to the link. 

Being able to add arbitrary attributes to a link may seem innocent, but with
a little manipulation it leads to the execution of arbitrary script code.
The "style" attribute in most elements, for example, may contain properties
such as "background-image", which normally point to a URL. That URL can be
"javascript:[code]", which will be executed in the context of the console
(file:// protocol). 


Exploit: 
========

A simple exploit of the first regular expression: 

open("file://localhost/console.html","","");
opera.postError("http://\"style=\"background-image:url('javascript:alert(loc
ation.href)')\"");


A simple exploit of the second regular expression: 

open("file://localhost/console.html","","");
opera.postError("file://\"
style=\"background-image:url('javascript:alert(location.href)')\".");



Demonstration:
==============

We put together two proof-of-concept demonstrations: 

* Simple: Demonstrates how the poisonous debug message is being inserted. 
* GreyMagic Opera Disk Explorer: Browse your entire file system using this
explorer-like tool, which takes advantage of this vulnerability in order to
access local resources. 

They can both be found at http://security.greymagic.com/adv/gm003-op/.


Solution: 
=========

Fortunately, this vulnerability can be solved manually: 

* Edit the file "console.html", which resides in Opera's installation
directory.

* Line 52 should read: m.replace( /\\/g, "\\\\" ) + 

* Replace it with: m.replace( /\\/g, "\\\\" ).replace(/"/g,"&quot;") + 


Tested on: 
==========

Opera 7 NT4.
Opera 7 Win98.
Opera 7 Win2000.
Opera 7 WinXP.


Disclaimer: 
===========

The information in this advisory and any of its demonstrations is provided
"as is" without warranty of any kind. 

GreyMagic Software is not liable for any direct or indirect damages caused
as a result of using the information or demonstrations provided in any part
of this advisory. 


Feedback: 
=========

Please mail any questions or comments to [EMAIL PROTECTED] 

- Copyright © 2003 GreyMagic Software.

Reply via email to