My OperaYou need to be logged in to post in the forums. If you do not have an account, please sign up first.
Critical Buffer Overflow Vulnerability in Opera v10.5 (unpatched)
Opera "Content-Length" Processing Buffer Overflow VulnerabilityA vulnerability has been identified in Opera, which could be exploited by remote attackers to compromise a vulnerable system. This issue is caused by a buffer overflow error when processing malformed HTTP "Content-Length:" headers, which could be exploited by remote attackers to crash an affected browser or execute arbitrary code by tricking a user into visiting a web page hosted on a malicious web server.
Criticality level: Highly critical
Solution Status: Unpatched
http://secunia.com/advisories/38820/
As I mentioned in a different thread, this is not confirmed as being exploitable, and at first glance it seems that the reporter jumped to conclusions.
Håvard Kvam Moen @ My Opera / Twitter
6. March 2010, 14:22:01 (edited)
While I expect this to be clarified in a more official manner later, it is my personal understanding that there is no real risk to Opera users at this time (although that doesn't mean that the issue shouldn't be fixed of course).
Håvard Kvam Moen @ My Opera / Twitter
5. March 2010, 13:38:29 (edited)
5. March 2010, 17:41:51 (edited)
Originally posted by haavard:
A small update: This doesn't seem to be exploitable
I wouldn't be so quick to claim that. Secuina is very reputable, and there was already a functioning Proof-Of-Concept attack posted that proved it was exploitable. That link seems to have been censored from the forums, though - Likely because it was actually WORKING and exploitable!
I think this is a real, very large problem that should not be surpressed.
There is not any working exploit in the wild and a proof of concept is just that; A proof that it can theoretically be developed and that is still not a proof that the crash can allow them to execute a useful program.
5. March 2010, 17:42:08 (edited)
Originally posted by TetraNitro:
Originally posted by haavard:
A small update: This doesn't seem to be exploitable
I wouldn't be so quick to claim that. Secuina is very reputable, and there was already a functioning Proof-Of-Concept attack posted that proved it was exploitable. That link seems to have been censored from the forums, though - Likely because it was actually WORKING and exploitable!
I think this is a real, very large problem that should not be surpressed.
Just FYI, I deleted the link to the POC, in my post. Didn't feel it right to keep it there.
If you wish I can IM it to you.
The vuln conserns both 10.00, 10.10 and 10.50.
I feel that Opera is trying 'security by obscurity' in this case.
Originally posted by TetraNitro:
That link seems to have been censored from the forums, though - Likely because it was actually WORKING and exploitable!
I think this is a real, very large problem that should not be surpressed.
What a pathetically dishonest and disgusting attack. Why on earth would Opera want to "suppress" anything?
You need to stop jumping to conclusions, and attacking Opera every time you post. As you can see, your insane conspiracy theory was an EPIC FAIL because no one from Opera removed anything. Truly pathetic.
Originally posted by erikf:
Just FYI, I deleted the link to the POC, in my post.
I feel that Opera is trying 'security by obscurity' in this case.
What kind of insane nonsense is this? Do you even know what security through obscurity means?
Evidently not.
You are just spewing nonsense.
YOU deleted the link, and then you accuse Opera of "security through obscurity"? Truly pathetic.
Discussing with you is waste of time...
'Security by obscurity' can be many things.
One of those things is denial, and you were one of the victims, you don't know about the vulnerability at all.
So yes, you just proved that 'SBO' works.
Have a nice and calm evening with safe surfing.
Originally posted by erikf:
'Security by obscurity' can be many things.
One of those things is denial, and you were one of the victims, you don't know about the vulnerability at all.
So basically, you are calling Opera employees liars. Sounds like a blatant personal attack to me!
What makes you think YOU know better than Opera employees exactly? Notice what the actual page with the exploit says?
"Exploiting this issue may allow remote attackers to execute arbitrary code in the context of the application."
MAY ALLOW. Have they shown a WORKING EXPLOIT?
No.
All they have shown is a browser crash.
So yes, you just proved that 'SBO' works.
No, you just proved that bigotry still lives on.
Also, SANS is now confirming that two exploits exist and are very real: http://isc.sans.org/diary.html?storyid=8356
Originally posted by TetraNitro:
Erikf wasn't the only one to link to the POC on this board.
Truly pathetic. First you spew out insane conspiracy theories and accuse Opera of censorship when they did nothing of the sort. Then you do not even bother to apologize for your extreme dishonesty, and instead continue to post false claims.
Show exactly how the POC does anything apart from crashing the browser, or shut up.
Crash != vulnerability.
Also, SANS is now confirming that two exploits exist and are very real: http://isc.sans.org/diary.html?storyid=8356
WRONG. They are not confirming anything of the sorts:
"One of them seems to be a DoS resulting in a browser crash, but the other looks like it will allow full code execution."
One of them is just a crash.
The other one is just a crash, but they speculate that it LOOKS LIKE it MIGHT allow code execution. They have failed to demonstrate working code execution.
For everyone else, another site has reported the vulnerability. Just to keep the links all in one thread: http://www.vupen.com/english/advisories/2010/0529
Originally posted by TetraNitro:
Please, do tell me more, Purdi. You're quite compelling.
Put up or shut up. Demonstrate code execution, or go away.
For everyone else, another site has reported the vulnerability. Just to keep the links all in one thread: http://www.vupen.com/english/advisories/2010/0529
It's just parroting the other sites. And guess what, STILL NO WORKING EXPLOIT:
"This issue is caused by a buffer overflow error when processing malformed HTTP "Content-Length:" headers, which could be exploited by remote attackers to crash an affected browser or execute arbitrary code by tricking a user into visiting a web page hosted on a malicious web server."
Notice how there's always COULD BE, MIGHT BE, NOT SURE?
NO actual exploit.
If an actual exploit is shown, I will retract my comments.
Will you retract your blatant lies until an actual exploit is demonstrated? Will you apologize to the employees you have derided and demonized?
Originally posted by TetraNitro:
Even if you disagree with what's being said, there are certainly more constructive and polite ways to voice your opinion on this matter.
So you think it's polite to throw accusations and insane conspiracy theories at Opera, and call them liars?
I realize you feel that these issues are harmless, and that the possibility for an attack or exploit isn't worth concerning yourself over, but the fact that SANS says
Show a working exploit, or shut up. Of course security sites are going to hype crash bugs as much as possible.
Funny how you automatically attack Opera, but ignore the fact that these "security" companies have a history of hyperbole. Simple crashes are claimed to be "exploits".
So why are you blatantly and disgustingly attacking Opera and only Opera?
Also, why are you not retracting your blatant lie about SANS "confirming" any exploits? They did no such thing. How long are you going to keep lying, and then pretend like nothing happened when you are busted?
Originally posted by haavard:
A small update: This doesn't seem to be exploitable after being looked into. It might crash, but is there a proof of concept which executes code?
Then you admit there is a Buffer Overflow Vulnerability which might crash the browser...
I can't answer your question about POC for code-execution, haven't tried them.
Anyway, can anyone tell what will follow sooner or later based on this(these) vulnerabilities...
Probably will be in the next minor release.
IMO.
Originally posted by erikf:
Then you admit there is a Buffer Overflow Vulnerability which might crash the browser...
There's a difference between an actual exploit, and a normal crash bug. Just crashing the browser is not a "security vulnerability", and doesn't merit a "critical" rating.
I can't answer your question about POC for code-execution, haven't tried them.
If it isn't possible to perform code execution it's just a normal crash bug. Normal crash bugs are not critical.
You've made your point - several times - now relax, there are other threads too.
5. March 2010, 20:46:05 (edited)
By the way just fix the crush bug part, there is a high probability that the other one is killed if exist. Besides that would draw out the POC for the arbitrary code execution if it is truly exist.
http://secunia.com/advisories/product/28698/
Firefox appears to be in the same category of risk according to Secunia. 1 open Highly Critical advisory.
83% of Firefox 3.0.x's advisories were rated Highly Critical, as were 86% of Firefox 3.5.x's
The record for all of Opera 10.x's releases is: 5 total advisories, 1 open, 60% were Highly Critical.
I'd say the Opera devs are doing fine.
Originally posted by erikf:
Originally posted by haavard:
A small update: This doesn't seem to be exploitable after being looked into. It might crash, but is there a proof of concept which executes code?
Then you admit there is a Buffer Overflow Vulnerability which might crash the browser...
I can't answer your question about POC for code-execution, haven't tried them.
Anyway, can anyone tell what will follow sooner or later based on this(these) vulnerabilities...
@YtseJam:
I think I made you misunderstand my 3 sentence:
This by-now known Buffer Overflow Vulnerability, can anyone tell if/when we will have a code execution vulnerability,
if we not already have it by now. I suppose no.
Originally posted by Purdi:
Originally posted by erikf:
This by-now known Buffer Overflow Vulnerability
This is a crash bug. Why do people insist on calling crash bugs "vulnerabilities"?
Because we read and learn:
Quote from Secunia: http://secunia.com/advisories/38820/
Secunia Advisory SA38820
Opera "Content-Length" Processing Buffer Overflow Vulnerability
Secunia Advisory SA38820
Release Date 2010-03-04
Popularity 4,210 views
Criticality level Highly critical
Impact System access
Where From remote
Solution Status Unpatched
Originally posted by erikf:
Because we read and learn:
You are just repeating the groundless claim that there is a vulnerability here.
Apparently you can't even read because it clearly says:
"Successful exploitation may allow execution of arbitrary code."
Again, notice the MAY? If it can't executed code, it is not a security hole.
But I already told you this, so why are you repeating claims you know are false?
Originally posted by TetraNitro:
More specifically, the nature of a "Buffer Overrun" or "Buffer Overflow" event is one in which the application in questions crashes, but code left behind in memory is run arbitrarily afterward.
Still no code execution then, I gather?
Historically buffer overrun errors have been notoriously leveraged to execute arbitrary code without user intervention. That's why people are worried about this one.
People are worried about all sorts of irrelevant crap. Show me the remote code execution, or shut up.
Originally posted by Purdi:
Originally posted by TetraNitro:
More specifically, the nature of a "Buffer Overrun" or "Buffer Overflow" event is one in which the application in questions crashes, but code left behind in memory is run arbitrarily afterward.
Still no code execution then, I gather?Historically buffer overrun errors have been notoriously leveraged to execute arbitrary code without user intervention. That's why people are worried about this one.
People are worried about all sorts of irrelevant crap. Show me the remote code execution, or shut up.
Do we have any moderators in this forum, or what? This guy has repeatedly and consistently been nothing but a screeching, hostile, belligerent troll who's main line of thinking is "I don't agree with your concerns, so you're a moron and shut up". His uninformed and venomous attitude even in the fact of appeals to reason and polite requests toward decency have been met with bile and personal attacks. He's done this in more than one instance, and it seems rude to the community at large that he should be allowed to spew his hate with the intention of disrupting conversations.
Originally posted by TetraNitro:
Do we have any moderators in this forum, or what?
Yeah, where are they? A couple of trolls have consistently been attacking and belittling Opera employees by calling them liars and claiming that they are censoring stuff.
And now these people have failed to show remote code execution, so they resort to reposting the same claims over and over again.
Latest Opera-Snapshot
Windows Vista SP2
Originally posted by Purdi:
And now these people have failed to show remote code execution, so they resort to reposting the same claims over and over again.
I will explain this as calmly as I care to: Just because remote code execution hasn't been published, that's no reason to assume that a buffer overrun is harmless. It just means that no one has yet spent the time to uncover the correct way to leverage it. It still remains a problem, even if the remote code execution proof you're crowing about isn't directly under your nose.
If there's a gaping hole in your roof, and someone tells you that your carpet is going to get wet come the rainy season, do you tell them that obviously they're wrong, because your carpet is currently dry and the skies are clear?
Another interesting note! A block feature. How exquisite. I highly recommend all other forum-goers exercise this option. Sublime.
Originally posted by TetraNitro:
Just because remote code execution hasn't been published, that's no reason to assume that a buffer overrun is harmless.
If the people with the actual source code can't find a way to exploit it, I doubt that some lame script kiddie is going to do it.
Originally posted by Purdi:
Originally posted by TetraNitro:
Just because remote code execution hasn't been published, that's no reason to assume that a buffer overrun is harmless.
If the people with the actual source code can't find a way to exploit it, I doubt that some lame script kiddie is going to do it.
There are not only script kiddies out there.
There are apparently also talented programmers who are into writing malicious code which they publish or not, depending on whether they want to use it for themselves or share it with the script kiddies.
I am not knowledgeable to say if this is exploitable or not but I would certainly feel more secure if that malformed "Content-Length" header thing that can at least crash the browser, according to haavard, was patched quite rapidly as I can't see a reason why it could not be.
Please forgive me, but this series of posts have been an awful way to handle this situation...
While I agree that there "seems to be no -execution code- PoC around" (because as always in security just because you haven't seen it doesn't mean it isn't somewhere) I would have expected to see a more "well, we looked into and this can't work because of blah blah blah"
So far I've seen a bunch of rants (in favor and against) about the PoC, about the vuln posts at secunia, vupen and seucurityfocus and the others, however, I haven't seen yet anything backing up the different claims.
Despite the fact that there's no 'execution code' PoC around (not that we know of at least), being an opera's user I would have liked to see something more than 'do you see an execution PoC? no? then there's no vuln'
Seriously, can someone at least answer what tha' heck is all that asm code? why is this supposedly to be a proof of the bug or why is it not?
"BUG-> 6781E0BA F3:A5 REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ESI] <-- BUG"
If I had a dollar for every time that I've seen people/companies saying "there's no PoC demonstrating the vuln", "We haven't seen yet a working exploit on this so it doesn't seem to be vulnerable", "this is not a bug" and yet execution code had showed up, I could swear I'll be millionaire by now
So far the only thing saying that someone had looked into this is the response of haavard:
"A small update: This doesn't seem to be exploitable after being looked into. It might crash, but is there a proof of concept which executes code?"
Uhm.. ok, that sounds good, have anything been posted about it? could I see test cases?
As I said earlier, while I do agree that the only PoC right now floating around might demonstrate just a crash, saying that there's no vuln because there's no calc.exe being called after the browser crash is just a bad response.
So secunia is wrong? vupen is wrong? securityfocus is wrong? sans is wrong? Marcin Ressel aka ~echo is wrong? that's great, but if someone is gonna criticize those messages or a PoC or whatever for lack of evidence, then same goes for those who are saying over and over that this is just a crash, no security problem, without a single peace of evidence supporting that claim.
Don't get me wrong, I'm all in favor of opera's browser, it is a great product, but posts like this where everyone accuse the other without bringing facts to the table (again, it works for both, those supporting and those against) is something that just hurt the security process.
Regards
Originally posted by chaosDark:
Marcin Ressel aka ~echo is wrong?
Is this the douchebag who sat on this until 10.5 final was released and then released the full details without giving Opera a chance to look into it first, just because he is an attention whore?
posts like this where everyone accuse the other without bringing facts to the table (again, it works for both, those supporting and those against) is something that just hurt the security process.
Yeah, like the douchebag who made the absolute claims about a security flaw, and didn't even give the vendor a chance to look into it first, just to grab attention.
Originally posted by Purdi:
Originally posted by chaosDark:
Marcin Ressel aka ~echo is wrong?
Is this the douchebag who sat on this until 10.5 final was released and then released the full details without giving Opera a chance to look into it first, just because he is an attention whore?posts like this where everyone accuse the other without bringing facts to the table (again, it works for both, those supporting and those against) is something that just hurt the security process.
Yeah, like the douchebag who made the absolute claims about a security flaw, and didn't even give the vendor a chance to look into it first, just to grab attention.
I'm not talking about responsible disclosure and if that's good or not, that war have been discussed millions of times already without any solution and I don't intend to start another one, and I don't really care if that guy is a douchebag or not.
My interest is simple: should I be worried about this "alleged vulnerability" in my main browser?
Yes? -> why is that?
No? -> why not?
If this thread, which could be helpful in a lot of ways, is just going to continue with "because there's no PoC executing code around and [insert name here] is wrong", please avoid replay and just close the thread.
Regards
Originally posted by chaosDark:
Uhm.. ok, that sounds good, have anything been posted about it? could I see test cases?
This was reported yesterday.. give them time to breathe. Even if it's not exploitable from a security perspective, it's still a bug in the context of stability, so I would guess fixing it internally might be a slightly higher priority for devs than making prompt public posts all about how best to crash Opera.
Originally posted by chaosDark:
So secunia is wrong? vupen is wrong? securityfocus is wrong? sans is wrong? Marcin Ressel aka ~echo is wrong?
Given that neither of them have the same access to Opera's internals as Opera's employees do - Haavard is an Opera employee, and has stated that this HAS been looked into and doesn't seem exploitable after being looked into by people who actually have a full and comprehensive how Opera works internally - no matter how reliable Secunia is that's something they don't have.
5. March 2010, 23:12:05 (edited)
Originally posted by lucideer:
As reluctant as I am to enter this already volatile thread...
This was reported yesterday.. give them time to breathe. Even if it's not exploitable from a security perspective, it's still a bug in the context of stability, so I would guess fixing it internally might be a slightly higher priority for devs than making prompt public posts all about how best to crash Opera.
That's a better response, "we/they will be looking into this, doesn't seem to be a vuln yet, will give report later, stay tuned...", but you have to understand how frustrating can be to see only two acceptable answers from a thread that has 40 replies already.
Edit:
Originally posted by Purdi:
Nope. It hasn't been shown to do anything but crash.
Again, it's not about what have been seen, it's about code testing, it's about risk scope if any. There have been tons of supposedly security problems that weren't problems when they were reported until someone decided to make a different payload for that same vector.
Regards
Originally posted by chaosDark:
but you have to understand how frustrating can be to see only two acceptable answers from a thread that has 40 replies already
The first thing Opera employees get when they take the time to actually respond is a bunch of violent personal attacks and accusation against them. Is it really strange if they become hesitant to touch these people even with a ten feet pole? If all you get thrown in your face when you try to be helpful is abuse, it's not exactly surprising if you just give up and move on.
Originally posted by Purdi:
The first thing Opera employees get when they take the time to actually respond is a bunch of violent personal attacks and accusation against them. Is it really strange if they become hesitant to touch these people even with a ten feet pole? If all you get thrown in your face when you try to be helpful is abuse, it's not exactly surprising if you just give up and move on.
And I completely agree with you on this, however, as I said in my post, the situation/thread was badly handled, if someone started to see personal attacks then someone could have come to say "We understand your concern and we can assure you all that we're looking into this but we won't allow personal attacks against our users so for the time being this thread is closed", but starting to object things and personal attacks with bad security related answers was a bad move, we might not agree on this but is the feeling several responses have left.
Regards
Originally posted by chaosDark:
the situation/thread was badly handled
By the trolls who constantly attack Opera employees, yes. By Opera employees, no.
if someone started to see personal attacks then someone could have come to say
Yeah. And get even more abuse. You know how it works, don't you? They would start whining even more about "censorship" and "evil Opera", and nonsense like that. They already started cooking up conspiracy theories after a USER removed a link from his own post. How do you think those rabid trolls would react if Opera closed the thread?
we won't allow personal attacks against our users
USERS weren't being attacked. A vicious gang of trolls ganged up on OPERA EMPLOYEES to attack them.
starting to object things and personal attacks with bad security related answers was a bad move
What on earth are you talking about? This sentence doesn't even make sense. What is "object things"?
Originally posted by Purdi:
Originally posted by chaosDark:
starting to object things and personal attacks with bad security related answers was a bad move
What on earth are you talking about? This sentence doesn't even make sense. What is "object things"?
Is like when you make objections about things? like when someone says "the PoC works!" and someone replays "I object to that! it's just a crash"
But nevermind, English isn't my native language so surely I said it wrong
Regarding the attacks, I hope at least "I" haven't attacked anyone (opera's employees or not), I just thought that security awareness on this matter should have been addressed in a better way.
Regards
From TETRA ... re Purdi
"Do we have any moderators in this forum, or what? This guy has repeatedly and consistently been nothing but a screeching, hostile, belligerent troll who's main line of thinking is "I don't agree with your concerns, so you're a moron and shut up". His uninformed and venomous attitude even in the fact of appeals to reason and polite requests toward decency have been met with bile and personal attacks....... ".
Purdi or GoJoe or whoever you are ... new users come to these forums for assistance and are met with your hate and hostility.
I respectfully ask why the moderators are tolerating this?
I'm a normal user. I have visited this thread from link on Secunia advisory and I am shocked and disgusted with the attitudes shown here. I was expecting a discussion regarding this advisory because to me as to other people it seamed very convenient that this vulnerability has been reported 'now' and I'm concerned as it is reported as highly critical.
Yet instead of discussion about it I see people (dumb people) attacking Opera, arguing about PoC and validity of advisory itself. If you are sure there is no vulnerability then update status on Secunia. And one more thing, people yielding for moderator, can you imagine the monumental shit storm of the century that would began if posts begin to disappear from discussion about vulnerability?
edited : ps.: Am I wrong, or Marcin has reported Secunia Advisory SA38820 before contacting Opera? (Which would be a very Media Whore like move)
You want see code execution POC , pay me and i doing 4 you
It is obliged to be in interest of opera fast repairing this bug
No matter what kind of bug it is
So, what purpose has this discussion
Showing topic replies 1 - 50 of 92.