Critical Buffer Overflow Vulnerability in Opera v10.5 (unpatched)

Critical Buffer Overflow Vulnerability in Opera v10.5 (unpatched)

Opera "Content-Length" Processing Buffer Overflow Vulnerability

A vulnerability has been identified in Opera, which could be exploited by remote attackers to compromise a vulnerable system. This issue is caused by a buffer overflow error when processing malformed HTTP "Content-Length:" headers, which could be exploited by remote attackers to crash an affected browser or execute arbitrary code by tricking a user into visiting a web page hosted on a malicious web server.

Criticality level: Highly critical
Solution Status: Unpatched

http://secunia.com/advisories/38820/

From the article: "... Ford said Opera is in the process of pushing out an update that patches the bug."

I hope this can put this thread to rest.

For those interested in a POC for the crash

Opera 10.X Integer Overflow Cras PoC

Originally posted by jiimbo:

For those interested in a POC for the crash

Everyone knows that it crashes. What's missing is evidence of code execution.

just stay away from warez and pr0n sites and you shouldn't have anything to worry about

Originally posted by dave023:

just stay away from warez and pr0n sites and you shouldn't have anything to worry about

Haha, for the average Opera user that is 'teh internetz'

Originally posted by philharris:

Haha, for the average internet user that is 'teh internetz'

Fixed that for you

Originally posted by prd3:

Originally posted by philharris:

Haha, for the average internet user that is 'teh internetz'

Fixed that for you

Thank you although I was just assuming the average Opera user was more technically minded and ... erm ... red blooded than the norm

Originally posted by jiimbo:

For those interested in a POC for the crash

Opera 10.X Integer Overflow Cras PoC

Just a heads up to anyone trying this link: NOD32 intercepted it as a threat, and quarantined whatever happened before I was able to see it.

Don't know what to make of that (NOD preventing a crash? Not sure), but I thought I'd let people know.

Originally posted by TetraNitro:

Don't know what to make of that

I would guess it was based on the url rather than the nature of the threat - that url is possibly blacklisted for normal Nod32 users, for obvious reasons.

Originally posted by lucideer:

Originally posted by TetraNitro:

Don't know what to make of that

I would guess it was based on the url rather than the nature of the threat - that url is possibly blacklisted for normal Nod32 users, for obvious reasons.

I would agree, but the NOD message was very clear about the action taken. It didn't block HTTP access, but instead quarantined a file that was in the cache of the browser. I've seen both occur, so I don't think it was a blacklisted domain, as the HTTP module wasn't what was acting up. It labeled the threat as a PHP exploit when I looked at the log files. It might be heuristics at work, on closer examination.

Bump. Any fix at the horizon?

Originally posted by xErath:

DEP is enabled by default, you don't need to do anything about it.

On winxp afaik not enabled by default

Originally posted by HerwigF:

Seems it helps to enable DEP if supported by CPU/OS. If not... well... gonna wait for a patch.

DEP is enabled by default, you don't need to do anything about it.

But given the fact that DEP can be bypassed (both, software and hardware-enforced mode) relying on it isn't as good as it might sound.

Yes the same thing happened to me. NOD does not like it

Originally posted by TetraNitro:

but the NOD message was very clear about the action taken

Yes seems like it is blocking a file

PHP/Exploit.Opiolo.A trojan

I am reluctant to turn of NOD and test is as per usual.

Originally posted by TetraNitro:

It might be heuristics at work, on closer examination.

I turned of both heuristics and advanced heuristics under realtime protection and the file is still detected.

Originally posted by lksd:

I'm a normal user. I have visited this thread from link on Secunia advisory and I am shocked and disgusted with the attitudes shown here. I was expecting a discussion regarding this advisory because to me as to other people it seamed very convenient that this vulnerability has been reported 'now' and I'm concerned as it is reported as highly critical.



Yet instead of discussion about it I see people (dumb people) attacking Opera, arguing about PoC and validity of advisory itself. If you are sure there is no vulnerability then update status on Secunia. And one more thing, people yielding for moderator, can you imagine the monumental shit storm of the century that would began if posts begin to disappear from discussion about vulnerability?

Pretty much the only sensible person in here right now.

Opera has always been the one with the least exploits and the first to fix them. We'll get a fix soon, I wouldn't worry about it.

Originally posted by GeeZuS:

Opera has always been the one with the least exploits and the first to fix them. We'll get a fix soon, I wouldn't worry about it.

Not the only sensible person though.

Originally posted by lucideer:

This was reported yesterday.. give them time to breathe.

On the subject of DEP, it should of course be remembered that MANY of us have motherboards which don't support it and hence it is not an option. DEP is a relatively recent development and many XP machines won't have it.

Personally I am not worried about this problem as it is most unlikely with normal browsing I would go anywhere near any sites infected with it. I also suspect it was deliberately announced around the time of 10.50's issue to harm Opera. Sadly there is a lot of negative feeling towards the browser in some quarters. Let us hope a fix comes out soon so we can move on from this hyped up distraction.

The fact is that no one has reproduced the Vulnerability.
Only a crash is reproduced.

If the Vulnerability finder just would contact Opera.
Or other people that can reproduce the Vulnerability

Originally posted by chaosDark:

I'm all in favor of opera's browser, it is a great product, but posts like this where everyone accuse the other without bringing facts to the table (again, it works for both, those supporting and those against) is something that just hurt the security process.

I think it is important to distinguish between random community members *who don't work for Opera* from Opera's own response. So far, I suppose you could find fault with Havarrd only said it didn't look exploitable, but I'm not sure what else he could back that up with? They checked it and didn't find an exploit and asked if anyone has an exploit for it...

Originally posted by jiimbo:

For those interested in a POC for the crash

Opera 10.X Integer Overflow Cras PoC

Sorry to bring this up again, but can anyone confirm (CAREFULLY, of course!) whether or not this is actually a trojan, as NOD says it is? I realize it might be unrelated to the larger discussion if someone's just taking advantage of the situation, but either way if it's a real piece of malware, I need to take a closer look at my system.

Got an email this morning from Secunia with a link to their new blog entry about this (http://secunia.com/blog/86):

Confusion about Opera vulnerability
16:55 CET on the 8th March 2010. Entry written by Carsten Eiram.

There has lately been some confusion about a vulnerability reported in
the Opera browser and rightly so based on the different statements
having been issued.

The vulnerability was reported as an integer overflow when processing
the "Content-Length" header and accompanied by a PoC that always
crashed when copying memory due to an overly large size. Based on the
provided PoC and report, it immediately seemed like the crash would
always occur and executing code would not be possible.

Before issuing a Secunia advisory, a security specialist was tasked
with thoroughly analysing the vulnerability report, cause of the crash,
and potential impact. It turned out that the vulnerability is not
caused by an integer overflow error. Instead, in certain cases when a
64-bit "Content-Length" value is interpreted as negative, the higher
32-bit value is ignored and lower 32-bit value is used to copy data. It
is, therefore, possible to manipulate the size value in a manner to
successfully corrupt memory and occasionally cause conditions where it
is possible to gain control of the execution flow.

At least one other site did, as usual, abuse the opportunity to hype
the vulnerability and refer to it as a 0-day, which is misleading as no
working exploit has been published nor is the vulnerability being
actively exploited. Instead, it was an uncoordinated (commonly termed:
"irresponsible") disclosure as the vulnerability report was published
without the reporter first informing the vendor.

Adding to the confusion, Opera Software's initial analysis of the
vulnerability concluded that it was not a vulnerability and this was
communicated on the Opera Software forum and to the media. Opera
Software also contacted Secunia, asking us to update our advisory or
alternatively that we provide them with additional information.

During the past days, we have, therefore, been working with Opera
Software and providing them with details to clarify that the threat is
not just a crash, but has code execution potential. Opera Software has
acknowledged to us that they are now handling it as a security issue
and will be issuing an advisory and fix as soon as possible.

Stay Secure,

Carsten Eiram
Chief Security Specialist

Originally posted by jp10558:

Originally posted by chaosDark:

I'm all in favor of opera's browser, it is a great product, but posts like this where everyone accuse the other without bringing facts to the table (again, it works for both, those supporting and those against) is something that just hurt the security process.

I think it is important to distinguish between random community members *who don't work for Opera* from Opera's own response. So far, I suppose you could find fault with Havarrd only said it didn't look exploitable, but I'm not sure what else he could back that up with? They checked it and didn't find an exploit and asked if anyone has an exploit for it...

I didn't found fault in Havarrd's response and that quote wasn't referring to Havarrd neither, nor I was hopping, at that moment, something to back up if there was an exploitable condition or not.

My concern was how quickly several posts discarded the advisories based on nothing more than 'what have been seen', the browser crashed, that's what everyone saw and thus (being just a crash) can't be considered a security problem, possible exploitable condition or something worthy to be treated anything different that 'just a crash' (because nobody saw anything different).

That was my concern and the quote was referring to just that.

Reading now secunia's new post, I guess my concerns weren't as misleading.

Originally posted by xErath:

DEP is enabled by default, you don't need to do anything about it.

It is but you can still go in and set to " Enable DEP for all programs on your computers "

How to Configure Memory Protection in Windows XP SP2 (same in SP3)
http://technet.microsoft.com/en-us/library/cc700810.aspx

Also People on XP SP2 should update to SP3 now as SP2 is being dropped in June

For those of you who don't read Opera Security group's blog on daily basis:
http://my.opera.com/securitygroup/blog/2010/03/09/the-malformed-content-length-header-security-issue

LINK

Secunia Blog

The Secunia Blog is used to communicate our opinions about vulnerabilities, security, ethics, and our responses to articles, research papers, and other blog entries regarding Secunia and vulnerabilities.


Confusion about Opera vulnerability
16:55 CET on the 8th March 2010. Entry written by Carsten Eiram.

There has lately been some confusion about a vulnerability reported in the Opera browser and rightly so based on the different statements having been issued.

The vulnerability was reported as an integer overflow when processing the "Content-Length" header and accompanied by a PoC that always crashed when copying memory due to an overly large size. Based on the provided PoC and report, it immediately seemed like the crash would always occur and executing code would not be possible.

Before issuing a Secunia advisory, a security specialist was tasked with thoroughly analysing the vulnerability report, cause of the crash, and potential impact. It turned out that the vulnerability is not caused by an integer overflow error. Instead, in certain cases when a 64-bit "Content-Length" value is interpreted as negative, the higher 32-bit value is ignored and lower 32-bit value is used to copy data. It is, therefore, possible to manipulate the size value in a manner to successfully corrupt memory and occasionally cause conditions where it is possible to gain control of the execution flow.

At least one other site did, as usual, abuse the opportunity to hype the vulnerability and refer to it as a 0-day, which is misleading as no working exploit has been published nor is the vulnerability being actively exploited. Instead, it was an uncoordinated (commonly termed: "irresponsible") disclosure as the vulnerability report was published without the reporter first informing the vendor.

Adding to the confusion, Opera Software's initial analysis of the vulnerability concluded that it was not a vulnerability and this was communicated on the Opera Software forum and to the media. Opera Software also contacted Secunia, asking us to update our advisory or alternatively that we provide them with additional information.

During the past days, we have, therefore, been working with Opera Software and providing them with details to clarify that the threat is not just a crash, but has code execution potential. Opera Software has acknowledged to us that they are now handling it as a security issue and will be issuing an advisory and fix as soon as possible.

Stay Secure,

Carsten Eiram
Chief Security Specialist

Originally posted by TetraNitro:

Sorry to bring this up again, but can anyone confirm (CAREFULLY, of course!) whether or not this is actually a trojan, as NOD says it is? I realize it might be unrelated to the larger discussion if someone's just taking advantage of the situation, but either way if it's a real piece of malware, I need to take a closer look at my system.

Guess it is time to fire up the old VM image. I will test with no AV then load a new snapshot then install avast then test again.

Originally posted by davews:

On the subject of DEP, it should of course be remembered that MANY of us have motherboards which don't support it and hence it is not an option. DEP is a relatively recent development and many XP machines won't have it.

Its more of a 'Does my CPU support DEP' . You might be confusing it with TPM
If Hardware DEP is not detected, then software DEP is turned on for default for critical windows programs and system files. To get a wider protection spectrum, global settings need to be turned on for all software from different vendors. As chase 4 pointed out that is the reconmended way to turn on DEP (Process is the same in all windows NT based system and Newer versions)

You can refer to this to article to check wether the desired DEP setting is being aplied.

Originally posted by TetraNitro:

Sorry to bring this up again, but can anyone confirm (CAREFULLY, of course!) whether or not this is actually a trojan,...

Nope, it's not.

First time seeing Opera has a serious bugs that still unpatched.
this is also posted on Betanews.com today.

Originally posted by tareqf1:

First time seeing Opera has a serious bugs that still unpatched.

What do you mean "still"? All serious bugs will be unpatched for a few days while a fix is made. If this is the first time you have seen a security flaw in Opera, you haven't been around for very long.

it was an uncoordinated (commonly termed: "irresponsible") disclosure as the vulnerability report was published without the reporter first informing the vendor.

Indeed always inform the vender first

An official rapport from Opera about this issue
http://my.opera.com/securitygroup/blog/2010/03/09/the-malformed-content-length-header-security-issue

Originally posted by Krake:

Nope, it's not.

so you are calling fp?

Guess testng exploits cannot really be classified as a trojan can it?

This is not suppose to crash the browser is it? I disabled security and such and my browser didnt crash. I'm guessing system wide DEP is mitigatting it? <Nope doesnt crash under normal settings either. Must be the hardware DEP kicking in.

Your computer's processor supports hardware based-DEP

Trojans are malware related and crashes are not always related to malware

Originally posted by xErath:

DEP is enabled by default, you don't need to do anything about it.

Sorry but this is not true. By default in Windows XP, Vista and 7, DEP is enabled for Windows only, not for applications like Opera and others.

Furthermore, the CPU must support it. By far not all computers support DEP today. So relying on DEP as a protection would be absolutely dangerous.

Anyway, the Content-Length problem definitvely is a bug and has to be fixed, so why messing around?!

Originally posted by Ichann:

so you are calling fp?

You will have to ask the NOD people why the POC gets labeled as trojan.
Only reason I can think of is that they consider the code an attack vector worth to be blocked.

Originally posted by Chas4:

Trojans are malware related ...

Trojan = malware

Originally posted by Krake:

Trojan = malware

So are viruses and so is spyware

Originally posted by HerwigF:

Sorry but this is not true. By default in Windows XP, Vista and 7, DEP is enabled for Windows only, not for applications like Opera and others.

It is true because Opera explicitly enables DEP for itself, if the feature is available of course.

Originally posted by HerwigF:

Furthermore, the CPU must support it

Not necessarily. If the CPU does not support it windows falls to a software layer

Originally posted by Chas4:

Trojans are malware related and crashes are not always related to malware

Was that directed at me? If so. Yes, crashes can be caused by numerous factors. But my browser doesn't crash WHY?

Originally posted by tareqf1:

First time seeing Opera has a serious bugs that still unpatched.

Because it's the first time that a problem like that was disclosured before Opera had a chance to fix it. And also, the first information about the problem lead Opera to think it was not a secure issue.

Leo CG

Originally posted by browzer1:

Sorry .. I'm going to jump in here........ I cannot tolerate this anymore.

From TETRA ... re Purdi

"Do we have any moderators in this forum, or what? This guy has repeatedly and consistently been nothing but a screeching, hostile, belligerent troll who's main line of thinking is "I don't agree with your concerns, so you're a moron and shut up". His uninformed and venomous attitude even in the fact of appeals to reason and polite requests toward decency have been met with bile and personal attacks....... ".



Purdi or GoJoe or whoever you are ... new users come to these forums for assistance and are met with your hate and hostility.



I respectfully ask why the moderators are tolerating this?

In the same respectful mood for everyone and specially for moderators (seriously, no pun, no offense intended), I endorse you (browzer1) a big QFT and even a bigger +2000000.

(BTW, the new "nelsson -> Niqhead -> WhineWhine -> GoGoeGo -> WayOfTheBastard -> Purdi" is/will be this one:
http://my.opera.com/prd3/about/ , which seems the new account he's slowly migrating to, for the eventual ban he might suffer on "Purdi" and which BTW he seems to have been deserving for years, as it seems on the other accounts he has been using (now all banned/erased)...
)

Again, it's a bit offtopic, I know, but with ALL respect for moderators and peacful "my.opera forum" users. I REALLY want peace in this forums. Nothing more to say.