Opera for Windows v7.x prior to v7.23 build 3227 contains a file overwrite vulnerability which allows remote downloads to overwrite any file on the filesystem.
f4080a105f0722ecfb13159fccbb24fb407efafa0251c74c77d7beb48149e744
Last Modified: Dec 12 2003
[Opera 7] Arbitrary File Delete Vulnerability
-= How Dare You Delete My Important Files? =-
PRODUCT Opera 7 for Windows
VERSIONS 7.22 build 3221 (JP:build 3222)
7.21 build 3218 (JP:build 3219)
7.20 build 3144 (JP:build 3145)
7.1x
7.0x
VENDOR Opera Software ASA (https://www.opera.com/)
SERVERITY Critical.
An arbitrary file could be deleted on Local Disk from Remote.
DICOVERED BY nesumin
AUTHOR :: Operash ::
REPORTED DATE 2003-11-26
RELEASED DATE 2003-12-12
PRODUCT
Opera for windows is a GUI base WEB Browser.
Opera Software ASA (https://www.opera.com/)
DESCRIPTION
Displaying a Download Dialog, Opera creates a temporary file.
But this file name is not sanitized enough, so that an existing file
can be deleted.
Exploiting this vulnerability, an attacker can delete an arbitrary
existing file on a local disk from remote.
With this vulnerability, there could be following risks;
* Destruction of the system.
* Destruction of application data.
SYSTEMS AFFECTED
* 7.22 build 3221 (JP:build 3222)
* 7.21 build 3218 (JP:build 3219)
* 7.20 build 3144 (JP:build 3145)
* 7.1x
* 7.0x
SYSTEMS NOT AFFECTED
* 7.23 build 3227 (JP:build 3226)
EXAMINES
Opera for Windows
* Opera 7.23 build 3227 (JP:build 3226)
* Opera 7.22 build 3221 (JP:build 3222)
* Opera 7.21 build 3218 (JP:build 3219)
* Opera 7.20 build 3144 (JP:build 3145)
* Opera 7.11 build 2887
* Opera 7.11 build 2880
* Opera 7.10 build 2840
* Opera 7.03 build 2670
* Opera 7.02 build 2668
* Opera 7.01 build 2651
Platform
* Windows 98SE Japanese
* Windows 2000 Professional SP4 Japanese
* Windows XP Professional SP1 Japanese
SOLUTION
Upgrade to version 7.23 or later version.
TECHNICAL DETAILS
Displaying a Download Dialog, Opera creates a temporary file which is
based on the name used while downloading in the temporary
directory. This temporary file is for searching the associated
application.
ex.
Download URL:
"https://server/path/FILENAME.ext"
Temporary Filename:
"c:\windows\temp\FILXXX.tmp.FILENAME.ext"
(XXX is random string, like "01A")
But this temporary file name is not sanitized enough so that it can
possibly contain the illegal character string '..%5C'.
The file with this string can be located on any paths on the same drive
as the temporary file.
If there's an already existing file with the same name on the path, it
will be overwritten and deleted soon.
ex.
Download URL:
"https://server/path/AAAAAAAAAA%5C..%5C..%5Ccalc.exe"
Temporary Filename:
"c:\windows\temp\AAAXXX.tmp.AAAAAAAAAA\..\..\calc.exe"
this is... "c:\windows\calc.exe"
Therefore, if a user goes to a malicious URL which makes Opera display
the Download Dialog, his files could be deleted with this vulnerability.
The conditions of deletable files;
1. File's path can be specified with a relative path from a temporary
directory.
2. File name contains '.' .
3. Writable file within Opera process's authority.
4. Except "Read Only" attribute on Windows 9x Kernel.
Except "Read Only", "System" or "Hide" attributes on Windows NT
Kernel.
SAMPLE CODE
None release.
TIME TABLE & VENDOR STATUS
* 2003-10-09 Discovered this vulnerability.
* 2003-11-26 Reported to vendor.
* 2003-12-12 Published this advisory.
No reply from vendor.
DISCLAIMER
1. We cannot guarantee the accuracy of all statements in this
advisory.
2. We do not anticipate issuing updated versions of this advisory
unless there is some material change in the facts.
3. And we will take no responsibility for any kinds of
disadvantages by
using this advisory.
4. You can quote this advisory without our permission if you keep
the following;
1. Do not distort the advisory's content.
2. Quote only on the Internet media.
5. If you have any questions, please contact to us.
CONTACT, ETC
:: Operash :: https://opera.rainyblue.org/
+ imagine <imagine20xx@gmx.net> ( Webmaster )
+ nesumin <nesumin@softhome.net>
Thanks to
+ anima
+ melorin
+ piso(sexy)
Copyright © 2003 :: Operash :: All rights reserved