[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Full-disclosure] Opera Web Browser 12.11 WriteAV Vulnerability



Title    :  Opera Web Browser 12.11 WriteAV Vulnerability
Version  :  12.11 Build 1661 and 12.12
Date     :  2012-12-03
Vendor   :  http://www.opera.com/
Impact   :  High
Contact  :  coolkaveh [at] rocketmail.com
Twitter  :  @coolkaveh
tested   :  windows XP SP3
Author   :  coolkaveh
#####################################################################################################################
Opera is a web browser and Internet suite developed by Opera Software
with over 270 million users worldwide.
The browser handles common Internet-related tasks such as displaying
web sites, sending and receiving e-mail
Messages, managing contacts, chatting on IRC, downloading files via
BitTorrent, and reading web feeds. Opera is
Offered free of charge for personal computers and mobile phones.
#####################################################################################################################
Bug :
----
Heap corruption during the handling (browsing) of the gif files
context-dependent
Successful exploits can allow attackers to execute arbitrary code
----
######################################################################################################################
(f00.704): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000b0b ebx=0000000b ecx=0000100b edx=042bc048 esi=0417ffff edi=00141048
eip=67237c8b esp=0012e3d8 ebp=0000001e iopl=0         nv up ei ng nz na po cy
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010283
*** ERROR: Symbol file could not be found.  Defaulted to export
symbols for C:\Program Files\Opera\Opera.dll -
Opera!OpSetLaunchMan+0xb69f5:
67237c8b 880e            mov     byte ptr [esi],cl          ds:0023:0417ffff=??
0:000>!exploitable -v
eax=00000b0b ebx=0000000b ecx=0000100b edx=042bc048 esi=0417ffff edi=00141048
eip=67237c8b esp=0012e3d8 ebp=0000001e iopl=0         nv up ei ng nz na po cy
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010283
Opera!OpSetLaunchMan+0xb69f5:
67237c8b 880e            mov     byte ptr [esi],cl          ds:0023:0417ffff=??
HostMachine\HostUser
Executing Processor Architecture is x86
Debuggee is in User Mode
Debuggee is a live user mode debugging session on the local machine
Event Type: Exception
*** ERROR: Symbol file could not be found.  Defaulted to export
symbols for ntdll.dll -
*** ERROR: Symbol file could not be found.  Defaulted to export
symbols for C:\WINDOWS\system32\WINMM.dll -
Exception Faulting Address: 0x417ffff
First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Write Access Violation

Exception Hash (Major/Minor): 0x63712c74.0x0c14230f

Stack Trace:
Opera!OpSetLaunchMan+0xb69f5
Opera!OpSetLaunchMan+0xb66fc
Opera!OpSetLaunchMan+0xb644a
Opera!OpSetLaunchMan+0x38f4d
Opera!OpSetLaunchMan+0x1b7b3
Opera!OpSetLaunchMan+0x20a498
Opera!OpSetLaunchMan+0x1fb4e3
Opera!OpSetLaunchMan+0x1fb5d5
Opera!OpSetLaunchMan+0x16d0c1
ntdll!RtlRemoveVectoredExceptionHandler+0x2a2
ntdll!RtlAllocateHeap+0x117
Opera!OpSetLaunchMan+0x1503b9
ntdll!RtlRemoveVectoredExceptionHandler+0x823
ntdll!RtlFreeHeap+0x130
WINMM!timeGetTime+0x2c
Instruction Address: 0x0000000067237c8b

Description: User Mode Write AV
Short Description: WriteAV
Exploitability Classification: EXPLOITABLE
Recommended Bug Title: Exploitable - User Mode Write AV starting at
Opera!OpSetLaunchMan+0x00000000000b69f5 (Hash=0x63712c74.0x0c14230f)

User mode write access violations that are not near NULL are exploitable.
################################################################################
Proof of concept included.
http://www5.zippyshare.com/v/97852312/file.html

cheers
coolkaveh

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/