#1 |
Moderator
Joined: Jun 2007
City: 127.0.0.1
Posts: 25885

[NEWS] - Opera Web Browser Bitmap File RLE Remote Denial Of Service Vulnerability
The popular Opera web browser is prone to a denial-of-service vulnerability. Successfully exploiting this vulnerability would allow an attacker to make the application unresponsive, denying further service to the legitimate user.

Bugtraq ID: 26721
Class: Failure to Handle Exceptional Conditions
CVE:
Remote: Yes
Local: No
Published: Dec 05 2007 12:00AM
Updated: Dec 06 2007 04:42AM
Credit: Gynvael Coldwind of Vexillium and Simey is credited with the discovery of this vulnerability.
Vulnerable: Opera Software Opera Web Browser 9.50 beta
Opera Software Opera Web Browser 9.24
Solution: no patches are currently available
Source: SecurityFocus
Link to the news item in English: http://www.securityfocus.com/bid/26721/info
__________________
Try again and you will be luckier.
#2 |
Senior Member
Joined: Mar 2006
Posts: 22114

thanks for the info
__________________
This work is distributed under the terms of the Creative Commons license unless otherwise indicated. Anyone wishing to quote the content of this post must include the original link.
#3 |
Senior Member
Joined: Aug 2006
Posts: 4350

Wow.
Even 9.50!! It will be patched very soon, I hope!! I'd be curious to know what risk rating Secunia gives it. We just have to wait and see.
#4 |
Senior Member
Joined: Nov 2001
City: Fidenza (PR), from Trento
Posts: 27479

test link:
http://gynvael.vexillium.org/opera_dos/ it doesn't damage anything

Code:

Opera is vulnerable to a remote DoS attack, using specially crafted BMP files, that causes the browser to freeze for a short amount of time (around 4 minutes on a fast computer). An attacker could create a web page that contains multiple BMP files displayed by an <img> tag. This would freeze the browser for N*4 minutes, where N is the number of images (so with 100 images, the browser freezes for almost 7 hours). When frozen, the browser consumes 100% CPU power.

* Verbose description

BMP file format allows Run Length Encoding in case of 4 and 8 bit bitmaps. The RLE used in BMP format has additional features like skipping the decompression write pointer to end of the line (bytes 00 00), skipping to the end of bitmap (00 01), and moving the write pointer to another line and column (00 02 XX YY).

Opera has an ultra slow implementation of the 00 02 XX YY feature. Normally a decompression algorithm adds XX and YY * width to the write pointer, but Opera has implemented a much slower way, with additional checks etc. The implementation performs XX + YY * width incrementations (each with its own checks and other calculations).

An attacker could use this fact to create a BMP file with maximum possible width (in Opera this would be around 32000 pixels), and the file's data should be filled with 00 02 FF FF opcodes (see DoS_PoC/DoS_BMP_Generator/test10.cpp for a sample generator).

One malformed bitmap freezes the browser for some time. The time depends on CPU speed. Simple benchmark tests have been performed:

| CPU type/speed | Time |
|---|---|
| Intel Core 2 Quad 2.4 GHz | over 4 minutes |
| Intel Celeron M 1.6 GHz | over 20 minutes |

Through this time the browser is frozen, does not react to user commands, and does not redraw its content.

Additionally, the attacker could create a web page that contains multiple images (<img> tag) to freeze the browser for N*OneFreezeTime (where N is the number of images). See DoS_PoC/RunMe.html for a simple example (10 bitmaps used).

Please note that due to Opera's bitmap caching, each bitmap should be named differently (for example test1.bmp, test2.bmp, and so on).

* Proof of Concept

(This DoS'es the Opera, no warning is provided ;>) http://gynvael.vexillium.org/opera_dos/
__________________
"Seen up close, we are all strange..." ~|~ What Defines a Community? ~|~ Official eMule Thread ~|~ Online Armor in Italian ~|~ Section Rules ~|► PrivateFirewall Guide
Last edited by xcdegasp: 10-12-2007 at 19:31.
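
The advisory quoted above attributes the freeze to the write pointer being stepped XX + YY * width times for each 00 02 XX YY opcode. As an added example (not code from the advisory, its PoC, or Opera), the RLE8 decoder below handles a delta with one bounds check and two additions, so decoding time stays linear in the input size; the name `rle8_decode` and the policy of rejecting any out-of-bitmap target are assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Decode BMP RLE8 data into a width*height buffer (rows in file order).
 * Returns 0 on success, -1 on truncated input or a move/write outside it. */
int rle8_decode(const uint8_t *in, size_t in_len,
                uint8_t *out, uint32_t width, uint32_t height)
{
    size_t i = 0;
    uint32_t x = 0, y = 0;                    /* invariant: x <= width */

    while (in_len - i >= 2) {
        uint8_t a = in[i], b = in[i + 1];
        i += 2;
        if (a > 0) {                          /* run: a copies of b */
            if (y >= height || a > width - x) return -1;
            memset(out + (size_t)y * width + x, b, a);
            x += a;
        } else if (b == 0) {                  /* 00 00: end of line */
            x = 0; y++;
        } else if (b == 1) {                  /* 00 01: end of bitmap */
            return 0;
        } else if (b == 2) {                  /* 00 02 XX YY: delta */
            if (in_len - i < 2) return -1;
            uint32_t dx = in[i], dy = in[i + 1];
            i += 2;
            /* Reject a target outside the bitmap instead of stepping to it. */
            if (y >= height || dy >= height - y || dx > width - x) return -1;
            x += dx; y += dy;                 /* constant time for any XX, YY */
        } else {                              /* absolute: b literal bytes */
            size_t padded = (size_t)b + (b & 1);   /* 16-bit aligned */
            if (in_len - i < padded) return -1;
            if (y >= height || b > width - x) return -1;
            memcpy(out + (size_t)y * width + x, in + i, b);
            x += b; i += padded;
        }
    }
    return -1;                                /* no end-of-bitmap marker */
}

int main(void)
{
    static const uint8_t deltas[] = {0, 2, 0xFF, 0xFF, 0, 2, 0xFF, 0xFF}; /* constructed */
    static uint8_t pixels[32000 * 4];
    printf("%d\n", rle8_decode(deltas, sizeof deltas, pixels, 32000, 4));
    return 0;
}
```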
#5 |
Senior Member
Joined: Jan 2003
Posts: 1366
All times are GMT +1. The time now is 22:09.