Opera-related security news. 【Vulnerabilities related to the Internal URI Protocol. Ver 7.22, which contains the fix, is out. I have already upgraded.】
http://www.asyura2.com/0311/it04/msg/322.html
Posted by クエスチョン on 14 November 2003 23:54:53:WmYnAkBebEg4M

2003-11-14 10:49:46



> Opera items
>http://www.st.ryukoku.ac.jp/~kjm/security/memo/2003/11.html#20031113__Opera
>
>Opera Directory Traversal in Internal URI Protocol (Advisory). It appears that using an opera:/ URL makes it possible to reach any file at a known path name on localhost. Fixed in Opera 7.22.
>
>Opera Skinned : Arbitrary File Dropping And Execution (Advisory). When a file is downloaded using an Opera-specific MIME type that Opera supports (e.g. application/x-opera-skin), the file is placed at a known path. Combine this with Opera Directory Traversal in Internal URI Protocol (Advisory), and ……. Fixed in Opera 7.22.
>
>Opera Skinned & Opera Directory Traversal (Additional Details & a Simple Exploit). Sample code.


Download URL on the Opera Japanese site
http://jp.opera.com/download/


 Note that although the page says "OPERA 7.21 Japanese version now available for download",
the page reached by pressing the download button
shows "OPERA 7.22 for Windows Japanese version".

 Also, although it says "with Java option, 12.6 MB", the actual
file size was "15.7 MB (16,500,749 bytes)". (^^;


The following is the mailing-list text describing the vulnerability.


Opera Directory Traversal in Internal URI Protocol (Advisory)


Opera Web Browser Directory Traversal in Internal URI Protocol
==============================================================


I ABSTRACT:


Opera Web Browser defines an internal URI Protocol like command called
"opera:". Among other things, it is used to display documentation and help
files for the browser. It has an input validation flaw that enables directory
traversal.

This flaw is an aggravating factor when combined with other vulns. In this
case, it can be combined with the "Opera Skinned" vulnerability that has been
described in the attached file.

II VERSIONS AFFECTED:

All versions up to and including 7.21 that support the flawed command are
vulnerable. Version 7.22 contains the fix.

III TECHNICAL DETAILS:


NOTE: It is assumed that Opera is installed in the default location i.e.,
"c:\program files\opera7" for the purpose of this description. However, a
default install is *not* necessary for exploitation.

"Opera:" is an internal URI protocol-like command used by Opera. "Internal"
because it is not registered as a URI protocol in the Windows Registry. One of
its uses is to display documentation. For instance, to see help, "opera:/help/"
is used. This points to the "C:\Program Files\Opera7\help" directory on the
file system. The html files in this folder can be accessed through this
relative URL, like, "opera:/help/foo.html". When a local path is requested
through "opera:" in the form of a legal "opera:/help/" URL, it uses the service
of the "file://" protocol. For instance, "opera:/help/" redirects the browser
to "file://localhost/C:/Program Files/Opera7/Help/index.html".

"opera:history", "opera:plugins", "opera:cache" and "opera:drives" are other
known uses for this command. Their function is self-explanatory. "about:" is an
alias for "opera:". For instance, "about:history" translates to "opera:history".

The problem here is that, though using "../" for directory traversal in the
opera: command is not allowed and Opera responds with an "illegal address"
prompt, this can easily be bypassed using "..%5c" or "..%2f" to break out of
the /help/ directory.

For instance, using "opera:/help/..%5c..%5c..%5cwinnt/notepad.exe" downloads
"notepad.exe" from the "winnt" folder.

IV EXPLOITATION SCENARIOS & EXPLOIT:


Exploits that depend on knowing the installation path of Opera are helped by
this vulnerability. The command "opera:/help/" always points to the "directory>/help/" directory. This can be used as a reference point for exploits
because of the directory traversal. For instance, "opera:/help/..%5c" points to
the Opera Directory.

The exploit attached with the advisories uses this vulnerability for getting
the correct path of the "/profile/" folder for exploitation.

V VENDOR RESPONSE & SOLUTION:

The vendor, Opera Software, deserves special mention here. I had previously
read about Opera Soft's promptness in resolving security vulnerabilities in
their products. My experience with them is one of the best I ever had with any
vendor. I hope they continue to maintain their good record even with future
security issues.

An updated version with a fix (7.22) is available from the site -
http://www.opera.com/download/

VI. CREDIT:


S.G.Masood (sgmasood@yahoo.com)

Hyderabad,
India.

VII. DISCLAIMER:

This advisory is meant only for the dissemination of information, alerting the
general public about a security issue. Use this information at your own
discretion.

In brief, the author is not responsible for any use, misuse, abuse of this
information. Also, this information is provided "as is" without any warranty of
any kind.

*PHEW*
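
Added example (not part of the original post or the advisory, and not Opera's code): a Python model of the check order the advisory describes, where "../" is rejected before percent-decoding, next to a resolver that decodes first and then verifies the result is still under the help directory. The function names and the use of the advisory's default install path as HELP_ROOT are assumptions for illustration.

```python
import ntpath
from urllib.parse import unquote

# Assumption: the default install path named in the advisory.
HELP_ROOT = r"C:\Program Files\Opera7\help"


def resolve_naive(url_path: str) -> str:
    """Model of the flawed order: filter the raw string, decode afterwards."""
    if "../" in url_path:
        raise ValueError("illegal address")
    decoded = unquote(url_path)  # "..%5c" turns into "..\" after the filter ran
    return ntpath.normpath(ntpath.join(HELP_ROOT, decoded))


def resolve_checked(url_path: str) -> str:
    """Decode once, normalise, then require the result to stay under HELP_ROOT."""
    decoded = unquote(url_path)
    candidate = ntpath.normpath(ntpath.join(HELP_ROOT, decoded))
    root = ntpath.normcase(ntpath.normpath(HELP_ROOT))
    cand = ntpath.normcase(candidate)
    # Compare on the canonical form, so "/" vs "\" and letter case cannot
    # be used to slip past the prefix test.
    if cand != root and not cand.startswith(root + "\\"):
        raise ValueError("illegal address")
    return candidate


def is_contained(url_path: str) -> bool:
    """True when the decoded, normalised path stays inside HELP_ROOT."""
    try:
        resolve_checked(url_path)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Inputs: one legitimate help page plus the two encodings from the advisory.
    for p in ("foo.html", "..%5c..%5c..%5cwinnt/notepad.exe", "..%2f"):
        print(f"{p!r}: naive -> {resolve_naive(p)!r}, contained = {is_contained(p)}")
```

The containment test runs on the final normalised path rather than on the request string, so it does not depend on enumerating every encoding of the separator.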
