[CVE-2011-0682] Opera 11 Integer Truncation Vulnerability [Fixed in Opera 11.01]
By Jordi_Chancel on Friday, January 7 2011, 06:59

http://www.vupen.com/english/advisories/2011/0231
http://www.vupen.com/english/advisories/2011/0189
http://www.opera.com/support/kb/view/982/
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0682
Best wishes to all!

A vulnerability has been identified in Opera, which could be exploited by remote attackers to take complete control of a vulnerable system. This issue is caused by an integer truncation error within the Opera Internet Browser module "opera.dll" when handling an HTML "select" element containing an overly large number of children, which could allow remote attackers to execute arbitrary code by convincing a user to visit a specially crafted web page.
Jordi Chancel reported this vulnerability.
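The advisory names the bug class (an integer truncation on a child count) without showing the pattern. The following is an added illustration written for this post, not Opera's code and not a model of opera.dll's data structures: it assumes a hypothetical option list whose child count is kept in a 16-bit field, shows how storing a larger count silently truncates it so that the derived buffer capacity no longer covers the real number of children, and contrasts it with a checked build that rejects counts that do not fit.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical representation of a <select> element's option list.
 * This is an illustrative model for the post, not Opera's actual structure. */
typedef struct {
    uint16_t count;     /* narrow field: can hold at most 65535 children */
    size_t   capacity;  /* number of entries the buffer was sized for */
} option_list_t;

/* Vulnerable pattern: the real child count (size_t) is stored into a 16-bit
 * field, and the buffer capacity is derived from the truncated value. */
static option_list_t build_list_truncated(size_t n_children) {
    option_list_t l;
    l.count = (uint16_t)n_children;  /* silently discards the high bits */
    l.capacity = l.count;            /* capacity now lags behind the real count */
    return l;
}

/* True when the capacity no longer covers the real number of children,
 * i.e. a later loop over all children would step past the buffer. */
static bool capacity_mismatch(option_list_t l, size_t n_children) {
    return l.capacity < n_children;
}

/* Hardened pattern: refuse to store a count that does not fit the field
 * instead of letting the conversion truncate it. */
static bool build_list_checked(size_t n_children, option_list_t *out) {
    if (n_children > UINT16_MAX) {
        return false;                /* reject the oversized element */
    }
    out->count = (uint16_t)n_children;
    out->capacity = n_children;
    return true;
}

int main(void) {
    /* constructed value: more children than a 16-bit count can represent */
    size_t big = 70000;
    option_list_t t = build_list_truncated(big);
    printf("truncated count=%u capacity=%zu real=%zu mismatch=%d\n",
           (unsigned)t.count, t.capacity, big, (int)capacity_mismatch(t, big));
    option_list_t c;
    printf("checked build accepted=%d\n", (int)build_list_checked(big, &c));
    return 0;
}
```

With 70000 children the truncated count becomes 4464 (70000 mod 65536), so the buffer is sized for far fewer entries than will later be walked; the checked variant simply refuses the element. The general defensive rule is that any narrowing conversion of an attacker-influenced count must be bounds-checked before the value is used for sizing.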
To start the year off well, here is a new post covering a vulnerability in OPERA 11 discovered during a crash-testing session.
Memory buffer corruption vulnerabilities can lead to the most critical kind of exploitation possible.
However, some of these crashes sometimes require an enormous amount of work before arbitrary code execution can be achieved.
This new bug does indeed show clear signs of exploitability, even though exploiting it could be fairly complicated to carry out.
We can note that most critical crashes are generally based on JavaScript code; that said, other forms of exploitation without JavaScript are also conceivable.
Indeed, exploiting this vulnerability could potentially do without JavaScript code (just like [CVE-XXXX-XXXX] Mozilla Firefox 3.6.13 Memory Corruption), since the targeted element that triggers the crash is a plain HTML tag.
It should also be noted that this crash is only possible through minimal user interaction (such as clicking on the targeted element).
To get to more precise information, I can already tell you that the crash is of type EXCEPTION_ACCESS_VIOLATION_READ (Windows) / SIGSEGV (Mac) and that the violation address is sometimes random (which can greatly complicate exploitation).

To conclude, even though any possible exploitation would be complicated, this new vulnerability is not to be taken lightly, for the simple reason that other, more difficult exploitations have already been carried out in the past.
After sharing my PoC with VUPEN, a private exploit was developed. Severity updated to Highly Critical.
Crash video:
PoC: http://www.alternativ-testing.fr/Research/Opera/crash/54gf47g8fdb2ntestcrash3.html
Author: Jordi Chancel
Comments
VUPEN successfully exploited this vulnerability.
Severity updated to Critical.
brother, you impress me as always :d and you make me want to write "back to bug analysis"
good luck with your next findings, regards
Basic PoC published.
brother, you impress me as always!