The Opera browser does not handle long filename extensions correctly. This allows a malicious person to cause a DoS or execute arbitrary code with the privileges of the user running Opera. Two different attack scenarios are described below.
Credit:
The information has been provided by Jakob Balle, Secunia Research.
Vulnerable systems:
Windows:
* Opera browser 7.10 build 2840
* Opera browser 7.03 build 2670
Linux:
* Opera browser 7.1.0 Beta 1 build 388
Immune systems:
* Opera browser 7.11
Scenario 1:
Make the Opera browser generate the filename extension from an unknown MIME type. If Opera does not recognize the MIME type, it uses the MIME subtype as the filename extension. With a sufficiently long subtype this causes a stack overflow inside the 'Download Dialog'.
Example:
A) Set the following headers:
Content-Type: application/AAAAA...[270]...AAAAA
Content-Disposition: attachment; filename=test
This will cause Opera to display the following 'Download Dialog':
File: test.AAAAA...[270]...AAAAA
Type: application/AAAAA...[270]...AAAAA
Opens with: test.AAAAA...[270]...AAAAA
B) If the user clicks 'Save' in the 'Download Dialog', a buffer overflow occurs on the stack and the EIP and EBP registers are overwritten.
However, since the registers are overwritten with the Unicode value of 'AA' (00410041), exploitation will be difficult.
Scenario 2:
Make the Opera browser download a file with a long filename extension. This can be exploited to cause a DoS on the Opera browser. It was not possible to determine whether this can be used to execute arbitrary code.
Example: Set the following headers:
Content-Type: application/pdf
Content-Disposition: attachment; filename=.AAAAA...[270]...AAAAA
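The following Python example is added here and is not part of the Secunia advisory or of Opera's code. It reproduces the filename-derivation rule described in both scenarios (Content-Disposition filename, with the MIME subtype appended as the extension when the type is unknown), flags response headers that would yield an oversized extension, and shows a bounded derivation that a download handler or filtering proxy could use instead. KNOWN_TYPES, MAX_EXT and the sample headers are constructed assumptions; the real size of Opera's buffer is not given on the page.

```python
import re

# Constructed sample responses (not captured traffic): the first two mirror the
# advisory's Scenario 1 and Scenario 2, the third is a benign PDF download.
SAMPLE_RESPONSES = [
    {"Content-Type": "application/" + "A" * 270,
     "Content-Disposition": "attachment; filename=test"},
    {"Content-Type": "application/pdf",
     "Content-Disposition": "attachment; filename=." + "A" * 270},
    {"Content-Type": "application/pdf",
     "Content-Disposition": "attachment; filename=report.pdf"},
]

# Hypothetical table of MIME types the client recognises; anything else falls
# back to "subtype as extension", the Opera 7.10/7.03 behaviour described above.
KNOWN_TYPES = {"application/pdf", "text/plain", "text/html"}
MAX_EXT = 16  # assumed policy limit; the real Opera buffer size is not published

def filename_from_headers(headers):
    """Derive the download name the way the advisory describes: the
    Content-Disposition filename, plus the MIME subtype when the type is unknown."""
    ctype = headers.get("Content-Type", "").split(";")[0].strip()
    m = re.search(r'filename="?([^";]+)"?', headers.get("Content-Disposition", ""))
    name = m.group(1).strip() if m else "download"
    if ctype.lower() in KNOWN_TYPES:
        return name
    subtype = ctype.partition("/")[2]
    return f"{name}.{subtype}" if subtype else name

def extension_of(filename):
    return filename.rpartition(".")[2] if "." in filename else ""

def check_response(headers):
    """Detection: return findings for header sets that would yield an oversized
    extension; an empty list means the response looks acceptable."""
    findings = []
    subtype = headers.get("Content-Type", "").split(";")[0].partition("/")[2]
    if len(subtype) > MAX_EXT:
        findings.append(f"Content-Type subtype is {len(subtype)} chars")
    ext = extension_of(filename_from_headers(headers))
    if len(ext) > MAX_EXT:
        findings.append(f"derived extension is {len(ext)} chars")
    return findings

def safe_filename(headers):
    """Mitigation: bound the extension to MAX_EXT and restrict it to [A-Za-z0-9],
    so an unknown subtype can never become an arbitrarily long extension."""
    name = filename_from_headers(headers)
    base, ext = (name.rpartition(".")[0], extension_of(name)) if "." in name else (name, "")
    ext = re.sub(r"[^A-Za-z0-9]", "", ext)[:MAX_EXT]
    base = re.sub(r"[^A-Za-z0-9_-]", "_", base) or "download"
    return f"{base}.{ext}" if ext else base

if __name__ == "__main__":
    for h in SAMPLE_RESPONSES:
        print(check_response(h) or "ok", "->", safe_filename(h))
```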
Solution:
These vulnerabilities should be corrected in the latest version, 7.11.