Opera for Windows is a GUI-based web browser. While Opera displays the Download dialog, it creates a temporary file. The file name is not sanitized thoroughly, which allows an existing file to be overwritten and then deleted.
Credit:
The original advisory can be found at: http://opera.rainyblue.org/modules/cjaycontent/index.php?id=16.
The information has been provided by imagine and nesumin.
Vulnerable systems:
* Opera version 7.22 build 3221 (JP:build 3222)
* Opera version 7.21 build 3218 (JP:build 3219)
* Opera version 7.20 build 3144 (JP:build 3145)
* Opera version 7.1x
* Opera version 7.0x
Immune systems:
* Opera version 7.23 build 3227 (JP:build 3226)
Technical details:
While Opera displays the Download dialog, it creates a temporary file whose name is derived from the name of the file being downloaded. This temporary file is used to look up an associated application.
ex.
Download URL:
"http://server/path/FILENAME.ext"
Temporary Filename:
"c:\windows\temp\FILXXX.tmp.FILENAME.ext"
(XXX is random string, like "01A")
However, this temporary file name is not sanitized thoroughly, making it possible to insert illegal characters (for example: '..%5C'). A file name containing such characters can point to any path on the same drive as the temporary directory. If a file already exists at that path, it is overwritten and then deleted soon afterwards.
ex.
Download URL:
"http://server/path/AAAAAAAAAA%5C..%5C..%5Ccalc.exe"
Temporary Filename:
"c:\windows\temp\AAAXXX.tmp.AAAAAAAAAA\..\..\calc.exe"
which resolves to "c:\windows\calc.exe"
Therefore, if a user goes to a malicious site that makes Opera display the Download dialog, his files could be deleted using this vulnerability.
The conditions that allow deleting of files:
1. File's path can be specified with a relative path from the Opera's temporary directory
2. File name must contain '.'
3. The file must be writable within Opera process's privileges
4. No "Read Only" attribute under Windows 9x; no "Read Only", "System" or "Hidden" attributes under Windows NT/2000
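To make the naming flaw concrete, the following is an added Python sketch, not Opera's code: it builds the temporary name the unsanitized way described above, shows where Windows path normalization sends it, and then builds it with the basename-only sanitization and containment check a hardened implementation would use. TEMP_DIR, the three-letter prefix and the random string are assumptions modelled on the advisory's examples.

```python
import ntpath
import re
from urllib.parse import unquote

# Assumed to match the advisory's examples; the real directory varies per system.
TEMP_DIR = r"c:\windows\temp"


def unsafe_temp_name(url_filename: str, rand: str = "01A") -> str:
    """Mimic the advisory's scheme: decode the URL file name and paste it
    straight into the temp directory with no sanitization (the flaw)."""
    decoded = unquote(url_filename)
    prefix = decoded[:3]
    return ntpath.join(TEMP_DIR, f"{prefix}{rand}.tmp.{decoded}")


def resolve(path: str) -> str:
    """Collapse '.' and '..' segments the way the Windows file system will."""
    return ntpath.normpath(path).lower()


def safe_temp_name(url_filename: str, rand: str = "01A") -> str:
    """Hardened variant: keep only the last path component, strip characters
    Windows forbids in file names, and verify the result stays in TEMP_DIR."""
    decoded = unquote(url_filename)
    # Both '/' and '\' act as separators on Windows, so split on either.
    base = re.split(r"[\\/]", decoded)[-1]
    base = re.sub(r'[<>:"|?*\x00-\x1f]', "_", base)
    base = base.replace("..", "_")
    if base.strip(". ") == "":
        base = "download"
    prefix = re.sub(r"[^A-Za-z0-9]", "_", base[:3]).ljust(3, "_")
    candidate = ntpath.join(TEMP_DIR, f"{prefix}{rand}.tmp.{base}")
    # Defence in depth: the normalized path must still be inside TEMP_DIR.
    if not resolve(candidate).startswith(resolve(TEMP_DIR) + "\\"):
        raise ValueError("temporary path escapes the temp directory")
    return candidate


if __name__ == "__main__":
    # The advisory's traversal example, constructed here for illustration.
    name = "AAAAAAAAAA%5C..%5C..%5Ccalc.exe"
    print(unsafe_temp_name(name), "->", resolve(unsafe_temp_name(name)))
    print(safe_temp_name(name))
```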
Vendor status:
* 2003-10-09 Discovered this vulnerability
* 2003-11-26 Reported to vendor
* 2003-12-12 Published this advisory
Solution:
Upgrade to version 7.23 or later version.