Overview
Two vulnerabilities were found in the Opera web browser versions up to 7.22. They are related to skin files. The first one is a directory traversal problem which allows an attacker to upload a file to an arbitrary location on the victim system. The second is a buffer overflow in skin file handling. A new version, 7.23, was released to address the issues.
Details
Opera automatically downloads skin files which have the MIME type application/x-opera-skin. They are normally placed in %USERPROFILE%\Application Data\Opera\Opera7\profile\Skin.
On November 12th S.G. Masood reported that a file of any type can be dropped to Opera’s default folders. This was fixed in Opera 7.22. After the fix, only zip files are accepted. My further research revealed that a directory traversal attack allows skin files to be uploaded to arbitrary locations on the victim system.
When a skin file is downloaded, the resulting file name is determined by the Content-disposition HTTP header, or if it isn’t supplied, the URL. In the latter case the last element of the URL is the filename which Opera uses. An attacker may however use an URL ending with hex-encoded backslashes, ie. “..%5c..%5c..%5c” to get out of Opera’s folder hierarchy. For instance, a skin file fetched from an URL like
http://server/..%5c..%5c..%5c..%5c..%5c..%5c..%5..%5c..%5ccskin.zip
would be downloaded to C:\ under a typical Windows installation.
As the browser doesn’t accept just any file after the 7.22 update, exploiting the issue becomes slightly more difficult. The file format must pass some checks to assure Opera of it being a real zip file. The file extension can be chosen arbitrarily by the attacker.
One exploit scenario is to place a zip-like file in the victim user’s Startup folder. The file extension determines how it will be opened by Windows. E.g. if the file name ends with “.bat”, it will be opened as a batch file. It’s relatively easy to create a file which passes the check as zip file but also works when opened as a batch file. Due to the zip file signature and other binary data it will produce some error messages but nevertheless command lines contained in the file will be executed. In this way an attacker can get access to the system with the privileges of the current user.
Locating the Startup folder isn’t a problem because Opera’s skin folder is below the %USREPROFILE% folder, and pointing to the startup folder with a relative path is easy.
The zip processing code also contains a buffer overflow which I found while testing the abovementioned vulnerability. If a valid zip file contains extra data after the zip data, a buffer overflow occurs. An attacker may control contents of some registers including EIP, so this buffer overflow seems exploitable, although I didn’t produce an exploit.
In order to be exploited, these vulnerabilities require the victim to visit a web page created by a malicious user. An iframe tag may be used to automatically open a skin file.
The directory traversal problem doesn’t exist on Linux because “\” isn’t a directory separator. Other versions weren’t tested. The buffer overflow can be produced on Linux, too.
According to Operash who seems to have found this independantly, some other MIME types can be also used, which of some don’t have the zip file format requirement.
Vendor status
The vendor was notified on November 12, 2003 and a new version of Opera was released on November 21st. It can be downloaded at
ftp://ftp.opera.com/pub/opera/
Opera home page: www.opera.com.
Credits
The vulnerabilities were discovered by Jouko Pynnönen, Finland.