GreyMagic Security Advisory GM#003-OP

By GreyMagic Software, Israel.
04 Feb 2003.

Topic: Phantom of the Opera.

Discovery date: 29 Jan 2003.

Affected applications:

Opera 7 (final).

Introduction:

Opera recently released a new version of its browser.

Version 7 brings many long-awaited features such as proper DOM support and an improved rendering engine. Among the useful new features Opera added a shiny new Javascript console. The console is mainly used by developers in order to efficiently track down exceptions in running scripts.

Discussion:

Opera's Javascript console is using three html files residing in Opera's installation directory. The most important of them is "console.html", which contains all the logic behind the console.

The console lists unhandled exceptions that are thrown during a window's session. Javascript can throw custom exceptions using the "throw" statement and Opera also adds its own way to create debug messages in the console via the "opera.postError" method.

In order to display clickable URLs properly, Opera does some formatting on the thrown exception message to turn them into links:

newmsg = msg.replace( /</g, "<" ).
            replace( />/g, ">" ).
            replace( /https?:\/\/\S+/g, create_link ).
            replace( /file:\/\/(?:\S|(?:[ ](?=[^\n\r]*\.)))+/g, create_link );

The first two lines are supposed to handle the safety of this string, so it wouldn't contain HTML. The last two lines are meant to transform strings that appear like URLs into actual links. Unfortunately, each of these last two lines contains an obvious security vulnerability, allowing for an attacker to inject attributes to the link. By doing so, an attacker can gain access to the file:// protocol, which includes the following implications:

Read any file on the user's file system.
Read the contents of directories on the user's file system.
Read emails written or received by M2, Opera's mail program.

The first vulnerable regular expression is /https?:\/\/\S+/g, it's trying to match anything starting with "http://" or "https://" and keeps consuming characters as long as they aren't whitespace. This regular expression does not check for the existence of quotes, which are the delimiters of the "href" attribute in the resulting link, and therefore opens up a way to add additional attributes (spaces between attributes are not mandatory).

The second vulnerable regular expression is /file:\/\/(?:\S|(?:[ ](?=[^\n\r]*\.)))+/g, it's trying to match anything starting with "file://" followed by a non-whitespace character or a regular space, as long as a dot appears and no line breaks appear after it. The same mistake is made again; quotes can be used to add additional attributes to the link.

The ability to add any attributes to a link may seem like a harmless vulnerability, but with a little manipulation it can lead to execution of arbitrary script code. For example, the "style" attribute in most elements may contain properties such as "background-image", which normally point to a URL. That URL can be "javascript:[code]", which will be executed in the context of the console (file:// protocol).

Exploit:

A simple exploit of the first regular expression:

open("file://localhost/console.html","","");
opera.postError("http://\"style=\"background-image:url('javascript:alert(location.href)')\"");

A simple exploit of the second regular expression:

open("file://localhost/console.html","","");
opera.postError("file://\" style=\"background-image:url('javascript:alert(location.href)')\".");

Demonstration:

We put together two proof-of-concept demonstrations:

Simple: Demonstrates how the poisonous debug message is being inserted.
GreyMagic Opera Disk Explorer: Browse your entire file system using this explorer-like tool, which takes advantage of this vulnerability in order to access local resources.

Solution:

Fortunately, this vulnerability can be solved manually:

Edit the file "console.html", which resides in Opera's installation directory.
Line 52 should read: m.replace( /\\/g, "\\\\" ) +
Replace it with: m.replace( /\\/g, "\\\\" ).replace(/"/g,""") +

Tested on:

Opera 7 NT4.
Opera 7 Win98.
Opera 7 Win2000.
Opera 7 WinXP.

Disclaimer:

The information in this security advisory and any of its demonstrations is provided "as is" without warranty of any kind.

Vulnerability details are provided strictly for educational and defensive purposes.

GreyMagic Software is not liable for any direct or indirect damages caused as a result of using the information or demonstrations provided in any part of this advisory.

Stay informed:

Subscribe to GreyMagic's early notification email service and be informed of new vulnerabilities and updates as soon as they appear on the site.

Press here to subscribe.

Your privacy is important to us, read our Privacy Statement.