lunes, 10 de octubre de 2011

:::SPAS3C-SV-006:::OPERA BROWSER 10/11/12 (0-DAY) EXPLOIT

In this post, I do the release of an issue that I discovered 362 days ago and it was reported to Opera using the SSD program (SecuriTeam Secure Disclosure), but they have decided not to fix it.

Thanks to sinn3r of metasploit.com for his heap spray method for Opera Browser (tested on v11.51 and v11.50) that uses VirtualAlloc. You can try it, setting the target to 1. I will keep both methods to avoid heap spray holes, I mean, if you are trying the exploit with default target and it lands on a hole, change to target 1 and try it again.

But, next results were taken with default target.

By the way, Opera Next was updated two days ago (r1076 -> r1085). I have not had time to get results of this release, but I confirm that it's still vulnerable and even I've seen remote code execution.


Testing Method:


In this case, I was looking for success at first attempt, so I needed to find a method that did not use the crash-dialog, kept (by default) the config and did not use the last-visited feature (The next one maybe too paranoic):


0. In attacker: exploit ready.
1. In victim: Start Opera.exe and launch the exploit.
2. In victim: If success -> Close shellcode -> Turn off the computer.
3. In victim: If not success -> Do not restart + Do not send/Send -> Turn off the computer
4. In attacker: kill id_exploit and exploit (new random url)
5. In victim: Start the computer.
6. In victim: Go to step 1.


The results:

  • Opera 12 pre-alpha -> RCE on 6/10 attempts
  • Opera 11.51 -> RCE on 3/10 attempts
  • Opera 11.50 -> RCE on 3/10 attempts
  • Opera 11.11 -> RCE on 4/10 attempts
  • Opera 11.10 -> RCE on 4/10 attempts
  • Opera 11.01 -> RCE on 5/10 attempts
  • Opera 11.00 -> RCE on 4/10 attempts

The exploit 0day here and here.


You can find more info:


Update (2011/10/17): I want to explain that I do not have an exact date when Opera was reported. As I've explained in my report in spanish, probably it was 10 months ago. By the way, note that they fixed the known as "frameset exploit" in May. However, all the vulnerabilities were reported together.

Update (2011/10/19): Opera has patched the vulnerability with the new version released: 11.52.

Happy (0)day, folks!

miércoles, 5 de octubre de 2011

:::SPAS3C-SV-004:::FINAL DISCLOSURE AND RELIABILITY TESTS (SSD-1010101 / PART-II)

I have taken a while and been trying to improve this one, unsuccess. But, I would like to thank to sinn3r and the rest of metasploit members who have tried to get a more reliable exploit. The poc is unstable and the crash is variable. Also I could not lead to more stable/reliable crashes. Anyway, I cannot discard the possibility of DEP bypass. Under some versions, it could be possible (controllable EAX to pivot) but unreliable/unstable. Give me a feedback if you get a poc that improves these issues :)

So far, the final result is not as nice as I wanted. Since I could not publish my ms10-090 exploit, you know, someone discovered before I could publish :) I am glad to get released this one and probably it does not come alone.

Here goes the reliability tests (click to see correctly):

Fig. 1: Reliability table.

It is important to notice that most of versions will not work at first attempt. Although it is possible and I have seen it: The crash-dialog helps here and the table above is based on it.

Crash-dialog options:

  1. Restart-speech-dial -> close opera.exe -> open opera.exe -> go to url of exploit.
  2. Restart and reopen all tabs.
  3. Do not restart -> open opera.exe.

Tests features:

  • Master Box: Windows 7 Ultimate with SP1 (English) (fully updated)
  • VM engine: Virtual Box
  • Virtual boxes: Windows XP Professional with SP3 (English) (fully updated) x 15
  • Opera: Clean installations with configuration by default
  • Browser cache: It's not cleaned
  • Number of attempts: 100
  • Number of OS restarts: 5
  • Number of url-exploit changes: 10

Notes:

  • I have noticed that the reliability changes when the box is restart. So it is very possible that you will get another results.
  • This exploit was coded when the stable release was v10.61 At that time, my best results was got with v10.62 and v10.61 (not clean installation: v10.6-> v10.61)

Finally, the msf module here and here