Monday, 10 October 2011

:::SPAS3C-SV-006:::OPERA BROWSER 10/11/12 (0-DAY) EXPLOIT

In this post I am releasing an issue that I discovered 362 days ago. It was reported to Opera through the SSD program (SecuriTeam Secure Disclosure), but they have decided not to fix it.

Thanks to sinn3r of metasploit.com for his heap spray method for the Opera browser (tested on v11.51 and v11.50), which uses VirtualAlloc. You can try it by setting the target to 1. I will keep both methods to get around heap spray holes: if you are trying the exploit with the default target and it lands on a hole, change to target 1 and try again.

The results below were taken with the default target.

By the way, Opera Next was updated two days ago (r1076 -> r1085). I have not had time to collect results for this release, but I can confirm that it is still vulnerable, and I have even seen remote code execution.


Testing Method:


In this case I was looking for success on the first attempt, so I needed a method that did not rely on the crash dialog, kept the default configuration and did not use the last-visited feature (this last one may be too paranoid):


0. Attacker: exploit ready.
1. Victim: start Opera.exe and open the exploit.
2. Victim: if successful -> close the shellcode -> turn off the computer.
3. Victim: if not successful -> "Do not restart" + "Do not send"/"Send" in the crash dialog -> turn off the computer.
4. Attacker: kill id_exploit and run the exploit again (new random URL).
5. Victim: start the computer.
6. Victim: go to step 1.


The results:

  • Opera 12 pre-alpha -> RCE on 6/10 attempts
  • Opera 11.51 -> RCE on 3/10 attempts
  • Opera 11.50 -> RCE on 3/10 attempts
  • Opera 11.11 -> RCE on 4/10 attempts
  • Opera 11.10 -> RCE on 4/10 attempts
  • Opera 11.01 -> RCE on 5/10 attempts
  • Opera 11.00 -> RCE on 4/10 attempts

The 0-day exploit is available here and here.


You can find more info:


Update (2011/10/17): I want to clarify that I do not have an exact date for when this was reported to Opera. As I explained in my report in Spanish, it was probably 10 months ago. By the way, note that they fixed the issue known as the "frameset exploit" in May. However, all the vulnerabilities were reported together.

Update (2011/10/19): Opera has patched the vulnerability in the newly released version 11.52.

Happy (0)day, folks!

10 comments:

Anonymous said...
This comment has been removed by a blog administrator.
José A. Vázquez said...

Yeah! Comments (with and without criticism) are welcome. However, without insults...

By the way, are you kidding? The police? hehe

It is just hilarious that you think I will go to jail xDD

Please, if you are an Opera fanboy, go back to the Opera team and ask them why they were waiting for 6 long months and then the issue was fixed in less than 8 days.

They claim a communication problem. Sure? Not on my part.

Whether I am a good researcher or not, responsible or not, it is not for me to say. But if you take a look at my posts (not this one), you will notice that I have never posted a 0-day exploit and have worked with most of the disclosure programs.

Finally, if you want to discredit me, at least use arguments... and do not come here insulting me and calling the police? I can't stop laughing xDD

Cheers.

MUF said...

How do you explain the fact that the exploit didn't work in the latest stable Opera version 6 months ago, and that you had to change it to get it working in 11.51?

That means that it's a new exploit. So your claim that they didn't fix it for 6 months seems to be a lie.

And if it isn't, why did you sit on it for 6 months instead of doing something immediately?

Your story does not match reality. Something is wrong here, and you have some explaining to do...

José A. Vázquez said...

@MUF, it's easy to explain and I've already done it several times:

Here: http://enred20.org/node/27 in Spanish.

However, some of my tweets explain it in English and I don't mind keeping you updated :-)

That's the awesome trick that I explained to them and they did not even try. Note that I was talking about the old exploit, and just by clicking the maximize button, the exploit worked on 11.51.

twitter.com/#!/0xde1/status/126696242838388736

And that's the so-awesome change that I made to improve the exploit and what you called a "new exploit":

twitter.com/#!/0xde1/status/126687659409149952

In fact, the old exploit was still working on 11.51, but it needed a new triggering method (iframe + meta refresh) to avoid user interaction (the Maximize button). It's exactly the same vulnerability and the same exploit with a change in the triggering method, you know, only to avoid user interaction and trigger it automatically.

By the way, I notified my intermediary (SSD) and of course they sent all the new info with PoCs, exploits, etc. to Opera, just when Opera was trying to close the issue in May 2011. But they did not want to listen.

I have since been waiting for 5 more months, talking with my intermediary to try to reopen the issue, without response.

Finally, here is another Opera vulnerability that I reported, and there were no problems:

http://www.opera.com/support/kb/view/992/

Wait! There was one: they didn't give me credit, but that's not a problem. It's just something odd to consider in my final conclusion.

I really have no reason to harm Opera, but they were completely wrong, and I was treated so badly because I was using a disclosure program (SSD). That's my opinion, and in fact that's how it looks.

Cheers.

MUF said...

Now, you have a history of lies, and Opera has a history of excellent handling of security issues.

So when you claim that you sent them the details and they said they didn't get any details to reproduce the issue, you have no credibility whatsoever.

And the fact that you had to change the exploit speaks for itself. You say "all I had to do was change this and this and this" and the fact is that you did admit (finally) that you had to change something to reproduce it, which means that it is in fact different from what you claim to have published 6 months ago.

This lie alone takes away all your credibility.

Fact: You had to change the exploit.

Fact: Opera never received details on how to reproduce the problem.

Fact: You accused Opera of deciding to not fix it, which is a blatant lie.

Fact: You have gone out of your way to lie about Opera.

MUF said...

Lie: "I was treated so bad because I was using a disclosure program (SSD)"

Fact: You were asked for further details, but Opera never received anything further that could help them reproduce it.

You blame Opera for not receiving information from you, but it is YOU who are responsible for sending the correct information.

You did not send them the information they needed, and then you lied and said they got the information, and we are supposed to believe that they suddenly decided not to fix it?

Why would they CONSCIOUSLY decide not to fix a vulnerability when they have ALWAYS taken these things very seriously?

You can't answer that question. The reason is that you did not send them the information they needed.

You chose to NOT ensure that they got the information, and LIE about it to cover your back!

José A. Vázquez said...

I'm so tired of hearing the same thing. Btw, today is Saturday night... do you really have nothing better to do than troll me?

FACT: I never sent anything because I was using a disclosure program and they had to send everything. I've already said this tons of times. I think you need to read about how a disclosure program (ZDI, iDefense, SSD, etc.) works.

LIE: Opera claims that I sent the info. That's the biggest lie, because it was SSD who sent the info.

FACT: I've found vulnerabilities in Mozilla Firefox, Internet Explorer, Google Chrome, Apple Safari, etc. and have never, ever published a 0-day. Except for Opera.

LIE: Opera is secure xD

FACT: When the SSD program gave me permission to publish... could I have chosen to send the info again to Opera directly, without using an intermediary? Yeah, of course. This really is my mistake. However, I thought I might have to wait another 10 months (6 according to them).

LIE: I have not made any mistake in this case.

That's the end of the story. If you want to know what Opera received, you will need to contact SSD for further details.

I can only vouch for what I sent to SSD.

"...Why would the CONSCIOUSLY decide not to fix a vulnerability when they have ALWAYS taken these things very seriously?..."

Yeah! So seriously that they decided not to publish a security advisory for the other vulnerability, a use-after-free that should never be considered not exploitable. Perhaps you would be interested in finding the other researcher, whom Opera uses to compare with me, and hearing his opinion. It's just funny and very interesting, because he is not as happy with the result of his research as Opera thinks.

Cheers and good luck browsing with Opera!

Pouya said...

Opera is tired!
See link:
http://pouya.securitylab.ir/posts/18/

Anonymous said...

"Opera is tired!
See link:
http://pouya.securitylab.ir/posts/18/"


Um, that's not a vulnerability.

It shows the URL right there in the address bar!

LOL.

José A. Vázquez said...

Yep, it's not. I didn't see any spoofing on v12.00a, just a redirect.

@Pouya, what were the versions that you tried?