In this post, I do the release of an issue that I discovered 362 days ago and it was reported to Opera using the SSD program (SecuriTeam Secure Disclosure), but they have decided not to fix it.
Thanks to sinn3r of metasploit.com for his heap spray method for Opera Browser (tested on v11.51 and v11.50) that uses VirtualAlloc. You can try it, setting the target to 1. I will keep both methods to avoid heap spray holes, I mean, if you are trying the exploit with default target and it lands on a hole, change to target 1 and try it again.
But, next results were taken with default target.
By the way, Opera Next was updated two days ago (r1076 -> r1085). I have not had time to get results of this release, but I confirm that it's still vulnerable and even I've seen remote code execution.
In this case, I was looking for success at first attempt, so I needed to find a method that did not use the crash-dialog, kept (by default) the config and did not use the last-visited feature (The next one maybe too paranoic):
0. In attacker: exploit ready.
1. In victim: Start Opera.exe and launch the exploit.
2. In victim: If success -> Close shellcode -> Turn off the computer.
3. In victim: If not success -> Do not restart + Do not send/Send -> Turn off the computer
4. In attacker: kill id_exploit and exploit (new random url)
5. In victim: Start the computer.
6. In victim: Go to step 1.
- Opera 12 pre-alpha -> RCE on 6/10 attempts
- Opera 11.51 -> RCE on 3/10 attempts
- Opera 11.50 -> RCE on 3/10 attempts
- Opera 11.11 -> RCE on 4/10 attempts
- Opera 11.10 -> RCE on 4/10 attempts
- Opera 11.01 -> RCE on 5/10 attempts
- Opera 11.00 -> RCE on 4/10 attempts
The exploit 0day here and here.
You can find more info:
Update (2011/10/17): I want to explain that I do not have an exact date when Opera was reported. As I've explained in my report in spanish, probably it was 10 months ago. By the way, note that they fixed the known as "frameset exploit" in May. However, all the vulnerabilities were reported together.
Update (2011/10/19): Opera has patched the vulnerability with the new version released: 11.52.
Happy (0)day, folks!