Recently, a crafted HTTP response (a "data package") that exploits Opera has been released on the Internet. If a user opens this response (by visiting a website that serves it) with Opera version 10.50 or earlier, the browser crashes.
Figure 1 – Data package released on the Internet.
When the Opera browser receives the response, it uses the Content-Length field to determine the length of the HTML at the end of the response, then copies that HTML into a buffer to display it. In the Opera.dll module, the number from the Content-Length field is stored in a 64-bit variable. The code then checks only whether the upper 4 bytes of that variable, treated as a signed number, are negative. If they are not negative, the HTML is copied with its actual length and no problem occurs. If they are negative, the program takes the lower 4 bytes of the number, treated as an unsigned number, as the copy length and copies the HTML into a 20000h-byte buffer. Therefore, if we put into the Content-Length field a 64-bit number whose upper 4 bytes lie between 80000000h and FFFFFFFFh and whose lower 4 bytes are large enough, for example FFFFFFFDh, the browser crashes. In the OllyDbg listing in Figure 2 we can see the comparison: if DWORD PTR SS:[EBP-4] < 0, execution continues at Opera_1.676C8375, which loads the value FFFFFFFDh into EDI and then moves it into ECX as the copy count, so the copy overflows the buffer.
Figure 2 – The piece of code that checks whether the upper 4 bytes are negative.
Running Opera to completion under OllyDbg confirms this. The vulnerable code lies in the Opera_1 module (that is, Opera.dll) and causes a buffer overflow. In Figure 3 it can be seen that the program attempts to copy a huge amount of data, FFFFFFFDh bytes, from 6D74683C to 00000000 with a REP MOVS instruction. This is what crashes the program.
Figure 3 – The operation that causes the program to crash.
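The following C program is an added example written for this analysis; it is not Opera's code and does not reproduce the crash. It models the length selection described above (sign-check only the upper DWORD of a 64-bit Content-Length, then use the lower DWORD as an unsigned copy count) next to a hardened version that bounds the count by both the 20000h-byte destination buffer and the bytes actually received. The header value 9223372041149743101 is 80000000FFFFFFFDh written in decimal; the header strings and the HTML body are constructed inputs, and the function names are this example's own.

```c
/* Model of the Content-Length handling described above (constructed
   example, not Opera's code). The header value is read into a 64-bit
   integer; the flawed path sign-checks only the upper DWORD and, when it
   is negative, hands the lower DWORD to the copy as an unsigned count. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BODY_BUF_SIZE 0x20000u   /* size of the destination buffer named in the analysis */

/* Parse a Content-Length value (decimal digits only) into a 64-bit integer.
   Returns 0 on success, -1 on malformed, signed or out-of-range input. */
int parse_content_length(const char *value, uint64_t *out)
{
    char *end;
    if (value[0] < '0' || value[0] > '9')   /* reject "", "-5", "+5", " 5" */
        return -1;
    errno = 0;
    unsigned long long v = strtoull(value, &end, 10);
    if (*end != '\0' || errno == ERANGE)
        return -1;
    *out = (uint64_t)v;
    return 0;
}

/* Flawed length selection, mirroring the comparison in Figure 2.
   Returns the byte count that would be handed to REP MOVS. */
uint32_t vulnerable_copy_len(uint64_t content_length, uint32_t actual_len)
{
    int32_t  high = (int32_t)(content_length >> 32);   /* DWORD PTR [EBP-4] */
    uint32_t low  = (uint32_t)content_length;          /* value loaded into EDI */
    if (high >= 0)
        return actual_len;   /* benign path: copy what was really received */
    return low;              /* negative upper DWORD: lower DWORD used unsigned */
}

/* Hardened selection: the header is advisory. Refuse anything that does
   not fit the destination buffer or exceeds the bytes actually received. */
int safe_copy_len(uint64_t content_length, uint32_t actual_len, uint32_t *count)
{
    if (content_length > BODY_BUF_SIZE || content_length > actual_len)
        return -1;
    *count = (uint32_t)content_length;
    return 0;
}

/* Copy the body into a fixed buffer using the hardened check.
   Returns the number of bytes copied, or -1 if the request is refused. */
long copy_body(const char *body, uint32_t actual_len, uint64_t content_length,
               unsigned char *dst)
{
    uint32_t n;
    if (safe_copy_len(content_length, actual_len, &n) != 0)
        return -1;
    memcpy(dst, body, n);
    return (long)n;
}

int main(void)
{
    /* Constructed header values; the second is 80000000FFFFFFFDh in decimal. */
    const char *benign  = "26";
    const char *crafted = "9223372041149743101";
    const char *body    = "<html>hello, world</html>\n";   /* 26 bytes */
    uint32_t actual = (uint32_t)strlen(body);
    static unsigned char dst[BODY_BUF_SIZE];
    uint64_t cl;

    parse_content_length(benign, &cl);
    printf("benign : vulnerable count=%u safe=%ld\n",
           vulnerable_copy_len(cl, actual), copy_body(body, actual, cl, dst));

    parse_content_length(crafted, &cl);
    uint32_t bad = vulnerable_copy_len(cl, actual);
    printf("crafted: vulnerable count=%08X (%s) safe=%ld\n", bad,
           bad > BODY_BUF_SIZE ? "overflows the 20000h buffer" : "fits",
           copy_body(body, actual, cl, dst));
    return 0;
}
```

The point of the hardened check is that the sign of the upper DWORD says nothing useful about whether a copy is safe; the only meaningful bounds are the destination buffer size and the number of bytes that actually arrived, and both must be compared against the full 64-bit value before it is ever truncated to 32 bits.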
This vulnerability exists only in Opera version 10.50 and earlier; it has been fixed in Opera 10.51. Users can download Opera 10.51 at: http://www.opera.com/browser/
Analyst: Le Minh Tuan