Vulnerabilities > CVE-2004-0473 - Argument Injection or Modification vulnerability in Opera Browser
Attack vector
NETWORK Attack complexity
HIGH Privileges required
NONE Confidentiality impact
NONE Integrity impact
PARTIAL Availability impact
NONE Summary
Argument injection vulnerability in Opera before 7.50 does not properly filter "-" characters that begin a hostname in a telnet URI, which allows remote attackers to insert options to the resulting command line and overwrite arbitrary files via (1) the "-f" option on Windows XP or (2) the "-n" option on Linux.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Try All Common Application Switches and Options An attacker attempts to invoke all common switches and options in the target application for the purpose of discovering weaknesses in the target. For example, in some applications, adding a --debug switch causes debugging information to be displayed, which can sometimes reveal sensitive processing or configuration information to an attacker. This attack differs from other forms of API abuse in that the attacker is blindly attempting to invoke options in the hope that one of them will work rather than specifically targeting a known option. Nonetheless, even if the attacker is familiar with the published options of a targeted application this attack method may still be fruitful as it might discover unpublicized functionality.
- Using Meta-characters in E-mail Headers to Inject Malicious Payloads This type of attack involves an attacker leveraging meta-characters in email headers to inject improper behavior into email programs. Email software has become increasingly sophisticated and feature-rich. In addition, email applications are ubiquitous and connected directly to the Web making them ideal targets to launch and propagate attacks. As the user demand for new functionality in email applications grows, they become more like browsers with complex rendering and plug in routines. As more email functionality is included and abstracted from the user, this creates opportunities for attackers. Virtually all email applications do not list email header information by default, however the email header contains valuable attacker vectors for the attacker to exploit particularly if the behavior of the email client application is known. Meta-characters are hidden from the user, but can contain scripts, enumerations, probes, and other attacks against the user's system.
- HTTP Parameter Pollution (HPP) An attacker overrides or adds HTTP GET/POST parameters by injecting query string delimiters. Via HPP it may be possible to override existing hardcoded HTTP parameters, modify the application behaviors, access and, potentially exploit, uncontrollable variables, and bypass input validation checkpoints and WAF rules.
- OS Command Injection In this type of an attack, an adversary injects operating system commands into existing application functions. An application that uses untrusted input to build command strings is vulnerable. An adversary can leverage OS command injection in an application to elevate privileges, execute arbitrary commands and compromise the underlying operating system.
Nessus
NASL family Gentoo Local Security Checks NASL id GENTOO_GLSA-200405-19.NASL description The remote host is affected by the vulnerability described in GLSA-200405-19 (Opera telnet URI handler file creation/truncation vulnerability) The telnet URI handler in Opera does not check for leading last seen 2020-06-01 modified 2020-06-02 plugin id 14505 published 2004-08-30 reporter This script is Copyright (C) 2004-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/14505 title GLSA-200405-19 : Opera telnet URI handler file creation/truncation vulnerability code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Gentoo Linux Security Advisory GLSA 200405-19. # # The advisory text is Copyright (C) 2001-2015 Gentoo Foundation, Inc. # and licensed under the Creative Commons - Attribution / Share Alike # license. See http://creativecommons.org/licenses/by-sa/3.0/ # include("compat.inc"); if (description) { script_id(14505); script_version("1.14"); script_cvs_date("Date: 2019/08/02 13:32:41"); script_cve_id("CVE-2004-0473"); script_xref(name:"GLSA", value:"200405-19"); script_name(english:"GLSA-200405-19 : Opera telnet URI handler file creation/truncation vulnerability"); script_summary(english:"Checks for updated package(s) in /var/db/pkg"); script_set_attribute( attribute:"synopsis", value: "The remote Gentoo host is missing one or more security-related patches." ); script_set_attribute( attribute:"description", value: "The remote host is affected by the vulnerability described in GLSA-200405-19 (Opera telnet URI handler file creation/truncation vulnerability) The telnet URI handler in Opera does not check for leading '-' characters in the host name. Consequently, a maliciously-crafted telnet:// link may be able to pass options to the telnet program itself. One example would be the following: telnet://-nMyFile If MyFile exists in the user's home directory and the user clicking on the link has write permissions to it, the contents of the file will be overwritten with the output of the telnet trace information. If MyFile does not exist, the file will be created in the user's home directory. Impact : This exploit has two possible impacts. First, it may create new files in the user's home directory. Second, and far more serious, it may overwrite existing files that the user has write permissions to. An attacker with some knowledge of a user's home directory might be able to destroy important files stored within. Workaround : Disable the telnet URI handler from within Opera." ); # http://www.idefense.com/application/poi/display?id=104&type=vulnerabilities&flashstatus=true script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?aacb7758" ); script_set_attribute( attribute:"see_also", value:"https://security.gentoo.org/glsa/200405-19" ); script_set_attribute( attribute:"solution", value: "All Opera users are encouraged to upgrade to the latest version of the program: # emerge sync # emerge -pv '>=www-client/opera-7.50_beta1' # emerge '>=www-client/opera-7.50_beta1'" ); script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:N/C:N/I:P/A:N"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:opera"); script_set_attribute(attribute:"cpe", value:"cpe:/o:gentoo:linux"); script_set_attribute(attribute:"patch_publication_date", value:"2004/05/25"); script_set_attribute(attribute:"plugin_publication_date", value:"2004/08/30"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2004-2019 Tenable Network Security, Inc."); script_family(english:"Gentoo Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/Gentoo/release", "Host/Gentoo/qpkg-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("qpkg.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Gentoo/release")) audit(AUDIT_OS_NOT, "Gentoo"); if (!get_kb_item("Host/Gentoo/qpkg-list")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (qpkg_check(package:"www-client/opera", unaffected:make_list("ge 7.50_beta1"), vulnerable:make_list("lt 7.50_beta1"))) flag++; if (flag) { if (report_verbosity > 0) security_note(port:0, extra:qpkg_report_get()); else security_note(0); exit(0); } else { tested = qpkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "www-client/opera"); }NASL family Debian Local Security Checks NASL id DEBIAN_DSA-518.NASL description iDEFENSE identified a vulnerability in the Opera web browser that could be used by remote attackers to create or truncate arbitrary files on the victims machine. The KDE team discovered that a similar vulnerability exists in KDE. A remote attacker could entice a user to open a carefully crafted telnet URI which may either create or truncate a file in the victims home directory. In KDE 3.2 and later versions the user is first explicitly asked to confirm the opening of the telnet URI. last seen 2020-06-01 modified 2020-06-02 plugin id 15355 published 2004-09-29 reporter This script is Copyright (C) 2004-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/15355 title Debian DSA-518-1 : kdelibs - unsanitised input
References
- http://www.opera.com/linux/changelogs/750/index.dml
- http://security.gentoo.org/glsa/glsa-200405-19.xml
- http://www.securityfocus.com/bid/10341
- http://securitytracker.com/id?1010142
- http://www.idefense.com/application/poi/display?id=104&type=vulnerabilities
- https://exchange.xforce.ibmcloud.com/vulnerabilities/16139