Vulnerabilities > CVE-2004-1810 - Unspecified vulnerability in Opera Browser

047910
CVSS 5.0 - MEDIUM
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
NONE
Integrity impact
NONE
Availability impact
PARTIAL
network
low complexity
opera
nessus

Summary

The Javascript engine in Opera 7.23 allows remote attackers to cause a denial of service (crash) by creating a new Array object with a large size value, then writing into that array.

Nessus

NASL family: Windows
NASL id: OPERA_LARGE_JAVASCRIPT_ARRAY_VULN.NASL
description: The version of Opera on the remote host is vulnerable to an issue when handling large JavaScript arrays. In particular, it is possible to crash the browser when performing various operations on Array objects with 99999999999999999999999 or 0x23000000 elements. The crash is due to a segmentation fault and may be indicative of an exploitable memory corruption vulnerability, possibly resulting in arbitrary code execution.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 14248
published: 2004-08-10
reporter: This script is Copyright (C) 2004-2018 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/14248
title: Opera < 7.50 JavaScript Engine Array Handling DoS
code
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

# Registration branch: when `description` is set, the script only declares its
# metadata and exits (see exit(0) at the end of the block) before any version
# check runs.
if (description)
{
 # Plugin identity and revision stamps.
 script_id(14248);
 script_version("1.17");
 script_cvs_date("Date: 2018/07/16 14:09:15");

 # Advisory cross-references for this finding.
 script_cve_id("CVE-2004-1810");
 script_bugtraq_id(9869);

 script_name(english:"Opera < 7.50 JavaScript Engine Array Handling DoS");
 script_summary(english:"Determines the version of Opera.exe");

 # Human-readable finding text shown in scan results.
 script_set_attribute(attribute:"synopsis", value:
"An installed browser is vulnerable to a denial of service attack." );
 script_set_attribute(attribute:"description", value:
"The version of Opera on the remote host is vulnerable to an issue when
handling large JavaScript arrays. 

In particular, it is possible to crash the browser when performing
various operations on Array objects with 99999999999999999999999 or
0x23000000 elements. 

The crash is due to a segmentation fault and may be indicative of an
exploitable memory corruption vulnerability, possibly resulting in
arbitrary code execution." );
 script_set_attribute(attribute:"solution", value:"Install Opera 7.50 or later.");
 # NOTE(review): the base vector scores availability impact only
 # (C:N/I:N/A:P), while the description above allows for memory corruption
 # and possible code execution; keep that gap in mind when prioritising.
 script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
 script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
 script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
 script_set_attribute(attribute:"exploit_available", value:"false");

 script_set_attribute(attribute:"plugin_publication_date", value:"2004/08/10");
 # Declared as a local check: the verdict is derived from the KB keys
 # required below, not from exercising the browser.
 script_set_attribute(attribute:"plugin_type", value:"local");
 script_set_attribute(attribute:"cpe", value:"cpe:/a:opera:opera_browser");
 script_end_attributes();

 # Categorised as information gathering.
 script_category(ACT_GATHER_INFO);
 script_copyright(english:"This script is Copyright (C) 2004-2018 Tenable Network Security, Inc.");
 script_family(english:"Windows");

 # Requires SMB/Opera/Version in the KB; opera_installed.nasl is declared as
 # a dependency (presumably the plugin that sets that key; not visible here).
 script_dependencies("opera_installed.nasl");
 script_require_keys("SMB/Opera/Version");
 # Stop here so the detection logic after this block is skipped.
 exit(0);
}

#

include("global_settings.inc");

# Detection: a pure version comparison against 7.50 using KB data. Nothing
# here exercises the JavaScript engine, so a finding means "installed build is
# older than the fixed release", not "crash confirmed".
version_ui = get_kb_item("SMB/Opera/Version_UI");
version = get_kb_item("SMB/Opera/Version");
if (isnull(version)) exit(0);

# Break the dotted version into integer components for numeric comparison.
parts = split(version, sep:'.', keep:FALSE);
count = max_index(parts);
for (idx = 0; idx < count; idx++)
{
  parts[idx] = int(parts[idx]);
}

# Flag any major version below 7, or 7.x with a minor component below 50.
# NOTE(review): parts[1] is read without checking that the version string
# has a second component; confirm the KB value always carries one.
vulnerable = FALSE;
if (parts[0] < 7) vulnerable = TRUE;
else if (parts[0] == 7 && parts[1] < 50) vulnerable = TRUE;

if (vulnerable)
{
  # The finding is attached to the SMB transport port recorded in the KB.
  port = get_kb_item("SMB/transport");

  if (report_verbosity && version_ui)
  {
    # Verbose mode with a display version available: include it in the report.
    report = string(
      "\n",
      "Opera ", version_ui, " is currently installed on the remote host.\n"
    );
    security_warning(port:port, extra:report);
  }
  else
  {
    security_warning(port);
  }
}