Vulnerabilities > CVE-2006-1834 - Numeric Errors vulnerability in Opera Browser
Attack vector
NETWORK Attack complexity
HIGH Privileges required
NONE Confidentiality impact
PARTIAL Integrity impact
PARTIAL Availability impact
PARTIAL Summary
Integer signedness error in Opera before 8.54 allows remote attackers to execute arbitrary code via long values in a stylesheet attribute, which pass a length check. NOTE: a sign extension problem makes the attack easier with shorter strings.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Exploit-Db
| description | Opera Web Browser 8.52 Stylesheet Attribute Buffer Overflow Vulnerability. CVE-2006-1834 . Dos exploit for linux platform |
| id | EDB-ID:27641 |
| last seen | 2016-02-03 |
| modified | 2006-04-13 |
| published | 2006-04-13 |
| reporter | SEC Consult |
| source | https://www.exploit-db.com/download/27641/ |
| title | Opera Web Browser 8.52 Stylesheet Attribute Buffer Overflow Vulnerability |
Nessus
NASL family SuSE Local Security Checks NASL id SUSE_OPERA-1313.NASL description Integer signedness error in Opera before 8.54 allows remote attackers to execute arbitrary code via long values in a stylesheet attribute, which pass a length check. (CVE-2006-1834) last seen 2020-06-01 modified 2020-06-02 plugin id 27371 published 2007-10-17 reporter This script is Copyright (C) 2007-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/27371 title openSUSE 10 Security Update : opera (opera-1313) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from openSUSE Security Update opera-1313. # # The text description of this plugin is (C) SUSE LLC. # include("compat.inc"); if (description) { script_id(27371); script_version ("1.12"); script_cvs_date("Date: 2019/10/25 13:36:28"); script_cve_id("CVE-2006-1834"); script_name(english:"openSUSE 10 Security Update : opera (opera-1313)"); script_summary(english:"Check for the opera-1313 patch"); script_set_attribute( attribute:"synopsis", value:"The remote openSUSE host is missing a security update." ); script_set_attribute( attribute:"description", value: "Integer signedness error in Opera before 8.54 allows remote attackers to execute arbitrary code via long values in a stylesheet attribute, which pass a length check. (CVE-2006-1834)" ); script_set_attribute(attribute:"solution", value:"Update the affected opera package."); script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:P"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:opera"); script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:10.1"); script_set_attribute(attribute:"patch_publication_date", value:"2006/05/10"); script_set_attribute(attribute:"plugin_publication_date", value:"2007/10/17"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2007-2019 Tenable Network Security, Inc."); script_family(english:"SuSE Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/SuSE/release"); if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE"); if (release !~ "^(SUSE10\.1)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "10.1", release); if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); ourarch = get_kb_item("Host/cpu"); if (!ourarch) audit(AUDIT_UNKNOWN_ARCH); if (ourarch !~ "^(i586|i686|x86_64)$") audit(AUDIT_ARCH_NOT, "i586 / i686 / x86_64", ourarch); flag = 0; if ( rpm_check(release:"SUSE10.1", reference:"opera-8.54-0.1") ) flag++; if (flag) { if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get()); else security_warning(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "opera"); }NASL family Gentoo Local Security Checks NASL id GENTOO_GLSA-200606-01.NASL description The remote host is affected by the vulnerability described in GLSA-200606-01 (Opera: Buffer overflow) SEC Consult has discovered a buffer overflow in the code processing style sheet attributes. It is caused by an integer signedness error in a length check followed by a call to a string function. It seems to be hard to exploit this buffer overflow to execute arbitrary code because of the very large amount memory that has to be copied. Impact : A remote attacker can entice a user to visit a web page containing a specially crafted style sheet attribute that will crash the user last seen 2020-06-01 modified 2020-06-02 plugin id 21663 published 2006-06-08 reporter This script is Copyright (C) 2006-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/21663 title GLSA-200606-01 : Opera: Buffer overflow code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Gentoo Linux Security Advisory GLSA 200606-01. # # The advisory text is Copyright (C) 2001-2015 Gentoo Foundation, Inc. # and licensed under the Creative Commons - Attribution / Share Alike # license. See http://creativecommons.org/licenses/by-sa/3.0/ # include("compat.inc"); if (description) { script_id(21663); script_version("1.13"); script_cvs_date("Date: 2019/08/02 13:32:43"); script_cve_id("CVE-2006-1834"); script_xref(name:"GLSA", value:"200606-01"); script_name(english:"GLSA-200606-01 : Opera: Buffer overflow"); script_summary(english:"Checks for updated package(s) in /var/db/pkg"); script_set_attribute( attribute:"synopsis", value: "The remote Gentoo host is missing one or more security-related patches." ); script_set_attribute( attribute:"description", value: "The remote host is affected by the vulnerability described in GLSA-200606-01 (Opera: Buffer overflow) SEC Consult has discovered a buffer overflow in the code processing style sheet attributes. It is caused by an integer signedness error in a length check followed by a call to a string function. It seems to be hard to exploit this buffer overflow to execute arbitrary code because of the very large amount memory that has to be copied. Impact : A remote attacker can entice a user to visit a web page containing a specially crafted style sheet attribute that will crash the user's browser and maybe lead to the execution of arbitrary code. Workaround : There is no known workaround at this time." ); script_set_attribute( attribute:"see_also", value:"https://security.gentoo.org/glsa/200606-01" ); script_set_attribute( attribute:"solution", value: "All Opera users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose '>=www-client/opera-8.54'" ); script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:P"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:opera"); script_set_attribute(attribute:"cpe", value:"cpe:/o:gentoo:linux"); script_set_attribute(attribute:"patch_publication_date", value:"2006/06/07"); script_set_attribute(attribute:"plugin_publication_date", value:"2006/06/08"); script_set_attribute(attribute:"vuln_publication_date", value:"2006/04/13"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2006-2019 Tenable Network Security, Inc."); script_family(english:"Gentoo Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/Gentoo/release", "Host/Gentoo/qpkg-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("qpkg.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Gentoo/release")) audit(AUDIT_OS_NOT, "Gentoo"); if (!get_kb_item("Host/Gentoo/qpkg-list")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (qpkg_check(package:"www-client/opera", unaffected:make_list("ge 8.54"), vulnerable:make_list("lt 8.54"))) flag++; if (flag) { if (report_verbosity > 0) security_warning(port:0, extra:qpkg_report_get()); else security_warning(0); exit(0); } else { tested = qpkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "Opera"); }NASL family Windows NASL id OPERA_854.NASL description The remote host is using Opera, an alternative web browser. The version of Opera installed on the remote host contains a buffer overflow that can be triggered by a long value within a stylesheet attribute. Successful exploitation can lead to a browser crash and possibly allow for the execution of arbitrary code subject to the privileges of the user running Opera. last seen 2020-06-01 modified 2020-06-02 plugin id 21221 published 2006-04-14 reporter This script is Copyright (C) 2006-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/21221 title Opera < 8.54 Multiple Vulnerabilities code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(21221); script_version("1.16"); script_cve_id("CVE-2006-1834"); script_bugtraq_id(17513); script_name(english:"Opera < 8.54 Multiple Vulnerabilities"); script_summary(english:"Checks version number of Opera"); script_set_attribute(attribute:"synopsis", value: "The remote host contains a web browser that is prone to a buffer overflow attack." ); script_set_attribute(attribute:"description", value: "The remote host is using Opera, an alternative web browser. The version of Opera installed on the remote host contains a buffer overflow that can be triggered by a long value within a stylesheet attribute. Successful exploitation can lead to a browser crash and possibly allow for the execution of arbitrary code subject to the privileges of the user running Opera." ); script_set_attribute(attribute:"see_also", value:"https://www.securityfocus.com/archive/1/430876/30/0/threaded" ); script_set_attribute(attribute:"see_also", value:"http://web.archive.org/web/20170713152222/http://www.opera.com:80/docs/changelogs/windows/854/" ); script_set_attribute(attribute:"solution", value: "Upgrade to Opera 8.54 or later." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"plugin_publication_date", value: "2006/04/14"); script_set_attribute(attribute:"vuln_publication_date", value: "2006/04/13"); script_cvs_date("Date: 2018/11/15 20:50:28"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/a:opera:opera_browser"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Windows"); script_copyright(english:"This script is Copyright (C) 2006-2018 Tenable Network Security, Inc."); script_dependencies("opera_installed.nasl"); script_require_keys("SMB/Opera/Version_UI"); exit(0); } include("global_settings.inc"); version_ui = get_kb_item("SMB/Opera/Version_UI"); if (isnull(version_ui)) exit(0); if (version_ui =~ "^([0-7]\.|8\.([0-4][0-9]|5[0-3])($|[^0-9]))") { if (report_verbosity) { report = string( "\n", "Opera version ", version_ui, " is currently installed on the remote host.\n" ); security_warning(port:get_kb_item("SMB/transport"), extra:report); } else security_warning(get_kb_item("SMB/transport")); }
References
- http://lists.suse.com/archive/suse-security-announce/2006-May/0004.html
- http://marc.info/?l=full-disclosure&m=114493114031891&w=2
- http://secunia.com/advisories/20117
- http://security.gentoo.org/glsa/glsa-200606-01.xml
- http://securitytracker.com/id?1015912
- http://www.opera.com/docs/changelogs/windows/854/
- http://www.sec-consult.com/259.html
- http://www.securityfocus.com/archive/1/430876/100/0/threaded
- http://www.securityfocus.com/bid/17513
- http://www.vupen.com/english/advisories/2006/1354
- https://exchange.xforce.ibmcloud.com/vulnerabilities/25829