Vulnerabilities > CVE-2006-3198 - Integer Overflow or Wraparound vulnerability in Opera Browser
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
PARTIAL Integrity impact
PARTIAL Availability impact
PARTIAL Summary
Integer overflow in Opera 8.54 and earlier allows remote attackers to execute arbitrary code via a JPEG image with large height and width values, which causes less memory to be allocated than intended.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Forced Integer Overflow This attack forces an integer variable to go out of range. The integer variable is often used as an offset such as size of memory allocation or similarly. The attacker would typically control the value of such variable and try to get it out of range. For instance the integer in question is incremented past the maximum possible value, it may wrap to become a very small, or negative number, therefore providing a very incorrect value which can lead to unexpected behavior. At worst the attacker can execute arbitrary code.
Nessus
NASL family Windows NASL id OPERA_900.NASL description The version of Opera installed on the remote host reportedly contains an issue that presents itself when the height and width parameters of a JPEG image are set excessively high, causing Opera to allocate insufficient memory for the image and crash as it tries to write to memory at the wrong location. In addition, it is reportedly affected by a flaw that may allow an attacker to display an SSL certificate from a trusted site on an untrusted one. last seen 2020-06-01 modified 2020-06-02 plugin id 21786 published 2006-06-30 reporter This script is Copyright (C) 2006-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/21786 title Opera < 9.00 Multiple Vulnerabilities code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(21786); script_version("1.18"); script_cve_id("CVE-2006-3198", "CVE-2006-3331"); script_bugtraq_id(18594, 18692); script_name(english:"Opera < 9.00 Multiple Vulnerabilities"); script_summary(english:"Checks version number of Opera"); script_set_attribute(attribute:"synopsis", value: "The remote host contains a web browser that is affected by multiple issues." ); script_set_attribute(attribute:"description", value: "The version of Opera installed on the remote host reportedly contains an issue that presents itself when the height and width parameters of a JPEG image are set excessively high, causing Opera to allocate insufficient memory for the image and crash as it tries to write to memory at the wrong location. In addition, it is reportedly affected by a flaw that may allow an attacker to display an SSL certificate from a trusted site on an untrusted one." ); script_set_attribute(attribute:"see_also", value:"https://www.securityfocus.com/archive/1/438074/30/0/threaded" ); script_set_attribute(attribute:"see_also", value:"http://web.archive.org/web/20061016111151/http://www.opera.com/support/search/supsearch.dml?index=834" ); script_set_attribute(attribute:"see_also", value:"https://secuniaresearch.flexerasoftware.com/secunia_research/2006-49/advisory/" ); script_set_attribute(attribute:"solution", value: "Upgrade to Opera version 9.00 or later." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"plugin_publication_date", value: "2006/06/30"); script_set_attribute(attribute:"vuln_publication_date", value: "2006/06/22"); script_cvs_date("Date: 2018/11/15 20:50:28"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/a:opera:opera_browser"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Windows"); script_copyright(english:"This script is Copyright (C) 2006-2018 Tenable Network Security, Inc."); script_dependencies("opera_installed.nasl"); script_require_keys("SMB/Opera/Version_UI"); exit(0); } include("global_settings.inc"); version_ui = get_kb_item("SMB/Opera/Version_UI"); if (isnull(version_ui)) exit(0); if (version_ui =~ "^([0-8]\.|9\.00 [Bb]eta)") { if (report_verbosity) { report = string( "\n", "Opera version ", version_ui, " is currently installed on the remote host.\n" ); security_hole(port:get_kb_item("SMB/transport"), extra:report); } else security_hole(get_kb_item("SMB/transport")); }NASL family SuSE Local Security Checks NASL id SUSE_OPERA-1699.NASL description The webbrowser Opera has been upgraded to version 9.0 to add lots of new features, and to fix the following security problem : CVE-2006-3198: An integer overflow vulnerability exists in the Opera Web Browser due to the improper handling of JPEG files. If excessively large height and width values are specified in certain fields of a JPEG file, an integer overflow may cause Opera to allocate insufficient memory for the image. This will lead to a buffer overflow when the image is loaded into memory, which can be exploited to execute arbitrary code. This updates the previous version, which had a directory conflict. last seen 2020-06-01 modified 2020-06-02 plugin id 27373 published 2007-10-17 reporter This script is Copyright (C) 2007-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/27373 title openSUSE 10 Security Update : opera (opera-1699) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from openSUSE Security Update opera-1699. # # The text description of this plugin is (C) SUSE LLC. # include("compat.inc"); if (description) { script_id(27373); script_version ("1.12"); script_cvs_date("Date: 2019/10/25 13:36:28"); script_cve_id("CVE-2006-3198"); script_name(english:"openSUSE 10 Security Update : opera (opera-1699)"); script_summary(english:"Check for the opera-1699 patch"); script_set_attribute( attribute:"synopsis", value:"The remote openSUSE host is missing a security update." ); script_set_attribute( attribute:"description", value: "The webbrowser Opera has been upgraded to version 9.0 to add lots of new features, and to fix the following security problem : CVE-2006-3198: An integer overflow vulnerability exists in the Opera Web Browser due to the improper handling of JPEG files. If excessively large height and width values are specified in certain fields of a JPEG file, an integer overflow may cause Opera to allocate insufficient memory for the image. This will lead to a buffer overflow when the image is loaded into memory, which can be exploited to execute arbitrary code. This updates the previous version, which had a directory conflict." ); script_set_attribute(attribute:"solution", value:"Update the affected opera package."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:opera"); script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:10.1"); script_set_attribute(attribute:"patch_publication_date", value:"2006/06/30"); script_set_attribute(attribute:"plugin_publication_date", value:"2007/10/17"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2007-2019 Tenable Network Security, Inc."); script_family(english:"SuSE Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/SuSE/release"); if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE"); if (release !~ "^(SUSE10\.1)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "10.1", release); if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); ourarch = get_kb_item("Host/cpu"); if (!ourarch) audit(AUDIT_UNKNOWN_ARCH); if (ourarch !~ "^(i586|i686|x86_64)$") audit(AUDIT_ARCH_NOT, "i586 / i686 / x86_64", ourarch); flag = 0; if ( rpm_check(release:"SUSE10.1", reference:"opera-9.0-1.3") ) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get()); else security_hole(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "opera"); }NASL family FreeBSD Local Security Checks NASL id FREEBSD_PKG_0A4CD819029111DBBBF7000C6EC775D9.NASL description The remote host is missing an update to the system The following package is affected: linux-opera This plugin has been deprecated since the advisory has been canceled. last seen 2016-09-26 modified 2015-12-02 plugin id 21741 published 2006-06-23 reporter Tenable source https://www.tenable.com/plugins/index.php?view=single&id=21741 title FreeBSD : opera -- JPEG processing integer overflow vulnerability (799) (deprecated) code #%NASL_MIN_LEVEL 999999 # @DEPRECATED@ # # This script has been deprecated as the VuXML entry has been # cancelled. # # Disabled on 2011/10/02. # # (C) Tenable Network Security # # This script contains information extracted from VuXML : # # Copyright 2003-2006 Jacques Vidrine and contributors # # Redistribution and use in source (VuXML) and 'compiled' forms (SGML, # HTML, PDF, PostScript, RTF and so forth) with or without modification, # are permitted provided that the following conditions are met: # 1. Redistributions of source code (VuXML) must retain the above # copyright notice, this list of conditions and the following # disclaimer as the first lines of this file unmodified. # 2. Redistributions in compiled form (transformed to other DTDs, # published online in any format, converted to PDF, PostScript, # RTF and other formats) must reproduce the above copyright # notice, this list of conditions and the following disclaimer # in the documentation and/or other materials provided with the # distribution. # # THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS "AS IS" # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, # THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR # PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS # BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, # OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT # OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR # BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE # OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION, # EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # # # include("compat.inc"); if ( description ) { script_id(21741); script_version("1.12"); script_bugtraq_id(18594); script_name(english:"FreeBSD : opera -- JPEG processing integer overflow vulnerability (799) (deprecated)"); script_set_attribute(attribute:"synopsis", value: "This plugin has been deprecated."); script_set_attribute(attribute:"description", value: "The remote host is missing an update to the system The following package is affected: linux-opera This plugin has been deprecated since the advisory has been canceled."); script_set_attribute(attribute:"solution", value: "n/a"); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:U/RC:ND"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"plugin_publication_date", value: "2006/06/23"); script_cvs_date("Date: 2018/07/20 0:18:52"); script_end_attributes(); script_cve_id("CVE-2006-3198"); script_summary(english:"Check for linux-opera"); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2006-2018 Tenable Network Security, Inc."); family["english"] = "FreeBSD Local Security Checks"; script_family(english:family["english"]); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/FreeBSD/pkg_info"); exit(0); } exit(0, "This plugin has been deprecated as the associated VuXML entry has been cancelled.");NASL family SuSE Local Security Checks NASL id SUSE_OPERA-1697.NASL description The webbrowser Opera has been upgraded to version 9.0 to add lots of new features, and to fix the following security problem : CVE-2006-3198: An integer overflow vulnerability exists in the Opera Web Browser due to the improper handling of JPEG files. If excessively large height and width values are specified in certain fields of a JPEG file, an integer overflow may cause Opera to allocate insufficient memory for the image. This will lead to a buffer overflow when the image is loaded into memory, which can be exploited to execute arbitrary code. last seen 2020-06-01 modified 2020-06-02 plugin id 27372 published 2007-10-17 reporter This script is Copyright (C) 2007-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/27372 title openSUSE 10 Security Update : opera (opera-1697) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from openSUSE Security Update opera-1697. # # The text description of this plugin is (C) SUSE LLC. # include("compat.inc"); if (description) { script_id(27372); script_version ("1.12"); script_cvs_date("Date: 2019/10/25 13:36:28"); script_cve_id("CVE-2006-3198"); script_name(english:"openSUSE 10 Security Update : opera (opera-1697)"); script_summary(english:"Check for the opera-1697 patch"); script_set_attribute( attribute:"synopsis", value:"The remote openSUSE host is missing a security update." ); script_set_attribute( attribute:"description", value: "The webbrowser Opera has been upgraded to version 9.0 to add lots of new features, and to fix the following security problem : CVE-2006-3198: An integer overflow vulnerability exists in the Opera Web Browser due to the improper handling of JPEG files. If excessively large height and width values are specified in certain fields of a JPEG file, an integer overflow may cause Opera to allocate insufficient memory for the image. This will lead to a buffer overflow when the image is loaded into memory, which can be exploited to execute arbitrary code." ); script_set_attribute(attribute:"solution", value:"Update the affected opera package."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:opera"); script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:10.1"); script_set_attribute(attribute:"patch_publication_date", value:"2006/06/28"); script_set_attribute(attribute:"plugin_publication_date", value:"2007/10/17"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2007-2019 Tenable Network Security, Inc."); script_family(english:"SuSE Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/SuSE/release"); if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE"); if (release !~ "^(SUSE10\.1)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "10.1", release); if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); ourarch = get_kb_item("Host/cpu"); if (!ourarch) audit(AUDIT_UNKNOWN_ARCH); if (ourarch !~ "^(i586|i686|x86_64)$") audit(AUDIT_ARCH_NOT, "i586 / i686 / x86_64", ourarch); flag = 0; if ( rpm_check(release:"SUSE10.1", reference:"opera-9.0-1.1") ) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get()); else security_hole(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "opera"); }NASL family SuSE Local Security Checks NASL id SUSE_SA_2006_038.NASL description The remote host is missing the patch for the advisory SUSE-SA:2006:038 (opera). The web browser Opera has been upgraded to version 9.0 to add lots of new features, and to fix the following security problem: - CVE-2006-3198: An integer overflow vulnerability exists in the Opera Web Browser due to the improper handling of JPEG files. If excessively large height and width values are specified in certain fields of a JPEG file, an integer overflow may cause Opera to allocate insufficient memory for the image. This will lead to a buffer overflow when the image is loaded into memory, which can be exploited to execute arbitrary code. - CVE-2006-3331: Opera did not reset the SSL security bar after displaying a download dialog from an SSL-enabled website, which allows remote attackers to spoof a trusted SSL certificate from an untrusted website and facilitates phishing attacks. last seen 2019-10-28 modified 2007-02-18 plugin id 24418 published 2007-02-18 reporter This script is Copyright (C) 2007-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/24418 title SUSE-SA:2006:038: opera
References
- http://www.vigilantminds.com/advi_detail.php?id=45
- http://www.securityfocus.com/bid/18594
- http://securitytracker.com/id?1016362
- http://secunia.com/advisories/20787
- http://www.novell.com/linux/security/advisories/2006_38_opera.html
- http://secunia.com/advisories/20897
- http://securityreason.com/securityalert/1133
- http://www.vupen.com/english/advisories/2006/2491
- https://exchange.xforce.ibmcloud.com/vulnerabilities/27318
- http://www.securityfocus.com/archive/1/438074/100/0/threaded