Vulnerabilities > CVE-2008-5178 - Buffer Errors vulnerability in Opera 9.62
Attack vector
NETWORK Attack complexity
MEDIUM Privileges required
NONE Confidentiality impact
COMPLETE Integrity impact
COMPLETE Availability impact
COMPLETE Summary
Heap-based buffer overflow in Opera 9.62 on Windows allows remote attackers to execute arbitrary code via a long file:// URI. NOTE: this might overlap CVE-2008-5680.
Vulnerable Configurations
| Part | Description | Count |
|---|---|---|
| Application | 1 | |
| OS | 1 |
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Buffer Overflow via Environment Variables This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
- Overflow Buffers Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the attackers' choice.
- Client-side Injection-induced Buffer Overflow This type of attack exploits a buffer overflow vulnerability in targeted client software through injection of malicious content from a custom-built hostile service.
- Filter Failure through Buffer Overflow In this attack, the idea is to cause an active filter to fail by causing an oversized transaction. An attacker may try to feed overly long input strings to the program in an attempt to overwhelm the filter (by causing a buffer overflow) and hoping that the filter does not fail securely (i.e. the user input is let into the system unfiltered).
- MIME Conversion An attacker exploits a weakness in the MIME conversion routine to cause a buffer overflow and gain control over the mail server machine. The MIME system is designed to allow various different information formats to be interpreted and sent via e-mail. Attack points exist when data are converted to MIME compatible format and back.
Exploit-Db
| description | Opera 9.62 file:// Local Heap Overflow Exploit. CVE-2008-5178,CVE-2008-5680. Local exploit for windows platform |
| file | exploits/windows/local/7135.html |
| id | EDB-ID:7135 |
| last seen | 2016-02-01 |
| modified | 2008-11-17 |
| platform | windows |
| port | |
| published | 2008-11-17 |
| reporter | Guido Landi |
| source | https://www.exploit-db.com/download/7135/ |
| title | Opera 9.62 file:// Local Heap Overflow Exploit |
| type | local |
Nessus
NASL family Gentoo Local Security Checks NASL id GENTOO_GLSA-200903-30.NASL description The remote host is affected by the vulnerability described in GLSA-200903-30 (Opera: Multiple vulnerabilities) Multiple vulnerabilities were discovered in Opera: Vitaly McLain reported a heap-based buffer overflow when processing host names in file:// URLs (CVE-2008-5178). Alexios Fakos reported a vulnerability in the HTML parsing engine when processing web pages that trigger an invalid pointer calculation and heap corruption (CVE-2008-5679). Red XIII reported that certain text-area contents can be manipulated to cause a buffer overlow (CVE-2008-5680). David Bloom discovered that unspecified last seen 2020-06-01 modified 2020-06-02 plugin id 35943 published 2009-03-17 reporter This script is Copyright (C) 2009-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/35943 title GLSA-200903-30 : Opera: Multiple vulnerabilities code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Gentoo Linux Security Advisory GLSA 200903-30. # # The advisory text is Copyright (C) 2001-2016 Gentoo Foundation, Inc. # and licensed under the Creative Commons - Attribution / Share Alike # license. See http://creativecommons.org/licenses/by-sa/3.0/ # include("compat.inc"); if (description) { script_id(35943); script_version("1.15"); script_cvs_date("Date: 2019/08/02 13:32:45"); script_cve_id("CVE-2008-5178", "CVE-2008-5679", "CVE-2008-5680", "CVE-2008-5681", "CVE-2008-5682", "CVE-2008-5683", "CVE-2009-0914"); script_xref(name:"GLSA", value:"200903-30"); script_name(english:"GLSA-200903-30 : Opera: Multiple vulnerabilities"); script_summary(english:"Checks for updated package(s) in /var/db/pkg"); script_set_attribute( attribute:"synopsis", value: "The remote Gentoo host is missing one or more security-related patches." ); script_set_attribute( attribute:"description", value: "The remote host is affected by the vulnerability described in GLSA-200903-30 (Opera: Multiple vulnerabilities) Multiple vulnerabilities were discovered in Opera: Vitaly McLain reported a heap-based buffer overflow when processing host names in file:// URLs (CVE-2008-5178). Alexios Fakos reported a vulnerability in the HTML parsing engine when processing web pages that trigger an invalid pointer calculation and heap corruption (CVE-2008-5679). Red XIII reported that certain text-area contents can be manipulated to cause a buffer overlow (CVE-2008-5680). David Bloom discovered that unspecified 'scripted URLs' are not blocked during the feed preview (CVE-2008-5681). Robert Swiecki of the Google Security Team reported a Cross-site scripting vulnerability (CVE-2008-5682). An unspecified vulnerability reveals random data (CVE-2008-5683). Tavis Ormandy of the Google Security Team reported a vulnerability when processing JPEG images that may corrupt memory (CVE-2009-0914). Impact : A remote attacker could entice a user to open a specially crafted JPEG image to cause a Denial of Service or execute arbitrary code, to process an overly long file:// URL or to open a specially crafted web page to execute arbitrary code. He could also read existing subscriptions and force subscriptions to arbitrary feed URLs, as well as inject arbitrary web script or HTML via built-in XSLT templates. Workaround : There is no known workaround at this time." ); script_set_attribute( attribute:"see_also", value:"https://security.gentoo.org/glsa/200903-30" ); script_set_attribute( attribute:"solution", value: "All Opera users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose '>=www-client/opera-9.64'" ); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"exploit_framework_core", value:"true"); script_set_attribute(attribute:"exploit_framework_canvas", value:"true"); script_set_attribute(attribute:"canvas_package", value:'D2ExploitPack'); script_cwe_id(79, 119, 200, 399); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:opera"); script_set_attribute(attribute:"cpe", value:"cpe:/o:gentoo:linux"); script_set_attribute(attribute:"patch_publication_date", value:"2009/03/16"); script_set_attribute(attribute:"plugin_publication_date", value:"2009/03/17"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2009-2019 Tenable Network Security, Inc."); script_family(english:"Gentoo Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/Gentoo/release", "Host/Gentoo/qpkg-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("qpkg.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Gentoo/release")) audit(AUDIT_OS_NOT, "Gentoo"); if (!get_kb_item("Host/Gentoo/qpkg-list")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (qpkg_check(package:"www-client/opera", unaffected:make_list("ge 9.64"), vulnerable:make_list("lt 9.64"))) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:qpkg_report_get()); else security_hole(0); exit(0); } else { tested = qpkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "Opera"); }NASL family FreeBSD Local Security Checks NASL id FREEBSD_PKG_225BC349CE1011DDA7210030843D3802.NASL description The Opera Team reports : Manipulating certain text-area contents can cause a buffer overflow, which may be exploited to execute arbitrary code. Certain HTML constructs can cause the resulting DOM to change unexpectedly, which triggers a crash. To inject code, additional techniques will have to be employed. Exceptionally long host names in file: URLs can cause a buffer overflow, which may be exploited to execute arbitrary code. Remote Web pages cannot refer to file: URLs, so successful exploitation involves tricking users into manually opening the exploit URL, or a local file that refers to it. When Opera is previewing a news feed, some scripted URLs are not correctly blocked. These can execute scripts which are able to subscribe the user to any feed URL that the attacker chooses, and can also view the contents of any feeds that the user is subscribed to. These may contain sensitive information. Built-in XSLT templates incorrectly handle escaped content and can cause it to be treated as markup. If a site accepts content from untrusted users, which it then displays using XSLT as escaped strings, this can allow scripted markup to be injected. The scripts will then be executed in the security context of that site. last seen 2020-06-01 modified 2020-06-02 plugin id 35240 published 2008-12-21 reporter This script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/35240 title FreeBSD : opera -- multiple vulnerabilities (225bc349-ce10-11dd-a721-0030843d3802) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from the FreeBSD VuXML database : # # Copyright 2003-2018 Jacques Vidrine and contributors # # Redistribution and use in source (VuXML) and 'compiled' forms (SGML, # HTML, PDF, PostScript, RTF and so forth) with or without modification, # are permitted provided that the following conditions are met: # 1. Redistributions of source code (VuXML) must retain the above # copyright notice, this list of conditions and the following # disclaimer as the first lines of this file unmodified. # 2. Redistributions in compiled form (transformed to other DTDs, # published online in any format, converted to PDF, PostScript, # RTF and other formats) must reproduce the above copyright # notice, this list of conditions and the following disclaimer # in the documentation and/or other materials provided with the # distribution. # # THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS "AS IS" # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, # THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR # PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS # BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, # OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT # OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR # BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE # OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION, # EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # include("compat.inc"); if (description) { script_id(35240); script_version("1.14"); script_cvs_date("Date: 2019/08/02 13:32:39"); script_cve_id("CVE-2008-5178"); script_xref(name:"Secunia", value:"32752"); script_name(english:"FreeBSD : opera -- multiple vulnerabilities (225bc349-ce10-11dd-a721-0030843d3802)"); script_summary(english:"Checks for updated packages in pkg_info output"); script_set_attribute( attribute:"synopsis", value: "The remote FreeBSD host is missing one or more security-related updates." ); script_set_attribute( attribute:"description", value: "The Opera Team reports : Manipulating certain text-area contents can cause a buffer overflow, which may be exploited to execute arbitrary code. Certain HTML constructs can cause the resulting DOM to change unexpectedly, which triggers a crash. To inject code, additional techniques will have to be employed. Exceptionally long host names in file: URLs can cause a buffer overflow, which may be exploited to execute arbitrary code. Remote Web pages cannot refer to file: URLs, so successful exploitation involves tricking users into manually opening the exploit URL, or a local file that refers to it. When Opera is previewing a news feed, some scripted URLs are not correctly blocked. These can execute scripts which are able to subscribe the user to any feed URL that the attacker chooses, and can also view the contents of any feeds that the user is subscribed to. These may contain sensitive information. Built-in XSLT templates incorrectly handle escaped content and can cause it to be treated as markup. If a site accepts content from untrusted users, which it then displays using XSLT as escaped strings, this can allow scripted markup to be injected. The scripts will then be executed in the security context of that site." ); # http://www.opera.com/support/kb/view/920/ script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?ed400860" ); # http://www.opera.com/support/kb/view/921/ script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?71f5e1a9" ); # http://www.opera.com/support/kb/view/922/ script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?8cb3b592" ); # http://www.opera.com/support/kb/view/923/ script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?185b4896" ); # http://www.opera.com/support/kb/view/924/ script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?cdbb754c" ); # https://vuxml.freebsd.org/freebsd/225bc349-ce10-11dd-a721-0030843d3802.html script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?64faa1d7" ); script_set_attribute(attribute:"solution", value:"Update the affected packages."); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"exploit_framework_core", value:"true"); script_set_attribute(attribute:"exploit_framework_canvas", value:"true"); script_set_attribute(attribute:"canvas_package", value:'D2ExploitPack'); script_cwe_id(119); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:linux-opera"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:opera"); script_set_attribute(attribute:"cpe", value:"cpe:/o:freebsd:freebsd"); script_set_attribute(attribute:"vuln_publication_date", value:"2008/11/18"); script_set_attribute(attribute:"patch_publication_date", value:"2008/12/19"); script_set_attribute(attribute:"plugin_publication_date", value:"2008/12/21"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"FreeBSD Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/FreeBSD/release", "Host/FreeBSD/pkg_info"); exit(0); } include("audit.inc"); include("freebsd_package.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/FreeBSD/release")) audit(AUDIT_OS_NOT, "FreeBSD"); if (!get_kb_item("Host/FreeBSD/pkg_info")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (pkg_test(save_report:TRUE, pkg:"opera<9.63")) flag++; if (pkg_test(save_report:TRUE, pkg:"linux-opera<9.63")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:pkg_report_get()); else security_hole(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");NASL family Windows NASL id OPERA_963.NASL description The version of Opera installed on the remote host is earlier than 9.63 and thus reportedly affected by several issues : - It may be possible to execute arbitrary code on the remote system by manipulating certain text-area contents. (920) - It may be possible to crash the remote browser using certain HTML constructs or inject code under certain conditions. (921) - It may be possible to trigger a buffer overflow, and potentially execute arbitrary code, by tricking an user to click on a URL that contains exceptionally long host names. (922) - While previewing news feeds, Opera does not correctly block certain scripted URLs. Such scripts, if not blocked, may be able to subscribe a user to other arbitrary feeds and view contents of the feeds to which the user is currently subscribed. (923) - By displaying content using XSLT as escaped strings, it may be possible for a website to inject scripted markup. (924) - SSL server certificates are not properly validated due to an unspecified error. (CVE-2012-1251) last seen 2020-06-01 modified 2020-06-02 plugin id 35185 published 2008-12-16 reporter This script is Copyright (C) 2008-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/35185 title Opera < 9.63 Multiple Vulnerabilities code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(35185); script_version("1.14"); script_cve_id("CVE-2008-5178", "CVE-2012-1251"); script_bugtraq_id(32323, 32864, 32891); script_name(english:"Opera < 9.63 Multiple Vulnerabilities"); script_summary(english:"Checks version number of Opera"); script_set_attribute(attribute:"synopsis", value: "The remote host contains a web browser that is affected by several issues." ); script_set_attribute(attribute:"description", value: "The version of Opera installed on the remote host is earlier than 9.63 and thus reportedly affected by several issues : - It may be possible to execute arbitrary code on the remote system by manipulating certain text-area contents. (920) - It may be possible to crash the remote browser using certain HTML constructs or inject code under certain conditions. (921) - It may be possible to trigger a buffer overflow, and potentially execute arbitrary code, by tricking an user to click on a URL that contains exceptionally long host names. (922) - While previewing news feeds, Opera does not correctly block certain scripted URLs. Such scripts, if not blocked, may be able to subscribe a user to other arbitrary feeds and view contents of the feeds to which the user is currently subscribed. (923) - By displaying content using XSLT as escaped strings, it may be possible for a website to inject scripted markup. (924) - SSL server certificates are not properly validated due to an unspecified error. (CVE-2012-1251)" ); script_set_attribute(attribute:"see_also", value:"http://web.archive.org/web/20130225211806/http://www.opera.com/support/kb/view/920/" ); script_set_attribute(attribute:"see_also", value:"http://web.archive.org/web/20130225215248/http://www.opera.com/support/kb/view/921/" ); script_set_attribute(attribute:"see_also", value:"http://web.archive.org/web/20130225211810/http://www.opera.com/support/kb/view/922/" ); script_set_attribute(attribute:"see_also", value:"http://web.archive.org/web/20130225215251/http://www.opera.com/support/kb/view/923/" ); script_set_attribute(attribute:"see_also", value:"http://web.archive.org/web/20130225221045/http://www.opera.com/support/kb/view/924/" ); script_set_attribute(attribute:"see_also", value:"http://web.archive.org/web/20170812134941/http://www.opera.com:80/docs/changelogs/windows/963/" ); script_set_attribute(attribute:"see_also", value:"http://jvn.jp/en/jp/JVN39707339/index.html"); script_set_attribute(attribute:"solution", value: "Upgrade to Opera 9.63 or later." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"exploit_framework_core", value:"true"); script_set_attribute(attribute:"exploit_framework_canvas", value:"true"); script_set_attribute(attribute:"canvas_package", value:'D2ExploitPack'); script_cwe_id(119); script_set_attribute(attribute:"plugin_publication_date", value: "2008/12/16"); script_cvs_date("Date: 2018/11/15 20:50:28"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/a:opera:opera_browser"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Windows"); script_copyright(english:"This script is Copyright (C) 2008-2018 Tenable Network Security, Inc."); script_dependencies("opera_installed.nasl"); script_require_keys("SMB/Opera/Version"); exit(0); } include("global_settings.inc"); version_ui = get_kb_item("SMB/Opera/Version_UI"); version = get_kb_item("SMB/Opera/Version"); if (isnull(version)) exit(0); ver = split(version, sep:'.', keep:FALSE); for (i=0; i<max_index(ver); i++) ver[i] = int(ver[i]); if ( ver[0] < 9 || ( ver[0] == 9 && ( ver[1] < 63 ) ) ) { if (report_verbosity && version_ui) { report = string( "\n", "Opera ", version_ui, " is currently installed on the remote host.\n" ); security_hole(port:get_kb_item("SMB/transport"), extra:report); } else security_hole(get_kb_item("SMB/transport")); }
Saint
| bid | 32323 |
| description | Opera file URI buffer overflow |
| id | web_client_opera9 |
| osvdb | 49882 |
| title | opera_file_uri |
| type | client |
References
- http://archives.neohapsis.com/archives/bugtraq/2008-11/0110.html
- http://osvdb.org/49882
- http://secunia.com/advisories/32752
- http://secunia.com/advisories/34294
- http://security.gentoo.org/glsa/glsa-200903-30.xml
- http://www.opera.com/support/kb/view/922/
- http://www.securityfocus.com/bid/32323
- http://www.vupen.com/english/advisories/2008/3183
- https://exchange.xforce.ibmcloud.com/vulnerabilities/46653
- https://www.exploit-db.com/exploits/7135