CVE-2006-1834
CVSS 5.1
Published: 2006-04-19 12:06:00
Revised: 2016-10-17 23:39:37
NMCOS    

[Original] Integer signedness error in Opera before 8.54 allows remote attackers to execute arbitrary code via long values in a stylesheet attribute, which pass a length check. NOTE: a sign extension problem makes the attack easier with shorter strings.


[CNNVD] Opera Web Browser Stylesheet Attribute Buffer Overflow Vulnerability (CNNVD-200604-297)

        Opera is a popular web browser that supports multiple platforms.
        Opera's implementation contains a signed-variable handling vulnerability; a remote attacker may exploit it to crash the Opera program on the client machine.
        Opera has a signed comparison error in a wcsncpy call: an attacker can overwrite a large amount of memory beyond the target buffer, crashing Opera. Exploiting this flaw to execute arbitrary code is difficult, however, because although a large amount of memory is copied, only a small part of it is attacker-controlled.
        An attacker can trigger this vulnerability by specifying an over-long value in a stylesheet attribute. Below is the disassembly of the vulnerable function. Note that if arg_length > 0x7FFFFFFF, the signed comparison at 0x67B8CF0D is bypassed.
        .text:67B8CEFE ; int __stdcall POC_CALL_TO_WCSNCPY_67B8CEFE(wchar_t *,int)
        .text:67B8CEFE POC_CALL_TO_WCSNCPY_67B8CEFE proc near ; CODE XREF: sub_67B4DB72+9D6 p
        .text:67B8CEFE ; _POC_CALL_WSCNCPY_67B8AE6E+1B4 p
        .text:67B8CEFE
        .text:67B8CEFE arg_pbuf_src= dword ptr 4
        .text:67B8CEFE arg_length= dword ptr 8
        .text:67B8CEFE
        .text:67B8CEFE mov eax, POC_pbuf_target
        .text:67B8CF03 push ebx
        .text:67B8CF04 push esi
        .text:67B8CF05 push edi
        .text:67B8CF06 mov edi, [esp+0Ch+arg_length]
        .text:67B8CF0A mov esi, [eax+40h]
        .text:67B8CF0D cmp edi, 4096
        .text:67B8CF13 mov ebx, ecx
        .text:67B8CF15 jl short loc_67B8CF1C ; signedness error
        .text:67B8CF17 mov edi, 4095
        .text:67B8CF1C
        .text:67B8CF1C loc_67B8CF1C: ; CODE XREF: POC_CALL_TO_WCSNCPY_67B8CEFE+17 j
        .text:67B8CF1C push edi ; size_t
        .text:67B8CF1D push [esp+10h+arg_pbuf_src] ; wchar_t *
        .text:67B8CF21 push esi ; wchar_t *
        .text:67B8CF22 call _wcsncpy
        .text:67B8CF27 and word ptr [esi+edi*2], 0
        .text:67B8CF2C add esp, 0Ch
        .text:67B8CF2F mov ecx, ebx
        .text:67B8CF31 push esi ; wchar_t *
        .text:67B8CF32 call sub_67B8CD10
        .text:67B8CF37 test ax, ax
        .text:67B8CF3A jge short loc_67B8CF48
        .text:67B8CF3C mov ecx, [ebx+5D0h]
        .text:67B8CF42 call sub_67B8C7BC
        .text:67B8CF47 inc eax
        .text:67B8CF48
        .text:67B8CF48 loc_67B8CF48: ; CODE XREF: POC_CALL_TO_WCSNCPY_67B8CEFE+3C j
        .text:67B8CF48 pop edi
        .text:67B8CF49 pop esi
        .text:67B8CF4A pop ebx
        .text:67B8CF4B retn 8
        .text:67B8CF4B POC_CALL_TO_WCSNCPY_67B8CEFE endp
        
        Although sending a 2 GB string looks impossible, another bug in the calling function means that injecting a string of only 32k characters is enough: the length is extended to a large negative value.
        .text:67B8AF62 loc_67B8AF62: ; CODE XREF: _POC_CALL_WSCNCPY_67B8AE6E+E2 j
        .text:67B8AF62 movsx eax, [ebp+var_length_ovfl] ; here the error occurs: short int length is sign extended
        .text:67B8AF62 ; to a long integer. the result is a large negative value if length
        .text:67B8AF62 ; is negative.
        .text:67B8AF66 jmp short loc_67B8AF5D
        
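The two integer defects the listings above describe, worked through as an added illustration that is not Opera's code: the 16-bit length sign-extended the way the movsx at 67B8AF62 does, and the signed compare at 67B8CF0D that lets a negative length reach wcsncpy as a huge size_t, next to a hardened check. It assumes a 32-bit target (uint32_t models size_t) and that 4096 wchar_t is the destination capacity, as the cmp/mov pair suggests; no copy is performed, only the counts are computed.

```c
#include <stdint.h>
#include <stdio.h>

/* Added illustration, not Opera's code: models the two integer defects in the
 * listings above on a 32-bit target (uint32_t stands in for size_t). */

#define TARGET_CAP 4096   /* assumed: wchar_t slots in the fixed destination buffer */

/* Caller side (67B8AF62): the attribute length lives in a 16-bit variable and
 * is sign-extended (movsx) into a 32-bit int. 35000 = 0x88B8 reads as -30536. */
static int32_t caller_length_sign_extended(uint32_t attr_chars) {
    int16_t stored = (int16_t)(uint16_t)attr_chars;   /* truncated to 16 bits */
    return (int32_t)stored;                           /* movsx eax, word */
}

/* Callee side (67B8CF0D..67B8CF1C): signed compare, then the value is pushed
 * as size_t. Returns the count wcsncpy would receive. */
static uint32_t vulnerable_copy_count(int32_t arg_length) {
    int32_t n = arg_length;
    if (!(n < TARGET_CAP))       /* jl: any negative n passes as "small" */
        n = TARGET_CAP - 1;
    return (uint32_t)n;          /* push edi ; size_t */
}

/* Where the terminating 'and word ptr [esi+edi*2], 0' lands, as a byte offset
 * from the buffer start, with 32-bit address wrap-around. */
static uint32_t terminator_offset_bytes(uint32_t count) {
    return count * 2u;
}

/* Hardened form: reject negative lengths before any cast to size_t, then clamp. */
static int length_is_valid(int32_t arg_length) {
    return arg_length >= 0;
}

static uint32_t fixed_copy_count(int32_t arg_length) {
    if (!length_is_valid(arg_length))
        return 0;                /* caller must treat this as an error, not a copy */
    return (uint32_t)arg_length < TARGET_CAP ? (uint32_t)arg_length : TARGET_CAP - 1;
}

int main(void) {
    int32_t len = caller_length_sign_extended(35000);   /* the 35000 'A's in the PoC */
    uint32_t n = vulnerable_copy_count(len);
    printf("movsx length      : %d\n", (int)len);
    printf("wcsncpy count     : 0x%08X wchar_t\n", (unsigned)n);
    printf("terminator offset : 0x%08X bytes\n", (unsigned)terminator_offset_bytes(n));
    printf("fixed count       : %u (valid=%d)\n", (unsigned)fixed_copy_count(len), length_is_valid(len));
    return 0;
}
```

The wrapped terminator offset shows that even the single null write lands far outside the buffer, which is why a crash is reliable while controlled code execution is not.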

- CVSS (base score)

CVSS score: 5.1 [MEDIUM]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

- CWE (weakness category)

CWE-189 [Numeric Errors]

- CPE (affected platforms and products)

cpe:/a:opera:opera_browser:8.53  Opera Browser 8.53
cpe:/a:opera:opera_browser:4.00:beta6  Opera Browser 4.00b6
cpe:/a:opera:opera_browser:5.0:beta5  Opera Browser 5.0 beta 5
cpe:/a:opera:opera_browser:4.00:beta3  Opera Browser 4.00b3
cpe:/a:opera:opera_browser:8.50  Opera Browser 8.50
cpe:/a:opera:opera_browser:5.0:beta4  Opera Browser 5.0 beta 4
cpe:/a:opera:opera_browser:3.00  Opera Browser 3.00
cpe:/a:opera:opera_browser:4.00:beta5  Opera Browser 4.00b5
cpe:/a:opera:opera_browser:8.52  Opera Browser 8.52
cpe:/a:opera:opera_browser:8.51  Opera Browser 8.51
cpe:/a:opera:opera_browser:5.0:beta8  Opera Browser 5.0 beta 8
cpe:/a:opera:opera_browser:4.00:beta4  Opera Browser 4.00b4
cpe:/a:opera:opera_browser:7.01  Opera Browser 7.01
cpe:/a:opera:opera_browser:7.03  Opera Browser 7.03
cpe:/a:opera:opera_browser:4.00:beta2  Opera Browser 4.00b2
cpe:/a:opera:opera_browser:7.02  Opera Browser 7.02
cpe:/a:opera:opera_browser:6.1  Opera Browser 6.1
cpe:/a:opera:opera_browser:8.0:beta2  Opera Browser 8.0 beta 2
cpe:/a:opera:opera_browser:6.1:beta1  Opera Browser 6.1 beta 1
cpe:/a:opera:opera_browser:8.0  Opera Browser 8.0
cpe:/a:opera:opera_browser:6.0:beta2  Opera Browser 6.0 beta 2
cpe:/a:opera:opera_browser:6.0  Opera Browser 6.0
cpe:/a:opera:opera_browser:8.0:beta1  Opera Browser 8.0 beta 1
cpe:/a:opera:opera_browser:7.50:beta1  Opera Browser 7.50 beta 1
cpe:/a:opera:opera_browser:6.0:tp1  Opera Browser 6.0 TP 1
cpe:/a:opera:opera_browser:2.12  Opera Browser 2.12
cpe:/a:opera:opera_browser:1.00  Opera Browser 1.00
cpe:/a:opera:opera_browser:8.0:beta3  Opera Browser 8.0 beta 3
cpe:/a:opera:opera_browser:6.0:beta1  Opera Browser 6.0 beta 1
cpe:/a:opera:opera_browser:6.0:tp2  Opera Browser 6.0 TP 2
cpe:/a:opera:opera_browser:6.0:tp3  Opera Browser 6.0 TP 3
cpe:/a:opera:opera_browser:8.01  Opera Browser 8.01
cpe:/a:opera:opera_browser:3.62:beta  Opera Browser 3.62b
cpe:/a:opera:opera_browser:5.11  Opera Browser 5.11
cpe:/a:opera:opera_browser:4.02  Opera Browser 4.02
cpe:/a:opera:opera_browser:8.02  Opera Browser 8.02
cpe:/a:opera:opera_browser:5.12  Opera Browser 5.12
cpe:/a:opera:opera_browser:4.00  Opera Browser 4.00
cpe:/a:opera:opera_browser:4.01  Opera Browser 4.01
cpe:/a:opera:opera_browser:5.10  Opera Browser 5.10
cpe:/a:opera:opera_browser:7.0:beta1_v2  Opera Browser 7.0 beta 1 v2
cpe:/a:opera:opera_browser:6.05  Opera Browser 6.05
cpe:/a:opera:opera_browser:3.21  Opera Browser 3.21
cpe:/a:opera:opera_browser:2.10  Opera Browser 2.10
cpe:/a:opera:opera_browser:7.11:beta2  Opera Browser 7.11 beta 2
cpe:/a:opera:opera_browser:3.60  Opera Browser 3.60
cpe:/a:opera:opera_browser:7.22  Opera Browser 7.22
cpe:/a:opera:opera_browser:7.10:beta1  Opera Browser 7.10 beta 1
cpe:/a:opera:opera_browser:7.21  Opera Browser 7.21
cpe:/a:opera:opera_browser:7.60  Opera Browser 7.60
cpe:/a:opera:opera_browser:7.23  Opera Browser 7.23
cpe:/a:opera:opera_browser:6.12  Opera Browser 6.12
cpe:/a:opera:opera_browser:7.20  Opera Browser 7.20
cpe:/a:opera:opera_browser:3.61  Opera Browser 3.61
cpe:/a:opera:opera_browser:5.02  Opera Browser 5.02
cpe:/a:opera:opera_browser:6.11  Opera Browser 6.11
cpe:/a:opera:opera_browser:3.62  Opera Browser 3.62
cpe:/a:opera:opera_browser:7.0  Opera Browser 7.0
cpe:/a:opera:opera_browser:7.0:beta1  Opera Browser 7.0 beta 1
cpe:/a:opera:opera_browser:7.0:beta2  Opera Browser 7.0 beta 2
cpe:/a:opera:opera_browser:5.0:beta3  Opera Browser 5.0 beta 3
cpe:/a:opera:opera_browser:5.0:beta2  Opera Browser 5.0 beta 2
cpe:/a:opera:opera_browser:5.0  Opera Browser 5.0
cpe:/a:opera:opera_browser:5.0:beta7  Opera Browser 5.0 beta 7
cpe:/a:opera:opera_browser:5.0:beta6  Opera Browser 5.0 beta 6
cpe:/a:opera:opera_browser:3.10  Opera Browser 3.10
cpe:/a:opera:opera_browser:7.51  Opera Browser 7.51
cpe:/a:opera:opera_browser:7.50  Opera Browser 7.50
cpe:/a:opera:opera_browser:2.10:beta3  Opera Browser 2.10b3
cpe:/a:opera:opera_browser:2.10:beta2  Opera Browser 2.10b2
cpe:/a:opera:opera_browser:7.52  Opera Browser 7.52
cpe:/a:opera:opera_browser:7.11  Opera Browser 7.11
cpe:/a:opera:opera_browser:2.00  Opera Browser 2.00
cpe:/a:opera:opera_browser:7.10  Opera Browser 7.10
cpe:/a:opera:opera_browser:7.54  Opera Browser 7.54
cpe:/a:opera:opera_browser:7.20:beta7  Opera Browser 7.20 beta 7
cpe:/a:opera:opera_browser:3.00:beta  Opera Browser 3.00b
cpe:/a:opera:opera_browser:7.54:update1  Opera Browser 7.54 update 1
cpe:/a:opera:opera_browser:6.01  Opera Browser 6.01
cpe:/a:opera:opera_browser:6.06  Opera Browser 6.06
cpe:/a:opera:opera_browser:7.54:update2  Opera Browser 7.54 update 2
cpe:/a:opera:opera_browser:7.53  Opera Browser 7.53
cpe:/a:opera:opera_browser:6.04  Opera Browser 6.04
cpe:/a:opera:opera_browser:3.50  Opera Browser 3.50
cpe:/a:opera:opera_browser:2.10:beta1  Opera Browser 2.10b1
cpe:/a:opera:opera_browser:6.02  Opera Browser 6.02
cpe:/a:opera:opera_browser:6.03  Opera Browser 6.03
cpe:/a:opera:opera_browser:3.51  Opera Browser 3.51

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1834
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-1834
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200604-297
(official data source) CNNVD

- Other links and resources

http://lists.suse.com/archive/suse-security-announce/2006-May/0004.html
(UNKNOWN)  SUSE  SUSE-SR:2006:010
http://marc.info/?l=full-disclosure&m=114493114031891&w=2
(UNKNOWN)  FULLDISC  20060413 SEC Consult SA-20060314 :: Opera Browser CSS Attribute Integer Wrap / Buffer Overflow
http://security.gentoo.org/glsa/glsa-200606-01.xml
(UNKNOWN)  GENTOO  GLSA-200606-01
http://securitytracker.com/id?1015912
(UNKNOWN)  SECTRACK  1015912
http://www.opera.com/docs/changelogs/windows/854/
(UNKNOWN)  CONFIRM  http://www.opera.com/docs/changelogs/windows/854/
http://www.sec-consult.com/259.html
(UNKNOWN)  MISC  http://www.sec-consult.com/259.html
http://www.securityfocus.com/archive/1/archive/1/430876/100/0/threaded
(UNKNOWN)  BUGTRAQ  20060413 SEC Consult SA-20060314 :: Opera Browser CSS Attribute Integer Wrap / Buffer Overflow
http://www.securityfocus.com/bid/17513
(PATCH)  BID  17513
http://www.vupen.com/english/advisories/2006/1354
(UNKNOWN)  VUPEN  ADV-2006-1354
http://xforce.iss.net/xforce/xfdb/25829
(UNKNOWN)  XF  opera-wcsncpy-css-bo(25829)

- Vulnerability information

Opera Web Browser Stylesheet Attribute Buffer Overflow Vulnerability
Medium  Numeric Errors
2006-04-19 00:00:00 2006-04-20 00:00:00
Remote

- Advisories and patches

        The vendor has released an upgrade patch that fixes this security issue; patch download link:
        http://www.opera.com

- Vulnerability information

31744
Opera Integer signedness Stylesheet Arbitrary Code Execution
Loss of Integrity Upgrade
Exploit Private Vendor Verified

- Vulnerability description

- Timeline

2006-04-13 Unknown
Unknown Unknown

- Solution

Upgrade to version 8.54 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- References

- Vulnerability author

Unknown or Incomplete

- Vulnerability information

Opera Web Browser Stylesheet Attribute Buffer Overflow Vulnerability
Boundary Condition Error 17513
Yes No
2006-04-13 12:00:00 2006-06-07 05:52:00
SEC Consult Unternehmensberatung GmbH is credited with the discovery of this vulnerability.

- Affected program versions

SuSE SUSE Linux Enterprise Server 8
+ Linux kernel 2.4.21
+ Linux kernel 2.4.19
S.u.S.E. SuSE Linux Standard Server 8.0
S.u.S.E. SuSE Linux School Server for i386
S.u.S.E. SUSE LINUX Retail Solution 8.0
S.u.S.E. SuSE Linux Openexchange Server 4.0
S.u.S.E. Open-Enterprise-Server 9.0
S.u.S.E. Novell Linux Desktop 9.0
S.u.S.E. Linux Professional 10.0 OSS
S.u.S.E. Linux Professional 9.3 x86_64
S.u.S.E. Linux Professional 9.3
S.u.S.E. Linux Professional 9.2 x86_64
S.u.S.E. Linux Professional 9.2
S.u.S.E. Linux Professional 9.1 x86_64
S.u.S.E. Linux Professional 9.1
S.u.S.E. Linux Professional 9.0 x86_64
S.u.S.E. Linux Professional 9.0
S.u.S.E. Linux Professional 8.2
S.u.S.E. Linux Personal 10.0 OSS
S.u.S.E. Linux Personal 9.3 x86_64
S.u.S.E. Linux Personal 9.3
S.u.S.E. Linux Personal 9.2 x86_64
S.u.S.E. Linux Personal 9.2
S.u.S.E. Linux Personal 9.1 x86_64
S.u.S.E. Linux Personal 9.1
S.u.S.E. Linux Personal 9.0 x86_64
S.u.S.E. Linux Personal 9.0
S.u.S.E. Linux Personal 8.2
S.u.S.E. Linux Enterprise Server 9
S.u.S.E. Linux Desktop 1.0
Opera Software Opera Web Browser 8.52
Gentoo Linux
Opera Software Opera Web Browser 8.54

- Unaffected program versions

Opera Software Opera Web Browser 8.54

- Vulnerability discussion

Opera is prone to a buffer-overflow vulnerability. This issue is due to the application's failure to properly bounds-check user-supplied input before using it in a string-copy operation.

This issue allows remote attackers to crash affected web browsers. Due to the nature of this issue, attackers may be able to exploit this issue to execute machine code, but this has not been confirmed.

Opera version 8.52 is vulnerable to this issue; other versions may also be affected.

- Exploit

The following HTML content is reportedly sufficient to crash the browser:

<STYLE type=text/css>A { FONT-FAMILY: 35000x'A' } </STYLE>

- Solution

Opera has released version 8.54 to address this issue.

Please see the references for vendor advisories and fixes.


Opera Software Opera Web Browser 8.52

- References
