Opera Browser File URI Buffer Overflow (Nov 20, 2008)


Opera is a web browser similar to Microsoft Internet Explorer and Mozilla Firefox. It is capable of displaying web pages and executing web applications. It can also interpret and render many types of Internet content, including various versions of HTML, XML, CSS (Cascading Style Sheets), JavaScript, various graphic formats and so on. Opera is available for Windows, Macintosh, Unix and Linux platforms.

The Uniform Resource Identifier (URI) is a very common naming structure that Opera can parse. An example of a URI is http://www.sonicwall.com. URIs can be embedded in any HTML web page to link to other web pages.

There is a buffer overflow vulnerability in the Opera web browser. The vulnerability occurs when the browser tries to parse a very long URI that starts with file://. The string may overflow a fixed-size heap-based buffer and corrupt memory, or even lead to execution of injected code.

The SonicWALL UTM team has developed a signature to block attacks targeting this issue, listed below:

  • 3641 Opera Browser File URI Handling BO Attempt
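
The condition described above (a very long URI beginning with file:// embedded in a page) can also be checked for in captured or proxied HTML. The following is an added example, not SonicWALL's signature 3641 or any vendor code; the 2048-character threshold, the attribute list and the sample page are assumptions, since the advisory only says "very long".

```python
import re
from html.parser import HTMLParser

# Assumed threshold: the advisory gives no exact length; tune for your environment.
MAX_FILE_URI_LEN = 2048
# Assumed set of URL-bearing attributes worth inspecting.
URL_ATTRS = {"href", "src", "action", "data", "background", "codebase"}
# file:// plus the run of characters up to whitespace, a quote or an angle bracket.
FILE_URI_RE = re.compile(r"file://[^\s\"'<>]*", re.IGNORECASE)


class FileUriScanner(HTMLParser):
    """Collects (location, length) for over-long file:// URIs in a page."""

    def __init__(self, max_len=MAX_FILE_URI_LEN):
        super().__init__(convert_charrefs=True)
        self.max_len = max_len
        self.findings = []

    def _check(self, where, text):
        for match in FILE_URI_RE.finditer(text):
            if len(match.group(0)) > self.max_len:
                self.findings.append((where, len(match.group(0))))

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in URL_ATTRS and value:
                # Attribute values arrive with character references decoded,
                # so "file&#58;//..." is seen here as "file://...".
                self._check(f"<{tag} {name}>", value.strip())

    def handle_data(self, data):
        # Covers URIs written as string literals inside <script> blocks.
        self._check("text/script", data)


def scan_html(html, max_len=MAX_FILE_URI_LEN):
    """Return a list of (location, length) for file:// URIs longer than max_len."""
    scanner = FileUriScanner(max_len)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample: an ordinary link, a short file:// link, an over-long one.
SAMPLE = ('<a href="http://www.sonicwall.com">home</a>'
          '<a href="file:///C:/docs/readme.txt">local</a>'
          '<img src="FILE://' + "A" * 5000 + '">')

if __name__ == "__main__":
    for where, length in scan_html(SAMPLE):
        print(f"suspicious file:// URI in {where}: {length} chars")
```

A length check like this only flags the over-long URI itself; it says nothing about whether a given browser build is affected.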

There are also some existing signatures that can detect most suspicious shellcode in a web page, listed below. They largely eliminate the possibility of attacks that try to inject and execute shellcode by exploiting this vulnerability.

  • 3124 Javascript Code Injection Attempt (Win/Linux)
  • 3127 Javascript Code Injection Attempt (Mac)
  • 4096 Mozilla Firefox Wrapped JavaScript Code Execution
  • 4665 Javascript Code Injection Attempt (Win/Linux) 2
  • 4701 Javascript Code Injection Attempt (Win/Linux) 3
  • 4744 Javascript Code Injection Attempt (Win/Linux) 4
  • 4760 Unicode Javascript Code Injection Attempt 1
  • 4761 Unicode Javascript Code Injection Attempt 2
  • 5051 Javascript Code Injection Attempt (Win/Linux) 5

Another article summarizing these JavaScript Code Injection signatures will follow soon.
