Opera Browser Content Length Buffer Overflow (Mar 18, 2010)

Opera is a web browser and Internet suite developed by the Opera Software Company. The browser handles common Internet-related tasks such as rendering web pages, sending and receiving e-mail messages, chatting on IRC, and downloading files.

Hypertext Transfer Protocol (HTTP) is one of the most popular web browsing protocols used on the Internet. It can be processed by any web browser, including Opera. HTTP is a client/server protocol, and an HTTP session is composed of a sequence of network request-response transactions. An HTTP client initiates a request by establishing a TCP connection to a particular port on a host (typically port 80) and sending a request message. The HTTP server listening on that port responds with a status line upon receiving the request message. For example, a client sends the following request:

    GET /index.html HTTP/1.1
    HOST: 10.0.0.1
    ...

and a server will respond with a response similar to:

    HTTP/1.0 200 OK
    Date: Mon, Mar 15, 2010 13:32:12 GMT
    Content-Type: text/html
    Content-Length: 1022
    ...

In the preceding example the size of the content being transferred, “1022” bytes, is defined by the HTTP header Content-Length. This method of transfer is useful for cases when content is pre-computed and is ready to send as a single response.

A buffer-overflow vulnerability exists in Opera. Specifically, the HTTP Content-Length header is handled incorrectly. Opera uses the sscanf function to read the Content-Length value as a signed 64-bit integer. If the Content-Length value is manipulated carefully, it can lead to a heap buffer overflow in the vulnerable Opera code. A remote attacker who entices a user can use this vulnerability to execute arbitrary code on the target client.
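
An added example, not Opera's or SonicWALL's code: a strict Content-Length parser next to an sscanf-based signed parse like the one described above, showing which header values each one accepts. The function names, the 16 MiB cap (MAX_BODY_BYTES) and the sample values are assumptions made for this illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical policy cap for this example: largest body we agree to buffer. */
#define MAX_BODY_BYTES (16u * 1024u * 1024u)

/* Lenient parse in the style the advisory describes: sscanf into a signed
 * 64-bit integer. It accepts a leading sign and ignores trailing bytes.
 * Returns 0 when a conversion happened, -1 otherwise. */
int parse_lenient(const char *value, long long *out)
{
    return sscanf(value, "%lld", out) == 1 ? 0 : -1;
}

/* Strict parse: decimal digits only, no sign, no trailing bytes, and never
 * above MAX_BODY_BYTES. The cap is checked after every digit, so n cannot
 * wrap around. Returns 0 and sets *out on success, -1 on any rejection. */
int parse_strict(const char *value, size_t *out)
{
    uint64_t n = 0;

    if (value == NULL || value[0] == '\0')
        return -1;
    for (size_t i = 0; value[i] != '\0'; i++) {
        if (value[i] < '0' || value[i] > '9')
            return -1;                 /* rejects '-', '+', spaces, letters */
        n = n * 10 + (uint64_t)(value[i] - '0');
        if (n > MAX_BODY_BYTES)
            return -1;                 /* larger than we will ever allocate */
    }
    *out = (size_t)n;
    return 0;
}

int main(void)
{
    /* Constructed sample header values, not taken from the advisory. */
    const char *samples[] = { "1022", "-1", "+5", "12abc", "4294967296" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        long long l = 0; size_t s = 0;
        int lr = parse_lenient(samples[i], &l);
        int sr = parse_strict(samples[i], &s);
        printf("%-12s lenient=%s (%lld)  strict=%s\n", samples[i],
               lr == 0 ? "ok" : "reject", l, sr == 0 ? "ok" : "reject");
    }
    return 0;
}
```

Only "1022" passes the strict parser; the lenient parser accepts all five sample values, including the negative one.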

The SonicWALL UTM team has researched this vulnerability and created two IPS signatures to prevent attack attempts that target this issue:

  • 4873 Opera Browser Content Length BO Attempt 1
  • 4878 Opera Browser Content Length BO Attempt 2

This vulnerability is not referenced by Common Vulnerabilities and Exposures (CVE).
