Opera Browser File URI Buffer Overflow (Nov 20, 2008)

Opera is a web browser similar to Microsoft Internet Explorer and Mozilla Firefox. It is capable of displaying web pages and executing web applications. It can also interpret and render many types of Internet content, including various versions of HTML, XML, CSS (Cascade Style Sheet), JavaScript, various graphic formats and so on. Opera is made available for Windows, Macintosh, Unix and Linux based platforms.

Uniform Resource Identifier scheme (URI) is a very common naming structure that can be parsed by Opera. An example of an URI is http://www.sonicwall.com. These URIs can be embedded into any HTML web page to link to the other web pages.

There is a buffer overflow vulnerability in Opera Web browser. The vulnerability occurs when the browser tries to parse a very long URI starts with file://. The string may overwrite a fixed sized heap-based buffer and corrupt the memory, or even lead the execution of the injected code.

SonicWALL UTM team has developed a signature to block any attack addressing this issue, which is listed as bellow：

• 3641 Opera Browser File URI Handling BO Attempt

There are also some existing signatures that can detect most of the suspicious shell codes in a web page, which are listed as bellow. They will largely eliminate the possibility of the attacks that try to inject and execute shell code by exploiting this vulnerability.

• 3124 Javascript Code Injection Attempt (Win/Linux)

• 3127 Javascript Code Injection Attempt (Mac)

• 4096 Mozilla Firefox Wrapped JavaScript Code Execution

• 4665 Javascript Code Injection Attempt (Win/Linux) 2

• 4701 Javascript Code Injection Attempt (Win/Linux) 3

• 4744 Javascript Code Injection Attempt (Win/Linux) 4

• 4760 Unicode Javascript Code Injection Attempt 1

• 4761 Unicode Javascript Code Injection Attempt 2

• 5051 Javascript Code Injection Attempt (Win/Linux) 5

There will be another article summarizes these JavaScript Code Injection signatures soon.