The WIse SECurity
Tuesday, November 04, 2008, 11:47
A few days ago there was a bit of movement in the security scene, since Opera 9.61 had just been released.
We got opera:* considered as:
For every opera:* feature.
So by injecting an iframe from opera:historysearch and pointing it to opera:config, the two were treated as a match by the same-origin policy (SOP).
That is the real issue.
Well, not really: that is only one of the hypotheses that have to be satisfied in order to lead to automatic command
The very first and most interesting issue was the CSRF to an opera:* location, allowed by calling the window.open JS method
from a page served over the http: scheme; credit for finding that goes to Roberto Suggi Liverani.
The rest of the story is quite straightforward.
After the issue found by Roberto, I started to play a bit with the historysearch feature's parameters.
It resulted in a very simple attribute-escaping injection in the next/previous links: an XSS.
So by pointing the browser to:
there was the chance to exploit the opera:* scheme once again, but only if the historysearch page
returned at least one result.
That's why the payload needs to be in the attacker's evil page.
The only problem was that '/' could not be used, because of the way Opera encodes and decodes it.
Double URL encoding came to help: the solution was using %%32f instead of %2f.
(Aviv Raff came up with the '<image src=x onerror=Payload' solution.)
And that's the full PoC.
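Why the %%32f trick slips past a filter that decodes only once is easy to show with a few lines of Python. This is an added example written for this post, not the original PoC and not Opera's code; it assumes nothing about Opera beyond the fact, stated above, that the parameter is decoded more than once. A single-pass check sees %2f and finds no slash; canonicalising to a fixed point and counting the decoding rounds both finds the slash and flags the input as multiply encoded.

```python
from urllib.parse import unquote


def decode_to_fixpoint(value: str, max_rounds: int = 5):
    """Percent-decode until the string stops changing.

    Returns (decoded, rounds): the canonical form and the number of
    decoding passes it took. '%%32f' needs two: '%32' -> '2' gives
    '%2f', and a second pass turns that into '/'.
    """
    current, rounds = value, 0
    while rounds < max_rounds:
        nxt = unquote(current)
        if nxt == current:
            break
        current, rounds = nxt, rounds + 1
    return current, rounds


def single_pass_contains_slash(value: str) -> bool:
    # The weak check: decode exactly once, then look for '/'.
    # For '%%32f' this sees '%2f' and answers False.
    return "/" in unquote(value)


def canonical_contains_slash(value: str) -> bool:
    # The stronger check: canonicalise first, then test the result.
    decoded, _ = decode_to_fixpoint(value)
    return "/" in decoded


def is_multiply_encoded(value: str) -> bool:
    # A legitimate client encodes a URL component exactly once, so input
    # that still changes on a second decoding pass deserves rejection.
    _, rounds = decode_to_fixpoint(value)
    return rounds > 1


if __name__ == "__main__":
    # Constructed samples: the '%%32f' form from the post beside its plain cousins.
    for sample in ("%2f", "%%32f", "%252f", "abc"):
        print(sample, decode_to_fixpoint(sample),
              single_pass_contains_slash(sample),
              canonical_contains_slash(sample),
              is_multiply_encoded(sample))
```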
So, another new chrome-like interface to be abused? Maybe.
What is certain is that when a browser adds new local functionality accessible to the user, dressed up as
internal_scheme: with HTML pages and internal JS methods, security should be taken very seriously, by doing:
0. Research into the history of other browsers' flaws;
1. Risk Assessment in the design phase;
2. Threat analysis and Abuse Cases Analysis in the design phase;
3. Secure Code Review of the new features;
4. Black Box Penetration Testing.
And that's where Opera missed its chance.
We all hope they learned something from their history (search).
Now I can say that I'm a melomaniac again.
kuza55, Wednesday, November 05, 2008, 01:25
Nice work Stefano :D
Wisec is written and maintained by Stefano Di Paola.