Vulnerability Development mailing list archives

RE: Opera Browser goes Crash


From: Michael Erl <Michael.Erl () pentasys de>
Date: Wed, 24 Oct 2001 17:33:21 +0200


The same happens on my machine (Win2000 Server, Opera 5.12). Closes all
windows and is terminated without any notification. When I relaunch Opera
I'm asked how to start because the last session was terminated abnormally.

        Michael Erl



-----Original Message-----
From: Holmes, Ben [mailto:Ben.Holmes () getronics com]
Sent: Tuesday, October 23, 2001 10:53 AM
To: Vuln-Dev (E-mail)
Subject: Opera Browser goes Crash



I usually use Opera browser (it truly is a fast browser), and it just closed
when I went to a link...

The link was "http://www.malware.com/hello.html"

In Netscape, it is supposed to play a sound file...

In I.E it just comes up and allows to view source.

The source is basically a small JavaScript part (and that should work fine),
but the other part is a large embedded sound file.. it is in this form:

'<embed src="data:audio/wav;base64,[Base 64 data of a sound file]"
autostart=true width=0 height=0 loop=true>' tag.

It didn't seem to give an error message or anything.. if it was overflowing
a buffer I'd usually expect that it would generate a windows error message
when it gets random junk like this...  But it just closes.. completely and
gracefully... but it closes nevertheless..

I am thinking:

A> It is a configuration problem on this PC... It decodes the Base 64 (or
goes to) but some plug-in or system it uses to play the file or decode it
that is possibly specific to this PC dies.

B> The length of the embed tag is too long and overflows an internal buffer
and jumps right to a close (either graciously, or by super good error
checking routines)...  Or something else happens that makes windows not
notice that a program is doing wierd_funky_things (tm)

C> The "embed" tag is touchy and its implementation is bad, this doesn't
seem the case though, because if I make the [Base 64 data of a sound file]
part much smaller, it just does the same as IE does.

If it is "B"... is it exploitable in the form:

'<embed src="data:audio/wav;base64,[Nasty code][Padding][address of a jmp
esp]" autostart=true width=0 height=0 loop=true>'

or some other such thing, that would cause "Nasty Code" to be run in the
Opera process.

Does it happen on anyone else's computer that runs Opera... or is this
little currently Opera specific DoS also "this computer" specific...

-- Benjamin Holmes

E&OE. All spelling and grammatical errors are for your enjoyment and
entertainment only and are copyright Benjamin Holmes.

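The thread's trigger is an <embed> whose src is a base64 data: URI carrying a payload far larger than a browser of that era expected, with a smaller payload behaving normally. The following is an added example, not code from the thread or from Opera: a Python check that a proxy or content filter could run on a page before it reaches the browser, decoding each inline data: payload and reporting it as oversized or malformed. The 64 KiB threshold, the function names and the sample page (built with a parameterised payload so both the small and the large case can be seen) are constructed assumptions.

```python
import base64
import binascii
import re

# Assumed policy for a content filter: decoded inline payloads above this
# many bytes are reported rather than handed to a client that may not cope.
MAX_INLINE_BYTES = 64 * 1024

# Matches src="data:<mime>;base64,<payload>" inside an <embed ...> tag.
_EMBED_RE = re.compile(
    r'<embed\b[^>]*?\bsrc\s*=\s*["\']data:([^;"\']+);base64,([^"\']*)["\']',
    re.IGNORECASE | re.DOTALL)

def inspect_inline_embeds(html, max_bytes=MAX_INLINE_BYTES):
    """Return one dict per <embed> whose src is a base64 data: URI.

    Each dict carries the declared MIME type, the decoded payload length
    (None when the base64 is malformed) and a verdict of 'ok', 'oversized'
    or 'malformed'. The payload is only decoded and measured, never rendered.
    """
    findings = []
    for match in _EMBED_RE.finditer(html):
        mime, payload = match.group(1), match.group(2)
        try:
            raw = base64.b64decode(payload, validate=True)
        except (binascii.Error, ValueError):
            findings.append({"mime": mime, "decoded_len": None,
                             "verdict": "malformed"})
            continue
        verdict = "oversized" if len(raw) > max_bytes else "ok"
        findings.append({"mime": mime, "decoded_len": len(raw),
                         "verdict": verdict})
    return findings

def build_sample_page(payload_bytes):
    """Constructed test input: a page with a small inline WAV embed, a large
    one of payload_bytes zero bytes after a RIFF marker, and a broken one."""
    small = base64.b64encode(b"RIFF" + b"\x00" * 60).decode()
    big = base64.b64encode(b"RIFF" + b"\x00" * payload_bytes).decode()
    return (
        "<html><body>"
        f'<embed src="data:audio/wav;base64,{small}" autostart=true width=0 height=0>'
        f'<embed src="data:audio/wav;base64,{big}" autostart=true width=0 height=0 loop=true>'
        '<embed src="data:audio/wav;base64,not*base64" autostart=true>'
        "</body></html>"
    )

if __name__ == "__main__":
    for finding in inspect_inline_embeds(build_sample_page(200_000)):
        print(finding)
```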
