Title : Opera Web Browser 12.11 WriteAV Vulnerability
Version : 12.11 Build 1661 and 12.12
Date : 2012-12-03
Vendor : http://www.opera.com/
Impact : High
Contact : coolkaveh [at] rocketmail.com
Twitter : @coolkaveh
tested : windows XP SP3
Author : coolkaveh
#####################################################################################################################
Opera is a web browser and Internet suite developed by Opera Software with over 270 million users worldwide.
The browser handles common Internet-related tasks such as displaying web sites, sending and receiving e-mail
Messages, managing contacts, chatting on IRC, downloading files via BitTorrent, and reading web feeds. Opera is
Offered free of charge for personal computers and mobile phones.
#####################################################################################################################
Bug :
----
Heap corruption during the handling of the Gif files
context-dependent
Successful exploits can allow attackers to execute arbitrary code
----
######################################################################################################################
(f00.704): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000b0b ebx=0000000b ecx=0000100b edx=042bc048 esi=0417ffff edi=00141048
eip=67237c8b esp=0012e3d8 ebp=0000001e iopl=0 nv up ei ng nz na po cy
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010283
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files\Opera\Opera.dll -
Opera!OpSetLaunchMan+0xb69f5:
67237c8b 880e mov byte ptr [esi],cl ds:0023:0417ffff=??
0:000>!exploitable -v
eax=00000b0b ebx=0000000b ecx=0000100b edx=042bc048 esi=0417ffff edi=00141048
eip=67237c8b esp=0012e3d8 ebp=0000001e iopl=0 nv up ei ng nz na po cy
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010283
Opera!OpSetLaunchMan+0xb69f5:
67237c8b 880e mov byte ptr [esi],cl ds:0023:0417ffff=??
HostMachine\HostUser
Executing Processor Architecture is x86
Debuggee is in User Mode
Debuggee is a live user mode debugging session on the local machine
Event Type: Exception
*** ERROR: Symbol file could not be found. Defaulted to export symbols for ntdll.dll -
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\WINDOWS\system32\WINMM.dll -
Exception Faulting Address: 0x417ffff
First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Write Access Violation
Exception Hash (Major/Minor): 0x63712c74.0x0c14230f
Stack Trace:
Opera!OpSetLaunchMan+0xb69f5
Opera!OpSetLaunchMan+0xb66fc
Opera!OpSetLaunchMan+0xb644a
Opera!OpSetLaunchMan+0x38f4d
Opera!OpSetLaunchMan+0x1b7b3
Opera!OpSetLaunchMan+0x20a498
Opera!OpSetLaunchMan+0x1fb4e3
Opera!OpSetLaunchMan+0x1fb5d5
Opera!OpSetLaunchMan+0x16d0c1
ntdll!RtlRemoveVectoredExceptionHandler+0x2a2
ntdll!RtlAllocateHeap+0x117
Opera!OpSetLaunchMan+0x1503b9
ntdll!RtlRemoveVectoredExceptionHandler+0x823
ntdll!RtlFreeHeap+0x130
WINMM!timeGetTime+0x2c
Instruction Address: 0x0000000067237c8b
Description: User Mode Write AV
Short Description: WriteAV
Exploitability Classification: EXPLOITABLE
Recommended Bug Title: Exploitable - User Mode Write AV starting at Opera!OpSetLaunchMan+0x00000000000b69f5 (Hash=0x63712c74.0x0c14230f)
User mode write access violations that are not near NULL are exploitable.
################################################################################
Proof of concept included.
http://www21.zippyshare.com/v/83302158/file.html
http://www.exploit-db.com/sploits/23107.zip