Opera Browser JPEG Image and JavaScript Handling Remote Command Execution Vulnerabilities

 

Release Date: 05/01/2007
Severity: Highly Critical
SecWatch Advisory: SWID1016651
Cause: Not specified
Solution Status: Vendor Patch
Impact: Execution of arbitrary code
Exploit Status: Exploit Available
Access Vector: From remote
 
Affected Software: Opera 9.x
 
Original Advisory: http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=4..
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=4..
http://www.opera.com/support/search/supsearch.dml?index=851
http://www.opera.com/support/search/supsearch.dml?index=852
References: FrSIRT/ADV-2007-0060
CVE: CVE-2007-0126 CVE-2007-0127
Secunia: SA23613

 

Description:

Two vulnerabilities in Opera have been reported, which can be exploited by remote users to compromise a user's system.

1) An error within the processing of JPEG files can be exploited to cause a heap-based buffer overflow via a JPEG file with a specially crafted DHT marker.

2) An error within createSVGTransformFromMatrix() can be exploited by passing an incorrect object to that function.

Successful exploitation of the vulnerabilities allows execution of arbitrary code.
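For item 1, the advisory does not say which DHT field is malformed. As an added example (not code from Opera, iDEFENSE or this advisory), the C check below enforces the structural limits the JPEG format places on a DHT segment before a decoder trusts it: table class and id in range, at most 256 symbols per table, and the symbols fitting inside the declared segment length. The function names, result codes and sample bytes are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum { DHT_OK = 0, DHT_TRUNCATED = -1, DHT_BAD_CLASS_ID = -2,
       DHT_TOO_MANY_SYMBOLS = -3, DHT_OVERRUNS_SEGMENT = -4 };

/* One DHT payload (bytes after the length field) holds one or more tables:
 * 1 byte Tc/Th, 16 code-length counts, then sum(counts) symbol bytes. */
static int dht_payload_check(const uint8_t *p, size_t n) {
    size_t off = 0;
    while (off < n) {
        if (n - off < 17) return DHT_TRUNCATED;
        if ((p[off] >> 4) > 1 || (p[off] & 0x0F) > 3) return DHT_BAD_CLASS_ID;
        size_t total = 0;
        for (int i = 1; i <= 16; i++) total += p[off + i];
        if (total > 256) return DHT_TOO_MANY_SYMBOLS;
        if (total > n - off - 17) return DHT_OVERRUNS_SEGMENT;
        off += 17 + total;
    }
    return DHT_OK;
}

/* Walk marker segments from SOI up to SOS and check every DHT (0xFFC4). */
int dht_check(const uint8_t *buf, size_t len) {
    if (len < 4 || buf[0] != 0xFF || buf[1] != 0xD8) return DHT_TRUNCATED;
    size_t off = 2;
    while (len - off >= 4 && buf[off] == 0xFF) {
        uint8_t m = buf[off + 1];
        if (m == 0xFF) { off++; continue; }      /* fill byte before a marker */
        size_t seglen = ((size_t)buf[off + 2] << 8) | buf[off + 3];
        if (seglen < 2 || seglen > len - off - 2) return DHT_TRUNCATED;
        int rc = (m == 0xC4) ? dht_payload_check(buf + off + 4, seglen - 2) : DHT_OK;
        if (rc != DHT_OK) return rc;
        if (m == 0xDA) break;                    /* entropy-coded data follows */
        off += 2 + seglen;
    }
    return DHT_OK;
}

/* Constructed samples: SOI, one DHT segment (length 0x15), EOI. */
static const uint8_t ok_jpg[]  = {0xFF,0xD8,0xFF,0xC4,0x00,0x15,0x00,
    0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0, 0x01,0x02, 0xFF,0xD9};
static const uint8_t bad_jpg[] = {0xFF,0xD8,0xFF,0xC4,0x00,0x15,0x00,
    0,200,0,0,0,0,0,0,0,0,0,0,0,0,0,0, 0x01,0x02, 0xFF,0xD9};

int main(void) {
    printf("%d %d\n", dht_check(ok_jpg, sizeof ok_jpg), dht_check(bad_jpg, sizeof bad_jpg));
    return 0;
}
```

The second sample declares 200 symbols in a segment that carries two, which is the kind of count/length disagreement a decoder must reject before sizing or filling its Huffman tables.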

 

Proof of Concept:

Demonstration exploit code is available:
http://secwatch.org/exploits/2007/01/Opera_JPG_DHT.info

 

Solution:

The vulnerabilities have been fixed in version 9.10.

 

Credits:

iDEFENSE

 
