SecurityReason.com - Our Reason is Security


Topic : Opera 9.50 beta and prior remote DoS (freeze)

SecurityAlert : 3482
CVE : CVE-2007-6523
Security Risk : Low
Remote Exploit : Yes
Local Exploit : No
Exploit Available : Yes
Credit : Gynvael Coldwind
Published : 25.12.2007
Affected Software : Opera 9.50 beta

Advisory Content :

* Name : Opera 9.50 beta / 9.24 Remote DoS
* Type : Remote DoS
* Credits : Gynvael Coldwind of Vexillium & Simey
* Impact : Low

* Short description

Opera is vulnerable to a remote DoS attack using specially crafted BMP files that cause the browser to freeze for a short amount of time (around 4 minutes on a fast computer). An attacker could create a web page that contains multiple BMP files displayed by an <img> tag. This would freeze the browser for N*4 minutes, where N is the number of images (so with 100 images the browser freezes for almost 7 hours). When frozen, the browser consumes 100% CPU power.

* Verbose description

The BMP file format allows Run Length Encoding for 4- and 8-bit bitmaps. The RLE used in the BMP format has additional features like skipping the decompression write pointer to the end of the line (bytes 00 00), skipping to the end of the bitmap (00 01), and moving the write pointer to another line and column (00 02 XX YY).

Opera has an ultra slow implementation of the 00 02 XX YY feature. Normally a decompression algorithm adds XX + YY * width to the write pointer, but Opera has implemented it in a much slower way, with additional checks etc. The implementation performs XX + YY * width incrementations (each with its own checks and other calculations).

An attacker could use this fact to create a BMP file with the maximum possible width (in Opera this would be around 32000 pixels), with the file's data filled with 00 02 FF FF opcodes (see DoS_PoC/DoS_BMP_Generator/test10.cpp for a sample generator).

One malformed bitmap freezes the browser for some time. The time depends on CPU speed. Simple benchmark tests have been performed:

CPU TYPE/SPEED                TIME
Intel Core 2 Quad 2.4 GHz     over 4 minutes
Intel Celeron M 1.6 GHz       over 20 minutes

Through this time the browser is frozen, does not react to user commands, and does not redraw its content.

Additionally, the attacker could create a web page that contains multiple images (<img> tag) to freeze the browser for N*OneFreezeTime (where N is the number of images). See DoS_PoC/RunMe.html for a simple example (10 bitmaps used). Please note that due to Opera's bitmap caching, each bitmap should be named differently (for example test1.bmp, test2.bmp, and so on).
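The following is an added example written for this page; it is not the advisory's code, not the referenced test10.cpp, and not Opera's decoder. It is a small BI_RLE8 decoder in C that handles the 00 02 XX YY delta opcode the way the advisory says a normal decompressor should: it adds XX + YY * width to the write pointer once and bounds-checks the result, so decoding cost is bounded by the stream length plus the output size and does not grow with the size of the delta. A second helper, rle8_delta_naive_steps(), computes how many per-pixel increments a decoder that steps through the delta one pixel at a time would perform, which is the behaviour the advisory attributes to Opera. The function names, the status codes and the 8x2 sample stream are constructed for illustration; the 32000-pixel width and the 00 02 FF FF opcode come from the advisory.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Status codes (constructed for this example). */
enum rle_status {
    RLE_OK = 0,
    RLE_ERR_TRUNCATED,      /* stream ended inside an opcode or without 00 01 */
    RLE_ERR_OUT_OF_BOUNDS   /* a run, literal or delta would leave the bitmap */
};

/* Decode a BI_RLE8 pixel stream into dst, which must hold width*height bytes.
 * Row y, column x lands at dst[y*width + x]; BMP's bottom-up row order is a
 * display convention and is ignored here. Pixels the stream never writes keep
 * their initial value (the caller's "background").
 *
 * Opcodes (first byte, second byte):
 *   n>0, v        : write v n times (encoded run)
 *   0, 0          : end of line
 *   0, 1          : end of bitmap
 *   0, 2, dx, dy  : delta: move the write pointer by dx columns and dy rows
 *   0, n>=3, ...  : n literal bytes follow, padded to an even length
 */
int rle8_decode(const uint8_t *src, size_t src_len,
                uint32_t width, uint32_t height, uint8_t *dst)
{
    size_t pos = 0;
    uint32_t x = 0, y = 0;          /* invariant: x <= width, y <= height */

    while (pos + 2 <= src_len) {
        uint8_t count = src[pos], code = src[pos + 1];
        pos += 2;

        if (count > 0) {                                  /* encoded run */
            if (y >= height || count > width - x) return RLE_ERR_OUT_OF_BOUNDS;
            memset(dst + (size_t)y * width + x, code, count);
            x += count;
            continue;
        }
        switch (code) {
        case 0:                                           /* end of line */
            if (y >= height) return RLE_ERR_OUT_OF_BOUNDS;
            x = 0;
            y++;
            break;
        case 1:                                           /* end of bitmap */
            return RLE_OK;
        case 2: {                                         /* delta */
            if (pos + 2 > src_len) return RLE_ERR_TRUNCATED;
            uint32_t dx = src[pos], dy = src[pos + 1];
            pos += 2;
            /* One addition per axis and one check: the delta is never
             * stepped pixel by pixel, so 00 02 FF FF costs the same as 00 02 01 00. */
            if (dx > width - x || dy >= height - y) return RLE_ERR_OUT_OF_BOUNDS;
            x += dx;
            y += dy;
            break;
        }
        default: {                                        /* absolute (literal) mode */
            size_t n = code, padded = n + (n & 1);
            if (pos + padded > src_len) return RLE_ERR_TRUNCATED;
            if (y >= height || n > width - x) return RLE_ERR_OUT_OF_BOUNDS;
            memcpy(dst + (size_t)y * width + x, src + pos, n);
            pos += padded;
            x += n;
            break;
        }
        }
    }
    return RLE_ERR_TRUNCATED;                             /* no 00 01 marker seen */
}

/* Number of write-pointer increments a decoder performs if it walks a delta
 * one pixel at a time instead of adding dx + dy*width, as the advisory
 * describes Opera doing. Used only to quantify the cost, not by the decoder. */
uint64_t rle8_delta_naive_steps(uint8_t dx, uint8_t dy, uint32_t width)
{
    return (uint64_t)dx + (uint64_t)dy * width;
}

/* Stand-alone demo on a constructed 8x2 stream (not a real file). */
int main(void)
{
    const uint8_t stream[] = {
        3, 'A',                     /* run: three 'A' pixels at row 0 */
        0, 2, 2, 1,                 /* delta: +2 columns, +1 row -> (5,1) */
        0, 3, 'B', 'C', 'D', 0,     /* absolute: 3 literals + 1 pad byte */
        0, 1                        /* end of bitmap */
    };
    uint8_t pixels[16] = {0};
    int rc = rle8_decode(stream, sizeof stream, 8, 2, pixels);
    printf("status %d\n", rc);
    for (uint32_t y = 0; y < 2; y++) {
        for (uint32_t x = 0; x < 8; x++)
            putchar(pixels[y * 8 + x] ? pixels[y * 8 + x] : '.');
        putchar('\n');
    }
    printf("naive steps for one 00 02 FF FF opcode at width 32000: %llu\n",
           (unsigned long long)rle8_delta_naive_steps(0xFF, 0xFF, 32000));
    return 0;
}
```

With the advisory's figures, rle8_delta_naive_steps(0xFF, 0xFF, 32000) is 8,160,255 increments for a single four-byte opcode, which is why a file consisting of nothing but such opcodes keeps the decoder busy for minutes. The arithmetic version above also rejects a delta that would land outside the bitmap instead of silently clamping it, so a hostile stream is refused early rather than decoded slowly.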

* Proof of Concept

(This DoS'es Opera; no warning is provided ;>)

http://gynvael.vexillium.org/opera_dos/

* Disclaimer

This document and all the information it contains is provided "as is", without any warranty. The author is not responsible for the misuse of the information provided in this advisory. The advisory is provided for educational purposes only.

Permission is hereby granted to redistribute this advisory, providing that no changes are made and that the copyright notices and disclaimers remain intact.

Copyright © SecurityReason.com. All Rights Reserved.