Subject: pkg/25588: www/opera7 is local-code-execution exploitable
To: None <gnats-bugs@gnats.NetBSD.org>
From: Christian Biere <christianbiere@gmx.de>
List: pkgsrc-bugs
Date: 05/16/2004 04:19:15
>Number:         25588
>Category:       pkg
>Synopsis:       www/opera7 is local-code-execution exploitable
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    pkg-manager
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Sun May 16 02:20:00 UTC 2004
>Closed-Date:
>Last-Modified:
>Originator:     Christian Biere
>Release:        NetBSD 2.0E
>Organization:
>Environment:
System: NetBSD cyclonus 2.0E NetBSD 2.0E (STARSCREAM) #0: Sat Apr 24 19:43:57 CEST 2004 bin@cyclonus:/usr/obj/sys/arch/i386/compile/STARSCREAM i386
>Description:

The startup wrapper script for Opera7 - I've checked 7.23 and 7.50 -
contains the shell code as seen below in the packages for FreeBSD and
Solaris (but not Linux). This means if you start opera from an insecure
directory like /tmp, which is (usually) world-writable, anyone could
place appropriate files there and inject arbitrary code. I do not have
the slightest idea what the legitimate purpose behind using $PWD-relative
paths here is. The vendor was informed on Thursday.

Strike 1:
# Opera enviroment
if test "${OPERA_DIR}" = '' ; then
    OPERA_DIR="${PWD}"
fi
export OPERA_DIR

[...]
// Opera package classes get all permissions
grant codebase \"file://${OPERA_DIR}/java//opera.jar\" {
	permission java.security.AllPermission;
};

Strike 2:
# Opera Plug-in enviroment, Add more plugin search paths here
# If OPERA_PLUGIN_PATH is set NPX_PLUGIN_PATH will be ignored

for DIR in \
    "${PWD}/plugins" \

[...]
    if test -d "${DIR}" ; then OPERA_PLUGIN_PATH="${OPERA_PLUGIN_PATH}":"${DIR}"; fi
done

Strike 3 (the worst):
# Setting environment relative to current working directory
LD_LIBRARY_PATH="${PWD}/lib:${LD_LIBRARY_PATH}"
export LD_LIBRARY_PATH

Three strikes and you're out.

>How-To-Repeat:

Exploiting this might require luck (people starting opera while having /tmp
as $PWD) or social engineering (e.g., untarring something in $HOME or $PWD
that includes a lib directory) but should be straightforward besides
that.

>Fix:

Remove all code which adds paths relative to the current working directory
to environment variables from the wrapper script.
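
As an added illustration of the fix above (not part of this PR and not the Opera wrapper's code), a packager-side shell check: a static lint that flags $PWD-derived paths in a wrapper script, and a runtime audit of an already-expanded search path such as LD_LIBRARY_PATH. The sample wrapper lines are constructed, and @PREFIX@ stands in for the package install prefix.

```shell
#!/bin/sh
# Added example (not code from this PR or from the Opera wrapper): checks a
# packager can run on a vendor start-up script before shipping it.

# lint_pwd_paths FILE: static check. Prints every line that builds a path from
# the current working directory ($PWD, ${PWD}, `pwd`, $(pwd)); returns 1 if any.
lint_pwd_paths() {
    grep -n -E '\$[{]?PWD[}]?|`pwd`|\$[(]pwd[)]' "$1" && return 1
    return 0
}

# audit_search_path PATHSTRING: runtime check on an expanded, colon-separated
# search path (LD_LIBRARY_PATH, a plugin path). Rejects empty and relative
# entries (both resolve against the current directory) and absolute entries
# that are world-writable directories such as /tmp. Returns 1 on any rejection.
audit_search_path() {
    _rc=0
    [ -z "$1" ] && return 0
    _rest="$1:"
    while [ -n "$_rest" ]; do
        _entry=${_rest%%:*}; _rest=${_rest#*:}
        case "$_entry" in
            '') echo "reject '' (empty entry, i.e. the current directory)"; _rc=1; continue ;;
            /*) ;;
            *)  echo "reject '$_entry' (relative path)"; _rc=1; continue ;;
        esac
        if [ -d "$_entry" ] && [ -n "$(find "$_entry" -maxdepth 0 -perm -0002 2>/dev/null)" ]; then
            echo "reject '$_entry' (world-writable directory)"; _rc=1
        fi
    done
    return $_rc
}

# lint_wrapper_text TEXT: write TEXT to a temporary file and run the lint on it.
lint_wrapper_text() {
    _f=$(mktemp) || return 2
    printf '%s\n' "$1" >"$_f"
    if lint_pwd_paths "$_f"; then _r=0; else _r=1; fi
    rm -f "$_f"
    return $_r
}

# Constructed samples. BAD repeats the "Strike 3" pattern; note it also leaves a
# trailing empty entry when LD_LIBRARY_PATH was unset. GOOD uses a fixed install
# prefix (@PREFIX@ is a placeholder) and only appends the old value if non-empty.
BAD_WRAPPER='LD_LIBRARY_PATH="${PWD}/lib:${LD_LIBRARY_PATH}"
export LD_LIBRARY_PATH'
GOOD_WRAPPER='LD_LIBRARY_PATH="@PREFIX@/lib/opera${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}"
export LD_LIBRARY_PATH'
```

The runtime audit is worth running on the expanded value as well as linting the source, because `"${PWD}/lib:${LD_LIBRARY_PATH}"` with LD_LIBRARY_PATH unset yields a trailing empty entry, which the audit rejects for the same reason as a relative path.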

>Release-Note:
>Audit-Trail:
>Unformatted: