Subject: pkg/25588: www/opera7 is local-code-execution exploitable
To: None <gnats-bugs@gnats.NetBSD.org>
From: Christian Biere <christianbiere@gmx.de>
List: pkgsrc-bugs
Date: 05/16/2004 04:19:15
>Number: 25588
>Category: pkg
>Synopsis: www/opera7 is local-code-execution exploitable
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: pkg-manager
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Sun May 16 02:20:00 UTC 2004
>Closed-Date:
>Last-Modified:
>Originator: Christian Biere
>Release: NetBSD 2.0E
>Organization:
>Environment:
System: NetBSD cyclonus 2.0E NetBSD 2.0E (STARSCREAM) #0: Sat Apr 24 19:43:57 CEST 2004 bin@cyclonus:/usr/obj/sys/arch/i386/compile/STARSCREAM i386
>Description:
The startup wrapper script for Opera7 (I've checked 7.23 and 7.50)
contains the shell code shown below in the packages for FreeBSD and
Solaris (but not Linux). This means that if you start opera from an
insecure directory like /tmp, which is (usually) world-writeable, anyone
could place appropriate files there and inject arbitrary code. I do not
have the slightest idea what the legitimate purpose of using $PWD-relative
paths here could be. The vendor was informed on Thursday.
Strike 1:
# Opera enviroment
if test "${OPERA_DIR}" = '' ; then
OPERA_DIR="${PWD}"
fi
export OPERA_DIR
[...]
// Opera package classes get all permissions
grant codebase \"file://${OPERA_DIR}/java//opera.jar\" {
permission java.security.AllPermission;
};
Strike 2:
# Opera Plug-in enviroment, Add more plugin search paths here
# If OPERA_PLUGIN_PATH is set NPX_PLUGIN_PATH will be ignored
for DIR in \
"${PWD}/plugins" \
[...]
if test -d "${DIR}" ; then OPERA_PLUGIN_PATH="${OPERA_PLUGIN_PATH}":"${DIR}"; fi
done
Strike 3 (the worst):
# Setting environment relative to current working directory
LD_LIBRARY_PATH="${PWD}/lib:${LD_LIBRARY_PATH}"
export LD_LIBRARY_PATH
Three strikes and you're out.
>How-To-Repeat:
Exploiting this might require luck (people starting opera while having /tmp
as $PWD) or social engineering (e.g., untarring something in $HOME or $PWD
which includes a lib directory) but should be straightforward besides
that.
>Fix:
Remove all code which adds paths relative to the current working directory
to environment variables from the wrapper script.
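An added example (not part of this PR or of Opera's own wrapper) showing the fix in POSIX sh: the install prefix is derived from the wrapper's own location instead of ${PWD}, the LD_LIBRARY_PATH builder accepts only absolute prefixes, and a small audit lists search-path entries that a loader would resolve against the working directory. The function names, the assumed <prefix>/bin/opera layout and the sample paths are my assumptions.

```shell
#!/bin/sh
# Added example, not the Opera wrapper: anchor every path on the package's
# install prefix instead of ${PWD}, and audit a search path for entries
# that resolve against the working directory.

# Derive the install prefix from the wrapper's own path ("$1" stands in
# for "$0"). Assumes the layout <prefix>/bin/opera, so the prefix is the
# parent of the script's directory; ${PWD} is never used for the answer.
opera_install_dir() {
    _script="$1"
    case "$_script" in
        /*)  ;;
        */*) _script="$(pwd -P)/$_script" ;;
        *)   _script="$(command -v "$_script" || echo "$_script")" ;;
    esac
    ( cd "$(dirname "$_script")/.." && pwd -P )
}

# Build LD_LIBRARY_PATH from a fixed absolute prefix; refuse anything else,
# so relative or working-directory-derived entries cannot get in.
opera_library_path() {
    _prefix="$1"; _existing="$2"
    case "$_prefix" in
        /*) ;;
        *)  echo "refusing non-absolute prefix '$_prefix'" >&2; return 1 ;;
    esac
    if [ -n "$_existing" ]; then printf '%s\n' "$_prefix/lib:$_existing"
    else printf '%s\n' "$_prefix/lib"; fi
}

# Audit a colon-separated search path against working directory "$2":
# print one line per entry that is empty (loader searches "."), relative,
# or located under the working directory, which is exactly what the
# vendor's "${PWD}/lib" expands to. Other absolute entries are silent.
unsafe_path_entries() {
    _rest="$1"; _cwd="$2"; _more=1
    while [ "$_more" = 1 ]; do
        case "$_rest" in
            *:*) _entry="${_rest%%:*}"; _rest="${_rest#*:}" ;;
            *)   _entry="$_rest"; _more=0 ;;
        esac
        case "$_entry" in
            "")                 printf 'empty:\n' ;;
            "$_cwd"|"$_cwd"/*)  printf 'cwd:%s\n' "$_entry" ;;
            /*)                 ;;
            *)                  printf 'relative:%s\n' "$_entry" ;;
        esac
    done
}
```

Running `unsafe_path_entries "$LD_LIBRARY_PATH" "$PWD"` inside the vendor wrapper after its setup code lists the ${PWD}/lib entry the report describes.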
>Release-Note:
>Audit-Trail:
>Unformatted: