Entering Very Long String in Opera's Manage Contacts Causes the Application to Freeze

 


Summary

We are going to apply an Input Constraint attack to test Opera's Mail feature. The feature lets the user manage contacts, but the Postal Address input box places no limit on the length of the user input. Entering too many characters in the Postal Address field freezes the application.


Application Description

Opera is a Web browser developed in 1994. Its developers claim that it is the fastest and most standards-compliant browser today. It is available for all popular operating systems. (Source: www.opera.com)

Opera's news and e-mail client is called M2. It responds quickly even with a large number of messages, has integrated IMAP and news support, lets the user click on a contact to see all messages from that contact, and offers other features. It also provides features to manage the information about contacts.


Test Design

This presentation was inspired by Risk Based Testing. One possible risk is a buffer overflow vulnerability. We can test for it by applying an Input Constraint attack (James Whittaker, How to Break Software).

More specifically, the attack can be applied by entering a very long string of characters in one of the input fields in Mail -> Manage contacts.

The expected result would be that the application won't allow input that is larger than the buffer of the corresponding field.


Performing the Test

  1. Start the application. Then select Mail -> Manage contacts...

  2. In the menu that appears select New... so we can create a new contact, on which we will perform the test.


  3. The field that will be used in our test is in the Home panel. Enter a very long sequence of characters in it.

Results/Relevance

The application stops responding.

Since contacts can be exported and imported through Mail -> Manage Contacts -> File -> Import/Export Opera contacts, it is possible that this bug is a security threat as well. For example, a malicious user can send a specially crafted contact file which, if imported, will crash the victim's application (see Similar Tests). Sometimes long string inputs can be used to take control of the attacked computer.


Similar Tests/Additional Notes

Let's perform a simple test to see if the problem can be exploited. We will create a contact and export it to a file. Then we will modify the file by placing a very large string of characters in the place that will be imported as the contact's address. Then we will import the file. The goal is to see if one person can use the bug to create a file that when imported as a contact will cause damage to another person's system.

  1. Start by creating a new contact and entering something in the address field (the word "test" in this case). Click OK.

  2. Export the contact to a file.

  3. Now we can open the file to modify it using a plain text editor. If the file is not plain text, such an editor will not be very helpful.

  4. The file is in fact plain text, and it is easy to find the value "POSTALADDRESS=test".

  5. Replace the word "test" with a very long string of characters.

  6. Save the file and import it into Opera's contacts. By importing the file we are playing the role of the victim.

  7. Again it causes the application to stop responding. This time the file could have been sent by someone else, to intentionally cause problems for the victim.

 

The same vulnerability exists for the Notes field.
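
The missing control in the import test above is a length check before field values reach the application. The following is an added example, not part of the original report and not Opera's code: a pre-import check that bounds both the line length and the per-field value length of a KEY=VALUE contact file. Only the `POSTALADDRESS` key comes from the page; the limits, the `NAME` key and the function names are assumptions.

```python
import io

# Assumed limits for illustration; they are not Opera's real buffer sizes.
FIELD_LIMITS = {"POSTALADDRESS": 512}
DEFAULT_LIMIT = 256   # applied to any key without its own entry
MAX_LINE = 4096       # never hold more than this many characters of one line


def read_bounded_lines(stream, max_line=MAX_LINE):
    """Yield (line_no, text, overlong) without buffering an unbounded line."""
    line_no = 0
    while True:
        head = stream.readline(max_line + 1)
        if head == "":
            return
        line_no += 1
        overlong = len(head) > max_line and not head.endswith("\n")
        tail = head
        while overlong and tail and not tail.endswith("\n"):
            tail = stream.readline(max_line + 1)  # drain the rest, keep nothing
        yield line_no, head.rstrip("\r\n"), overlong


def check_contact_file(stream):
    """Return findings as (line_no, key, reason); an empty list means importable."""
    findings = []
    for line_no, text, overlong in read_bounded_lines(stream):
        key, sep, value = text.partition("=")
        key = key.strip().upper() if sep else "?"
        if overlong:
            findings.append((line_no, key, "line exceeds MAX_LINE"))
        elif sep:
            limit = FIELD_LIMITS.get(key, DEFAULT_LIMIT)
            if len(value) > limit:
                findings.append((line_no, key, f"value length {len(value)} > {limit}"))
    return findings


if __name__ == "__main__":
    # Constructed sample; only the POSTALADDRESS key appears on the page.
    sample = io.StringIO("NAME=Test Contact\nPOSTALADDRESS=" + "A" * 600 + "\n")
    for finding in check_contact_file(sample):
        print("reject:", finding)
```

The reader is bounded as well as the field check, so the checker itself cannot be stalled by the same oversized input it is meant to reject.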


Configuration

Testing Opera Software's Opera 7.23 on:


Created 18 June 2004 for the CSTER

All images and written material ©Copyright Georgi Nikolov 2004

This work is licensed under the Creative Commons Attribution-ShareAlike License.
To view a copy of this license, visit
http://creativecommons.org/licenses/by-sa/2.0/
or send a letter to
Creative Commons, 559 Nathan Abbott Way, Stanford, California 94305,
USA.