Opera Browser Content Length Buffer Overflow

March 18, 2010

Opera is a web browser and Internet suite developed by Opera Software. The browser handles common Internet-related tasks such as rendering web pages, sending and receiving e-mail, chatting on IRC, and downloading files.

Hypertext Transfer Protocol (HTTP) is one of the most widely used web protocols on the Internet and is supported by every web browser, including Opera. HTTP is a client/server protocol, and an HTTP session consists of a sequence of network request-response transactions. Basically, an HTTP client initiates a request by establishing a TCP connection to a particular port on a host (typically port 80) and sending a request message. The HTTP server listening on that port responds with a status line upon receiving the request message. For example, a client sends the following request:

  GET /index.html HTTP/1.1
  HOST: ...

and a server will respond with a response similar to:

  HTTP/1.0 200 OK
  Date: Mon, Mar 15, 2010 13:32:12 GMT
  Content-Type: text/html
  Content-Length: 1022

  ...

In the preceding example the size of the content being transferred, 1022 bytes, is declared by the Content-Length HTTP header. This method of transfer is useful when the content is pre-computed and ready to be sent as a single response.

A buffer overflow vulnerability exists in Opera. Specifically, the HTTP Content-Length header is handled incorrectly: Opera uses the sscanf function to read the Content-Length value as a signed 64-bit integer. A carefully manipulated Content-Length value can lead to a heap buffer overflow in the vulnerable Opera code. A remote attacker can exploit this vulnerability, by enticing a user to visit a malicious page, to execute arbitrary code on the target client.
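The parsing defect described above is a general one: scanning a header value straight into a signed integer accepts negatives and over-large numbers that later poison allocation arithmetic. The following added example (not code from Opera or from the advisory) contrasts that naive pattern with a strict Content-Length parser a client should use; MAX_BODY_BYTES is an assumed local policy cap, not a value from the page.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

/* Assumed policy cap on how large a body this client is willing to buffer. */
#define MAX_BODY_BYTES (64LL * 1024 * 1024)

/* Naive pattern: sscanf straight into a signed 64-bit integer, no checks.
 * "-1" parses happily; once that value is cast to size_t for an allocation
 * or compared against a 32-bit buffer size it becomes huge or truncated,
 * which is the kind of mismatch the advisory above describes. */
long long parse_content_length_naive(const char *value)
{
    long long n = 0;
    sscanf(value, "%lld", &n);
    return n;
}

/* Strict parser: accepts only the grammar HTTP gives for the field, a run
 * of ASCII digits (optionally surrounded by SP/HTAB and ending at CRLF).
 * Returns the length on success, or -1 if the value is negative, signed,
 * non-numeric, followed by junk, out of 64-bit range or above the cap. */
long long parse_content_length_strict(const char *value)
{
    const char *p = value;
    char *end;
    unsigned long long n;

    while (*p == ' ' || *p == '\t') p++;
    if (*p < '0' || *p > '9') return -1;          /* rejects "", "-1", "+1" */
    errno = 0;
    n = strtoull(p, &end, 10);
    if (errno == ERANGE) return -1;               /* does not fit in 64 bits */
    while (*end == ' ' || *end == '\t') end++;
    if (*end != '\0' && *end != '\r' && *end != '\n') return -1; /* trailing junk */
    if (n > (unsigned long long)MAX_BODY_BYTES) return -1;       /* above policy cap */
    return (long long)n;
}
```

The strict version is also what a proxy or IPS can apply to a response header before it reaches the browser: anything that is not a plain digit string within the cap is simply not a valid Content-Length.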

The SonicWALL UTM team has researched this vulnerability and created two IPS signatures to detect and block attempts to exploit this issue:

  • 4873 Opera Browser Content Length BO Attempt 1
  • 4878 Opera Browser Content Length BO Attempt 2

No Common Vulnerabilities and Exposures (CVE) identifier has been assigned to this vulnerability.