Introduction
We reported a vulnerability in Opera Browser on October 22, 2018. The current status of the vulnerability is patched as Opera software has recently released an update on December 19, 2018, to patch a DLL search order hijacking vulnerability after we reported it to them.
Opera 57.0.3098.102 and prior versions are vulnerable to a DLL Search Order hijacking attack. An attacker could send a ZIP archive composed of dummy HTML pages along with a DLL containing payload (malicious DLL) to the target victim. Extracting this archive and executing any HTML page triggers the malicious DLL to load and transfer the access of the system back to the attacker. Meanwhile, the issue was found to be exploitable on Windows 7 Operating systems only.
Vulnerability Analysis
The vulnerability allowed an attacker to load a malicious DLL from any location accessible by the current user. This means that to exploit this vulnerability, an attacker will not need any special access to the system; instead, an attacker can craft a malicious package and send it across to his target. The target can download and keep this package anywhere in the system.
We reported a vulnerability in Opera Browser on October 22, 2018. The current status of the vulnerability is patched as Opera software has recently released an update on December 19, 2018, to patch a DLL search order hijacking vulnerability after we reported it to them.
Opera 57.0.3098.102 and prior versions are vulnerable to a DLL Search Order hijacking attack. An attacker could send a ZIP archive composed of dummy HTML pages along with a DLL containing payload (malicious DLL) to the target victim. Extracting this archive and executing any HTML page triggers the malicious DLL to load and transfer the access of the system back to the attacker. Meanwhile, the issue was found to be exploitable on Windows 7 Operating systems only.
Vulnerability Analysis
The vulnerability allowed an attacker to load a malicious DLL from any location accessible by the current user. This means that to exploit this vulnerability, an attacker will not need any special access to the system; instead, an attacker can craft a malicious package and send it across to his target. The target can download and keep this package anywhere in the system.
Once extracted and any HTML page is executed from this malicious package, due to the vulnerability, the browser tries to load the DLL files from its current folder. Here, the presence of malicious DLL files will trigger the backdoor as soon as the page tries to load in the browser. The vulnerability is a little different than the conventional DLL hijack because most of the DLL hijacks occur from the executable path of the software and are not system-wide. This means in a conventional scenario the attacker will place malicious DLL files in the executable folder for the software which would typically be Program Files directory. However, such scenarios would require an attacker to have access to the target machine already. However, in our case, since the DLL files are searched from the current directory from where the HTML files are executed, the attacker will not require local access at all.
Vulnerable DLLs
The Search order hijack was found for the following DLLs:
1. shcore.dll
2. peerdist.dll
3. dcomp.dll
Vulnerability Acknowledgement
CVE-2018-18913 - (https://blogs.opera.com/desktop/changelog-for-57/)
Security Hall of Fame - https://security.opera.com/hall-of-fame/
Fix
Opera software has patched the vulnerability in the 57.0.3098.106 release of the browser. The Security team at opera has thanked us for finding this issue out and reporting.
Article Link: https://lucideustech.blogspot.com/2019/02/opera-search-order-hijacking-cve-2018-18913.html