Opera JPEG Processing Heap Corruption Vulnerabilities
Opera is vulnerable when parsing the JPEG file format. Four vulnerabilities were discovered, each in a different segment of the file format. In this advisory posidron describes the two important ones.
1 - ntdll.RtlAllocateHeap() DHT vulnerability
2 - ntdll.RtlAllocateHeap() SOS vulnerability
Opera Mini for mobile phones could also be vulnerable. The second bug looks very interesting in this regard.
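The advisory names the DHT and SOS segments but does not say which fields were malformed. The following is an added example, not posidron's code and not a reproduction of the Opera bugs: it shows the bounds checks a native parser can apply to those two segments before sizing any allocation from them, using the segment layouts of the JPEG standard (ITU-T T.81). The function names, error codes and the constructed sample marker stream (not a decodable image) are assumptions made here.

```c
#include <stddef.h>
#include <stdint.h>

enum { JPG_OK, JPG_BAD_SOI, JPG_BAD_MARKER, JPG_BAD_LEN, JPG_BAD_DHT, JPG_BAD_SOS };

/* DHT body: one or more [Tc/Th byte][16 code counts][sum(counts) symbols]. */
static int check_dht(const uint8_t *b, size_t n) {
    size_t i = 0;
    do {
        if (n - i < 17 || (b[i] >> 4) > 1 || (b[i] & 0x0F) > 3) return JPG_BAD_DHT;
        size_t codes = 0;
        for (int k = 1; k <= 16; k++) codes += b[i + k];
        /* Counts come from the file: cap at T.81's 256 and at the bytes left. */
        if (codes > 256 || codes > n - i - 17) return JPG_BAD_DHT;
        i += 17 + codes;
    } while (i < n);
    return JPG_OK;
}

/* SOS body: [Ns][Ns x (Cs, Td/Ta)][Ss][Se][Ah/Al], so its size is 2*Ns + 4. */
static int check_sos(const uint8_t *b, size_t n) {
    if (n < 1 || b[0] < 1 || b[0] > 4) return JPG_BAD_SOS;
    return n == 2 * (size_t)b[0] + 4 ? JPG_OK : JPG_BAD_SOS;
}

/* Walk markers from SOI to the first SOS (or EOI), validating DHT and SOS. */
int jpeg_check_segments(const uint8_t *d, size_t len) {
    if (len < 2 || d[0] != 0xFF || d[1] != 0xD8) return JPG_BAD_SOI;
    for (size_t p = 2; len - p >= 2; ) {
        if (d[p] != 0xFF) return JPG_BAD_MARKER;
        uint8_t m = d[p + 1];
        if (m == 0xFF) { p++; continue; }                 /* fill byte */
        if (m == 0xD9) return JPG_OK;                     /* EOI */
        if (m == 0x01 || (m >= 0xD0 && m <= 0xD7)) { p += 2; continue; }
        if (len - p < 4) return JPG_BAD_LEN;
        size_t seg = ((size_t)d[p + 2] << 8) | d[p + 3];  /* counts its own 2 bytes */
        if (seg < 2 || seg > len - p - 2) return JPG_BAD_LEN;
        if (m == 0xDA) return check_sos(d + p + 4, seg - 2);
        if (m == 0xC4 && check_dht(d + p + 4, seg - 2) != JPG_OK) return JPG_BAD_DHT;
        p += 2 + seg;
    }
    return JPG_BAD_LEN;                                   /* ran out before SOS/EOI */
}

/* Constructed sample: SOI, one DHT table, SOS header; c1 = first code count, ns = Ns. */
int check_sample(uint8_t c1, uint8_t ns) {
    uint8_t s[] = { 0xFF,0xD8, 0xFF,0xC4,0x00,0x14, 0x00, c1, 0,0,0,0,0, 0,0,0,0,0, 0,0,0,0,0,
                    0x00, 0xFF,0xDA,0x00,0x08, ns,0x01,0x00, 0x00,0x3F,0x00 };
    return jpeg_check_segments(s, sizeof s);
}
```

`check_sample(1, 1)` is the well-formed case; raising the code count or the component count beyond what the declared segment length can hold is rejected before any table would be sized from it.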
Vulnerable Systems:
* Opera version 9.01 Build 8552
Details
The following code produces the sample image on which all further operations are made. It's a valid image which was generated with Adobe Photoshop.
Credit:
The information has been provided by posidron.
The original article can be found at: http://www.milw0rm.com/exploits/3101
http://www.securiteam.com/exploits/5YP082AKAW.html