Opera Vulnerability Discovered - Crash your Wii

--This post if being updated throughout the day, if you are reading via RSS, it is recommended that you go to the actual URL of this post to get the most recent information. --

PS2-Scene is reporting a vulnerability in the Opera Browser. They have posted code which uses SVG to crash the Wii's Web Browser. This could lead to arbitrary code execution. The hackers are busy at work trying to make something useful out of this, while Opera is probably scrambling to issue a patch to fix the problem.

XiaNaix posted:

A flaw exists within Opera's Javascript SVG implementation. When processing a createSVGTransformFromMatrix request Opera does not properly validate the type of object passed to the function. Passing an incorrect object to this function can result in it using a pointer that is user controlled when it attempts to make the virtual function call.

Exploitation of this vulnerability would allow an attacker to execute arbitrary code on the affected host. The attacker would first need to construct a website containing the malicious JavaScript and trick the vulnerable user into visiting the site. This would trigger the vulnerability and allow the code to execute with the privileges of the local user.

This exploit could possibly be used to run code on the Wii!

Get more info and example code from here

I've also added this link to the Wii Portal Page, so if you already have that bookmarked, you can test out the 'Crash My Wii' link from there as well.

So to reiterate, they can get the Wii to crash. This has not yet opened up any way to run homebrew, but it's the hole most hackers have been waiting for. Will update later when more is known.

UPDATE 11:35AM
More information about this bug posted on iDefense. Seems like Opera has known about this one since November.

UPDATE 11:40AM
trapflag on IRC is looking at the registers to find ways to execute code:
http://paste.uni.cc/12615 (x86 opera)

UPDATE 11:45AM
pab_ has it crashing on Opera 9 PPC binary with debugger attached
Debugger Output

UPDATE 12:05PM
Opera's Response to this bug:

"Attackers can specially call the function createSVGTransformFromMatrix to have the browser execute code with the user's rights. The vendor has categorized both of the holes as merely "moderate". The firm argues that it is not easy to exploit the heap overflow consistently."

- http://www.heise-security.co.uk/news/83279

Also, Opera claims they fixed this bug in Opera 9.10... but the Wii's version appears to be earlier than that.

An important thing to note is that if this works, it is also possible for dangerous things to happen to your Wii. Please use caution before you click on any unknown links, as someone may try to implement malicious code that breaks your Wii.

FreePlayPSP on digg writes:

I'm not sure how much is known about the Wii's architecture, so I'm not sure how viable it will be to run our own unsigned code through this. Not to mention that Opera seems to run in a sort of sandbox - I've Lastmeasured my Wii to the point that the browser was 100% unresponsive but the Home button still worked just fine. Haven't tested this out yet, though, so it's possible that this 'breaks' the sandbox.

Nice PoC, lbradeen and larholm. Question, though: is this an actual overflow, or just an out-of-memory glitch from trying to create an array with 0xFFFFFFFF members? I don't know much about how Opera handles memory in its Javascript handler, or if 0xFFFFFFFF means -1 or 4294967295 for Javascript in general. I assume that shoving this function into createSVGTransformFromMatrix simply bypasses some sort of memory limitation check. Is this really usable to run unsigned code, or just to crash the system?

--
Discuss this topic on the following forum posts:

- WiiNewz
- GBA Temp
- QJ.NET
- digg
- WiiLi
- WiiModWii

Or post your comments on this blog.