CVE-2010-1349
Published 2010-04-12
Priority P259 · critical · CVSS 2.0: 10 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
EXPLOIT
EPSS: 19.79% (97.1th percentile)
Integer overflow in Opera 10.10 through 10.50 allows remote attackers to execute arbitrary code via a large Content-Length value, which triggers a heap overflow.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| opera | opera_browser | — | — |
| opera | opera_browser | — | — |
Detection & IOCs (extracted from sources)
Bytes: F3 A5 (REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ESI])
- Exploit delivers a malicious HTTP response with a large Content-Length value to trigger a heap overflow in Opera 10.10–10.50; monitor for abnormally large Content-Length headers served to Opera clients.
- The PoC exploit server listens on TCP port 81 by default and waits for an Opera browser connection before sending the malicious payload; alert on Opera User-Agent connections to non-standard HTTP ports such as 81.
- The exploit uses a REP MOVS (F3 A5) instruction sequence at address 6781E0BA as part of the heap overflow primitive; this byte pattern in shellcode or heap spray context is indicative of exploitation.
- The PoC defaults to TCP port 81 but accepts a command-line argument to override it, meaning the attacker-controlled server could operate on any port.
- The exploit only sends the payload after receiving exactly 8 bytes from the connecting Opera client (MSG_WAITALL), so partial or malformed requests will not trigger payload delivery.
No detection rules found.
References
- http://my.opera.com/securitygroup/blog/2010/03/09/the-malformed-content-length-header-security-issue
- http://osvdb.org/62714
- http://secunia.com/advisories/38820
- http://www.exploit-db.com/exploits/11622
- http://www.opera.com/support/kb/view/948/
- http://www.securityfocus.com/bid/38519
- http://www.securitytracker.com/id?1023690
- http://www.vupen.com/english/advisories/2010/0529
- https://exchange.xforce.ibmcloud.com/vulnerabilities/56673