VIR Vulnerability Intelligence Relay

CVE-2012-6470

critical
Published 2013-01-02 ยท Modified 2026-04-29
๐Ÿ’ฌ Discuss on Community โœš Propose mitigation
CVSS v3
โ€”
CVSS v4 NEW
โ€”
not yet in upstream
VIR risk
10.0

Description

Opera before 12.12 does not properly allocate memory for GIF images, which allows remote attackers to execute arbitrary code or cause a denial of service (memory overwrite) via a malformed image.

Predictions

Exploit likelihood
20%
Patch ETA
โ€”

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

No mitigations published for this CVE yet.

The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or โ€” if you've already worked around this in production โ€” publish your fix to the community-verified tier.

โœš Propose a mitigation on Community โ†’ Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here with source_tier=community-verified.

Exploits

Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.

Exploit-DB

EDB-23107 dos windows verified text ยท 4 KB
coolkaveh ยท 2012-12-03

Opera Web Browser 12.11 - Crash (PoC)

text exploit Source: Exploit-DB 
Title    :  Opera Web Browser 12.11 WriteAV Vulnerability
Version  :  12.11 Build 1661 and 12.12
Date     :  2012-12-03
Vendor   :  http://www.opera.com/
Impact   :  High
Contact  :  coolkaveh [at] rocketmail.com
Twitter  :  @coolkaveh
tested   :  windows XP SP3
Author   :  coolkaveh
#####################################################################################################################
Opera is a web browser and Internet suite developed by Opera Software with over 270 million users worldwide.
The browser handles common Internet-related tasks such as displaying web sites, sending and receiving e-mail 
Messages, managing contacts, chatting on IRC, downloading files via BitTorrent, and reading web feeds. Opera is 
Offered free of charge for personal computers and mobile phones.
#####################################################################################################################
Bug :
----
Heap corruption during the handling of the Gif files
context-dependent
Successful exploits can allow attackers to execute arbitrary code
---- 
######################################################################################################################
(f00.704): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000b0b ebx=0000000b ecx=0000100b edx=042bc048 esi=0417ffff edi=00141048
eip=67237c8b esp=0012e3d8 ebp=0000001e iopl=0         nv up ei ng nz na po cy
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010283
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files\Opera\Opera.dll - 
Opera!OpSetLaunchMan+0xb69f5:
67237c8b 880e            mov     byte ptr [esi],cl          ds:0023:0417ffff=??
0:000>!exploitable -v
eax=00000b0b ebx=0000000b ecx=0000100b edx=042bc048 esi=0417ffff edi=00141048
eip=67237c8b esp=0012e3d8 ebp=0000001e iopl=0         nv up ei ng nz na po cy
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010283
Opera!OpSetLaunchMan+0xb69f5:
67237c8b 880e            mov     byte ptr [esi],cl          ds:0023:0417ffff=??
HostMachine\HostUser
Executing Processor Architecture is x86
Debuggee is in User Mode
Debuggee is a live user mode debugging session on the local machine
Event Type: Exception
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for ntdll.dll - 
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\WINDOWS\system32\WINMM.dll - 
Exception Faulting Address: 0x417ffff
First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Write Access Violation

Exception Hash (Major/Minor): 0x63712c74.0x0c14230f

Stack Trace:
Opera!OpSetLaunchMan+0xb69f5
Opera!OpSetLaunchMan+0xb66fc
Opera!OpSetLaunchMan+0xb644a
Opera!OpSetLaunchMan+0x38f4d
Opera!OpSetLaunchMan+0x1b7b3
Opera!OpSetLaunchMan+0x20a498
Opera!OpSetLaunchMan+0x1fb4e3
Opera!OpSetLaunchMan+0x1fb5d5
Opera!OpSetLaunchMan+0x16d0c1
ntdll!RtlRemoveVectoredExceptionHandler+0x2a2
ntdll!RtlAllocateHeap+0x117
Opera!OpSetLaunchMan+0x1503b9
ntdll!RtlRemoveVectoredExceptionHandler+0x823
ntdll!RtlFreeHeap+0x130
WINMM!timeGetTime+0x2c
Instruction Address: 0x0000000067237c8b

Description: User Mode Write AV
Short Description: WriteAV
Exploitability Classification: EXPLOITABLE
Recommended Bug Title: Exploitable - User Mode Write AV starting at Opera!OpSetLaunchMan+0x00000000000b69f5 (Hash=0x63712c74.0x0c14230f)

User mode write access violations that are not near NULL are exploitable.
################################################################################
Proof of concept included. 
http://www21.zippyshare.com/v/83302158/file.html 
Exploit-DB Mirror: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/23107.zip

Application impact
VendorProductVersionsFixed
operaopera_browser{"endIncluding":"12.11"}
operaopera_browser1.00
operaopera_browser2.00
operaopera_browser2.10
operaopera_browser2.12
operaopera_browser3.00
operaopera_browser3.10
operaopera_browser3.21
operaopera_browser3.50
operaopera_browser3.51
operaopera_browser3.60
operaopera_browser3.61
operaopera_browser3.62
operaopera_browser4.00
operaopera_browser4.01
operaopera_browser4.02
operaopera_browser5.0
operaopera_browser5.02
operaopera_browser5.10
operaopera_browser5.11
operaopera_browser5.12
operaopera_browser6.0
operaopera_browser6.1
operaopera_browser6.01
operaopera_browser6.02
operaopera_browser6.03
operaopera_browser6.04
operaopera_browser6.05
operaopera_browser6.06
operaopera_browser6.11
operaopera_browser6.12
operaopera_browser7.0
operaopera_browser7.01
operaopera_browser7.02
operaopera_browser7.03
operaopera_browser7.10
operaopera_browser7.11
operaopera_browser7.20
operaopera_browser7.21
operaopera_browser7.22
operaopera_browser7.23
operaopera_browser7.50
operaopera_browser7.51
operaopera_browser7.52
operaopera_browser7.53
operaopera_browser7.54
operaopera_browser7.60
operaopera_browser8.0
operaopera_browser8.01
operaopera_browser8.02
operaopera_browser8.50
operaopera_browser8.51
operaopera_browser8.52
operaopera_browser8.53
operaopera_browser8.54
operaopera_browser9.0
operaopera_browser9.01
operaopera_browser9.02
operaopera_browser9.10
operaopera_browser9.12
operaopera_browser9.20
operaopera_browser9.21
operaopera_browser9.22
operaopera_browser9.23
operaopera_browser9.24
operaopera_browser9.25
operaopera_browser9.26
operaopera_browser9.27
operaopera_browser9.50
operaopera_browser9.51
operaopera_browser9.52
operaopera_browser9.60
operaopera_browser9.61
operaopera_browser9.62
operaopera_browser9.63
operaopera_browser9.64
operaopera_browser10.00
operaopera_browser10.01
operaopera_browser10.10
operaopera_browser10.11
operaopera_browser10.20
operaopera_browser10.50
operaopera_browser10.51
operaopera_browser10.52
operaopera_browser10.53
operaopera_browser10.54
operaopera_browser10.60
operaopera_browser10.61
operaopera_browser10.62
operaopera_browser10.63
operaopera_browser11.00
operaopera_browser11.01
operaopera_browser11.10
operaopera_browser11.11
operaopera_browser11.50
operaopera_browser11.51
operaopera_browser11.52
operaopera_browser11.52.1100
operaopera_browser11.60
operaopera_browser11.61
operaopera_browser11.62
operaopera_browser11.64
operaopera_browser11.65
operaopera_browser11.66
operaopera_browser12.00
operaopera_browser12.01
operaopera_browser12.02
operaopera_browser12.10

References

CWEs

CWE-119

Community-verified mitigations for this CVE will appear above when contributors publish them.

Verify integrity in audit chain (admin only). AS-IS.