Safari Integer Overflow Aids Inter Protocol Exploitation
This has been out there for almost a week, but I thought it was worthwhile to talk about a little bit. Safari has a typical integer overflow in the way it looks at ports. So if you add the number 65,536 to the port you want to connect to (in this case 25 + 65,536 = 65,561) you can bypass their port blocking. The guys at Goatse Security [NSFW] found a way to use the old Inter-protocol exploitation attack against sendmail all over again.
There are a lot of implications here - first of all, port blocking is wildly insufficient. It’s not on all browsers, and even if it were, blocking 100 out of the 65,000 potential ports is just asking for problems. Secondly, no one is doing this sort of research. There are a ridiculous number of services out there that may be forgiving enough to allow a browser to “speak” to them, but I don’t see anyone outside of a handful of people, like Weev, Wade Alcorn, Samy Kamkar, Aaron Weaver and myself doing this kind of research. There are literally thousands of potentially exploitable services out there! It could take years at this rate to even map out the issues with the privileged ports. Scary. Lastly, the port blocking that is in place is obviously not working either - because we’ve found more than one way to bypass it (first using FTP instead of HTTP in Mozilla and now integer overflows in Safari). Feels like a huge can of worms to me that would be better solved with a whitelist instead of a blacklist.
andry- Moderator
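The mechanism behind the bypass described in the post, as an added example that is not part of the original post or of Safari's code: a port blocklist is consulted on the parsed integer, but the port is later stored in a 16-bit field, so 65,561 wraps to 25 and the connection reaches SMTP. The blocklist, allowlist and URL below are constructed for illustration; `vulnerableIsAllowed`, `hardenedIsAllowed` and `allowlistIsAllowed` are hypothetical names, not a real browser API.

```javascript
// Added example (not from the original post): 16-bit port wrap-around
// versus a port blocklist, and the range check / allowlist that close it.

// Subset of ports browsers commonly refuse for http:// (constructed list).
const BLOCKED_PORTS = new Set([21, 22, 23, 25, 110, 119, 143, 465, 587, 6667]);

// Allowlist the post argues for instead of a blacklist (constructed list).
const ALLOWED_PORTS = new Set([80, 443, 8080, 8443]);

// Pull the numeric port out of a URL with a regex rather than the URL class,
// because the WHATWG URL parser already rejects ports above 65535.
function parsePort(url) {
  const m = /^[a-z][a-z0-9+.-]*:\/\/[^/:]+:(\d+)/i.exec(url);
  return m ? parseInt(m[1], 10) : null;
}

// The port the socket actually receives once the value is truncated to an
// unsigned 16-bit field: 65561 & 0xffff === 25.
function effectivePort(port) {
  return port & 0xffff;
}

// Vulnerable check: tests the parsed integer as-is, so 65561 is "not 25"
// and passes, even though the connection lands on port 25.
function vulnerableIsAllowed(port) {
  return !BLOCKED_PORTS.has(port);
}

// Hardened blocklist check: reject anything outside 1..65535 before the
// lookup, so the value checked and the value connected to are identical.
function hardenedIsAllowed(port) {
  if (!Number.isInteger(port) || port < 1 || port > 65535) return false;
  return !BLOCKED_PORTS.has(port);
}

// Allowlist check: anything not explicitly known-safe is refused, which
// also rejects out-of-range values without a separate range test.
function allowlistIsAllowed(port) {
  return Number.isInteger(port) && ALLOWED_PORTS.has(port);
}

// Summarise what each policy decides for a given URL.
function evaluate(url) {
  const port = parsePort(url);
  return {
    parsed: port,
    effective: port === null ? null : effectivePort(port),
    vulnerable: port !== null && vulnerableIsAllowed(port),
    hardened: port !== null && hardenedIsAllowed(port),
    allowlist: port !== null && allowlistIsAllowed(port),
  };
}

// Constructed sample URL in the style of the post (25 + 65536 = 65561).
console.log(evaluate("http://mail.example.test:65561/"));
```

Run it with `node` and the vulnerable policy reports the URL as allowed while the effective port is 25; both the range-checked blocklist and the allowlist refuse it.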