
Safari Integer Overflow Aids Inter Protocol Exploitation


Post by andry, Tue Aug 17, 2010 4:34 am

This has been out there for almost a week, but I thought it was worthwhile to talk about a little bit. Safari has a typical integer overflow in the way they look at ports. So if you add the number 65,536 to the port you want to connect to (in this case 25 + 65,536 = 65,561) you can bypass their port blocking. The guys at Goatse Security [NSFW] found a way to use the old Inter-protocol exploitation attack against sendmail all over again.

There are a lot of implications here - first of all, port blocking is wildly insufficient. It's not on all browsers, and even if it were, blocking 100 out of the 65,000 potential ports is just asking for problems. Secondly, no one is doing this sort of research. There is a ridiculous number of services out there that may be forgiving enough to allow a browser to "speak" to them, but I don't see anyone outside of a handful of people, like Weev, Wade Alcorn, Samy Kamkar, Aaron Weaver and myself, doing this kind of research. There are literally thousands of potentially exploitable services out there! It could take years at this rate to even map out the issues with the privileged ports. Scary. Lastly, the port blocking that is in place is obviously not working either - because we've found more than one way to bypass it (first using FTP instead of HTTP in Mozilla and now integer overflows in Safari). Feels like a huge can of worms to me that would be better solved with a whitelist instead of a blacklist.
andry
Moderator
Posts : 467
Join date : 2010-05-07
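The failure mode described in the post, as an added example that is not Safari's or WebKit's code: a constructed blocklist check performed on the wide integer a URL parser produced, while the socket layer keeps only the low 16 bits, beside a version that validates the port range first and an allowlist version of the kind the post argues for. The blocked and allowed port lists are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed example of the bug class, not Safari's code. A browser-style
 * blocklist of "restricted" ports the client refuses to connect to. */
static const unsigned long kBlockedPorts[] = { 21, 22, 25, 110, 143 };
/* Allowlist alternative (assumed values): only these ports may be contacted. */
static const uint16_t kAllowedPorts[] = { 80, 443, 8080 };

static bool blocked(unsigned long port) {
    for (size_t i = 0; i < sizeof kBlockedPorts / sizeof *kBlockedPorts; i++)
        if (kBlockedPorts[i] == port) return true;
    return false;
}

static bool allowed(uint16_t port) {
    for (size_t i = 0; i < sizeof kAllowedPorts / sizeof *kAllowedPorts; i++)
        if (kAllowedPorts[i] == port) return true;
    return false;
}

/* Vulnerable pattern: the blocklist is compared against the full value parsed
 * from the URL, but the socket layer stores the port in 16 bits, so 65561 is
 * "not 25" at check time and becomes 25 on the wire. Returns the port that
 * would actually be dialled, or -1 if the connection is refused. */
int connect_port_vulnerable(unsigned long requested) {
    if (blocked(requested)) return -1;
    uint16_t wire_port = (uint16_t)requested;  /* silent truncation: 65561 -> 25 */
    return wire_port;
}

/* Fixed: canonicalise first (reject anything outside 1..65535), then check
 * the blocklist against the exact value that will reach the socket layer. */
int connect_port_hardened(unsigned long requested) {
    if (requested < 1 || requested > 65535) return -1;
    uint16_t port = (uint16_t)requested;
    if (blocked(port)) return -1;
    return port;
}

/* Allowlist variant: same range check, then permit only known-good ports. */
int connect_port_allowlist(unsigned long requested) {
    if (requested < 1 || requested > 65535) return -1;
    return allowed((uint16_t)requested) ? (int)requested : -1;
}

int main(void) {
    unsigned long probes[] = { 25, 65561, 80, 8080 + 65536 };
    for (size_t i = 0; i < sizeof probes / sizeof *probes; i++)
        printf("%lu: vulnerable=%d hardened=%d allowlist=%d\n", probes[i],
               connect_port_vulnerable(probes[i]), connect_port_hardened(probes[i]),
               connect_port_allowlist(probes[i]));
    return 0;
}
```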
