web application security lab

Opera Null Issues

Well this is by far one of the weirdest bugs I’ve seen in a while. In doing some tests with my fuzzer, I realized that Opera doesn’t really handle null bytes very well. And I use the word “handle” loosely. It sorta can’t handle them at all. I ran a test where I injected a null byte immediately before a paragraph causing the whole bottom of the page to not show up when you view source. The obvious uses for causing things to fail to load when you view source are data hiding and obfuscation.

The second and much weirder issue is if you inject a null before lines of text it can cause them to fail to render completely within Opera. Why? I cannot fathom why that would happen, but it’s a pretty bizarre bug. Clearly Opera cannot handle nulls properly. Both Firefox and Internet Explorer happily ignore it and move on, rendering the page without any issues.

If you’ve got Opera installed you can see for yourself what I mean. Click here to see the Opera null byte issues. I can’t say how easy or difficult it is to fix these types of issues within Opera because I have no idea how their rendering engine is built, unlike Gecko and Internet Explorer’s rendering engines. Either way, it’s time to fix that one. This blog post goes out to Kyran for getting me to play with Opera a little more this morning. With that said, I’m going back to Firefox for day to day browsing.
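
A defender-side check for the behaviour described above, as an added example that is not part of the original post: it scans raw HTML bytes for NUL characters, reports where each one sits, and shows what a viewer that stops at the first NUL would display. The stop-at-first-NUL model, the function names and the sample document are assumptions made for illustration, not a description of Opera's internals.

```python
# Added example: flag NUL bytes in an HTML document and show what a
# NUL-truncating viewer would miss. All names here are hypothetical.
from dataclasses import dataclass


@dataclass
class NulFinding:
    offset: int        # byte offset of the NUL
    line: int          # 1-based line number containing it
    hidden_bytes: int  # bytes after this NUL that a truncating consumer drops
    context: bytes     # a few bytes following the NUL, for triage


def find_nuls(html: bytes, context_len: int = 40) -> list:
    """Return one NulFinding per NUL byte, in document order."""
    findings = []
    pos = html.find(b"\x00")
    while pos != -1:
        findings.append(NulFinding(
            offset=pos,
            line=html.count(b"\n", 0, pos) + 1,
            hidden_bytes=len(html) - pos - 1,
            context=html[pos + 1:pos + 1 + context_len],
        ))
        pos = html.find(b"\x00", pos + 1)
    return findings


def truncated_view(html: bytes) -> bytes:
    """Assumed failure mode: the consumer stops reading at the first NUL."""
    return html.split(b"\x00", 1)[0]


def strip_nuls(html: bytes) -> bytes:
    """Normalise by ignoring NULs, as the post says Firefox and IE do."""
    return html.replace(b"\x00", b"")


# Constructed sample: one NUL immediately before a paragraph.
SAMPLE = (b"<html><body>\n<p>visible intro</p>\n"
          b"\x00<p>paragraph after the null</p>\n</body></html>\n")

if __name__ == "__main__":
    for f in find_nuls(SAMPLE):
        print(f"NUL at byte {f.offset}, line {f.line}: "
              f"{f.hidden_bytes} bytes follow, starting {f.context!r}")
    print("truncating viewer sees:", truncated_view(SAMPLE))
    print("normalised:", strip_nuls(SAMPLE))
```

Running the same scan over stored pages or proxied responses makes the difference between the rendered page and the view-source output visible without relying on the browser.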

8 Responses to “Opera Null Issues”

  1. maluc Says:

    all i can say is.. that is weird.

    Only the second bug works in Opera 8.54 on XP though btw.. which is understandable since the view source functioning is pretty different between the two.

  2. RSnake Says:

    Isn’t it? I can’t figure out why it would be that way. Well, I guess we’ll have to wait for someone who knows Opera better to chime in here.

  3. Jungsonn Says:

    RSnake, how do you produce a nullbyte in your fuzzer? is this an online app you have? or just local?

  4. maluc Says:

    when you make an HTML file use a hex editor to insert in a 00 byte.. i don’t think it’s possible to do from notepad.

    for web apps, the following can be used: \ 0, % 00, \x 00; \u 0000; &# 00; etc.. (without the spaces, wordpress is rejecting my post otherwise)

    if i remember his posts about his fuzzer, i think it was written in perl. Stole this from the cheat sheet:

    perl -e 'print "<IMG SRC=java\ 0script:alert(\"XSS\")>";' > out

  5. RSnake Says:

    Jungsonn, a null byte is the zero char in the fuzzer. I don’t have an online version since it is vulnerable to XSS (surprise surprise). All it takes is an apache install with a cgi-bin and a perl interpreter to get it working.

    However, the way I did it in the HTML file was by editing it on the server with vim and inserting a null by typing control-v control-shift-@

    I know, vim is kinda a pain, but it really is pretty useful for adding in random chars. You can also use bvi if you want to hex edit it. It takes some getting used to and it can only modify, not add new chars, so you have to leave a placeholder in vim and then edit it in bvi.

  6. Curioso bug en Opera - Seguridad Informática Says:

    […] What was done on this occasion was to inject null characters, by means of a fuzzer, into a simple HTML file (if anyone wants to try it, there is an easier way to do it: use any hex editor). […]

  7. Stolenflipflops Says:

    My money is on the string passed to whatever function is null-terminated, and inserting the null before the end causes it to simply truncate it.

  8. RSnake Says:

    That sounds like a safe bet to me. Except it’s weird that it also terminates the entire bottom part of the page as you view source. They must be concatenating the strings together to generate the view source page.
