Paid Advertising
web application security lab

Safari Integer Overflow Aids Inter Protocol Exploitation

This has been out there for almost a week, but I thought it was worthwhile to talk about a little bit. Safari has a typical integer overflow in the way they look at ports. So if you add the number 65,536 to the port you want to connect to (in this case 25 + 65,536 = 65,561) you can bypass their port blocking. The guys at Goatse Security [NSFW] found a way to use the old Inter-protocol exploitation attack against sendmail all over again.

There are a lot of implications here - first of all, port blocking is wildly insufficient. It’s not on all browsers, and even if it were, blocking 100 out of the 65,000 potential ports is just asking for problems. Secondly, no one is doing this sort of research. There are a ridiculous amount of services out there that may be forgiving enough to allow a browser to “speak” to them, but I don’t see anyone outside of a handful of people, like Weev, Wade Alcorn, Samy Kumkar, Aaron Weaver and myself doing this kind of research. There’s literally thousands of potentially exploitable services out there! It could take years at this rate to even map out the issues with the privileged ports. Scary. Lastly, the port blocking that is in place, is obviously not working either - because we’ve found more than one way to bypass it (first using FTP instead of HTTP in Mozilla and now integer overflows in Safari). Feels like a huge can of worms to me that would be better solved with a whitelist instead of a blacklist.

2 Responses to “Safari Integer Overflow Aids Inter Protocol Exploitation”

  1. Jose Selvi Says:

    Port Whitelist would be of course the best option, but there are lots and lots of web sites at any port like 8080, 8081, 81, 85, … It’s entropy is better than most RNG’s :)

    Just guessing: why browsers talk with any service in a stupid manner? why don’t they check for HTTP communication, for instance requesting “GET /” and waiting for HTTP correct response before real communication when service port seems strange.

    why browsers don’t drop the connection when they receive error messages sending first line of the GET/POST request? request=”GET / HTTP/1.1″ response = “syntax error” or “command not found”. This is not an HTTP server, why browser doesn’t care this messages?

    I think best solution is to improve browser intelligence for recognising HTTP and not-HTTP services, independently the port they use.

  2. RSnake Says:

    @Jose - the first part (the various ports) could be solved by a popup. There are very few webservers in the real world that I need to go to as an average user that aren’t on 80 and 443. If I want to specifically allow them, a popup would allow for that - it’s a thought anyway.

    To your second point, that would only solve part of the issue (where the server was returning bad data like the IMAP3 exploit). The other half is that the server needs to ignore things that aren’t speaking the right protocol instead of being so forgiving (like the IRC, SMTP, printer and Asterix vulns).