So I finally managed to install Safari today, not sure why it worked this time but it did. :)
Apple seems oblivious to null-bytes, or they don't read up on the advisories. Well, I can't blame them. It's hard to build something secure for the Microsoft OS. There are a lot of things you need to consider as a browser developer: how Windows handles file types, their extensions and such, and naturally the annoying string-terminating null-byte. But really, isn't this the first thing you try when you want to exploit the browser? That is what I was thinking when I found out that Mozilla was vulnerable to file type confusion on the Windows platform due to encoded null-bytes[1]. Either way, it's fun.
file:///C:/WINDOWS/explorer.exe%00.html
file:///C:/WINDOWS/system.ini%00.txt
The next example is rather annoying: if we try to open explorer.exe as a WMV audio file, it makes squeaky noises inside Winamp. Kinda strange, kinda fun!
file:///C:/WINDOWS/explorer.exe%00.wmv
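To make the confusion above concrete, here is an added example (not part of the original post, and not Apple's or Mozilla's code) that models the two views a browser and the OS get of the same `file://` URL. The browser picks a handler from the extension it sees after percent-decoding (`.html`, `.txt`, `.wmv`), but once the decoded path is handed to a NUL-terminated C string API, everything after the `%00` vanishes and the file actually opened is `explorer.exe` or `system.ini`. The `c_string_view` helper is an assumption that stands in for that truncation; the last function is the check a defender wants: refuse any URL whose decoded path contains a NUL byte.

```python
import posixpath
from urllib.parse import unquote, urlparse


def decode_file_url(url):
    """Return the percent-decoded path of a file:// URL.

    urlparse leaves %00 as-is; unquote turns it into a real NUL character,
    which is exactly what a naive browser does before handing the path on.
    """
    return unquote(urlparse(url).path)


def c_string_view(path):
    """Simulate what a NUL-terminated C string API (e.g. a Win32 *A call)
    would see: everything from the first NUL onwards is cut off.
    This is a stand-in for the OS behaviour, not a real API call."""
    nul = path.find("\x00")
    return path if nul == -1 else path[:nul]


def extension_confusion(url):
    """Compare the extension the browser sniffs with the one the OS opens.

    Returns (apparent_ext, effective_ext, confused).
    """
    decoded = decode_file_url(url)
    apparent_ext = posixpath.splitext(decoded)[1].lower()   # what the browser sees
    effective_ext = posixpath.splitext(c_string_view(decoded))[1].lower()  # what gets opened
    return apparent_ext, effective_ext, apparent_ext != effective_ext


def is_safe_file_url(url):
    """Hardened check: a decoded path must never contain a NUL byte.
    Rejecting it up front closes the gap between the two views above."""
    return "\x00" not in decode_file_url(url)


if __name__ == "__main__":
    # URLs from the post, plus one benign control (constructed)
    samples = [
        "file:///C:/WINDOWS/explorer.exe%00.html",
        "file:///C:/WINDOWS/system.ini%00.txt",
        "file:///C:/WINDOWS/explorer.exe%00.wmv",
        "file:///C:/WINDOWS/system.ini",
    ]
    for u in samples:
        apparent, effective, confused = extension_confusion(u)
        verdict = "REJECT" if not is_safe_file_url(u) else "ok"
        print(f"{u:45} browser sees {apparent:6} OS opens {effective:6} "
              f"confused={confused} -> {verdict}")
```

Run it and the three post URLs all report a mismatch and get rejected, while the plain `system.ini` URL passes; the fix is the same one the Mozilla advisory describes in spirit, decode first, then refuse NUL before any extension-based decision is made.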
So that's quite fun after lunch on a sunny Sunday afternoon. Further, I'm busy creating a couple of new tools. One will be a Firefox extension which I wanted to build for quite some time now, which will prevent CSRF and XSS (most XSS is CSRF actually). Another tool I am working on will be a kind of web-based nmap and network pentest tool rolled into one. I also came across this new paper on token kidnapping which I am currently reading:
http://www.argeniss.com/research/TokenKidnapping.pdf
I also heard that there was or will be an attack on CNN:
http://www.thedarkvisitor.com/2008/04/breaking-upcoming-chinese-hacker-attack-on-cnn-building-steam/
plus Nate McFeters gave a cool post on the new Flash vulns by Mark Dowd:
http://blogs.zdnet.com/security/?p=1030
a lot to read today...
[1] http://www.mozilla.org/security/announce/2007/mfsa2007-22.html