Surprising software vulnerabilities or exploits?
Everyone does know about SQL injections, but one of the most surprising exploits I recently heard about was putting SQL injections into bar codes. Testers should be checking ALL inputs for malicious SQL. An attacker could show up at an event and crash their registration system, change prices at stores, etc. I think just bar code hacking in general was surprising to me. No wow factor here, just something else to be aware of.
EDIT: Just had a discussion where the idea of putting the SQL injection on a magnetic card strip was brought up. I guess you can put one anywhere, so test any and all input, especially from users and these kinds of data storage devices.
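Added example, not part of the answer above and not anyone's production code: a C allow-list check for scanner input. It treats every scan, whether it arrives from a barcode reader or a magnetic stripe, as untrusted bytes, rejects anything that is not a well-formed EAN-13 (13 digits with a correct check digit) before any query is built, and keeps the lookup itself as a value comparison, standing in for a bound query parameter. The catalogue, the sample scans and every name here are constructed for the example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Allow-list validation of barcode scanner input before it reaches SQL.
 * Constructed catalogue and sample scans; not the poster's code.
 * Binding the value as a query parameter is still the primary defence;
 * this check rejects anything that is not even shaped like a barcode. */

#define EAN13_LEN 13
#define PRICE_REJECTED  (-1L)   /* scan failed validation */
#define PRICE_NOT_FOUND (-2L)   /* valid barcode, but no such item */

/* 1 if s is exactly 13 ASCII digits whose last digit is the correct
 * EAN-13 check digit (weights 1,3,1,3,... over the first 12 digits). */
int is_valid_ean13(const char *s)
{
    if (strlen(s) != EAN13_LEN)
        return 0;
    int sum = 0;
    for (int i = 0; i < EAN13_LEN; i++) {
        if (!isdigit((unsigned char)s[i]))
            return 0;                    /* quotes, spaces, anything non-digit */
        if (i < EAN13_LEN - 1)
            sum += (s[i] - '0') * ((i % 2 == 0) ? 1 : 3);
    }
    int expected = (10 - sum % 10) % 10;
    return (s[EAN13_LEN - 1] - '0') == expected;
}

struct item { const char *barcode; long price_cents; };

/* Constructed stand-in for the items table. */
static const struct item CATALOGUE[] = {
    { "4006381333931", 499 },
    { "0012345678905", 1299 },
};

/* Validate first, then look the item up. In real code the lookup is a
 * parameterised query ("... WHERE barcode = ?") with `scanned` bound as
 * a value, never concatenated into the SQL text. */
long price_of(const char *scanned)
{
    if (!is_valid_ean13(scanned))
        return PRICE_REJECTED;
    for (size_t i = 0; i < sizeof CATALOGUE / sizeof CATALOGUE[0]; i++)
        if (strcmp(CATALOGUE[i].barcode, scanned) == 0)
            return CATALOGUE[i].price_cents;
    return PRICE_NOT_FOUND;
}

int main(void)
{
    /* constructed scans: a genuine code, a scan carrying SQL metacharacters,
     * and a well-formed code that is not in the catalogue */
    const char *scans[] = { "4006381333931", "4006381333931';", "9780201379624" };
    for (size_t i = 0; i < sizeof scans / sizeof scans[0]; i++)
        printf("%-20s -> %ld\n", scans[i], price_of(scans[i]));
    return 0;
}
```

The check digit is what makes this more than a digit filter: a scanner that mis-reads a code, or a hand-typed fallback, is rejected with the same path as a hostile scan, so the application only ever hands the database strings that look like real product codes. The same shape of check applies to track data from a card reader, with that format's length and character set.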
My favorite and most impressive I've seen so far are a class of cryptography techniques known as Side Channel Attacks.
One type of a side channel attack uses power monitoring. Encryption keys have been recovered from smart card devices by carefully analyzing how much power is drawn from the power supply. The processors embedded within them use different amounts of power to process different sets of instructions. Using this tiny bit of information, it's possible to recover protected data, completely passively.
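Added example, not from the answer above: a toy C model of the simplest form of this attack, simple power analysis of a modular exponentiation. Each routine records the sequence of operations it performs, `S` for a squaring and `M` for a multiply, as a stand-in for the power trace: on a smart card those two operations draw distinguishably different power, which is exactly the "tiny bit of information" the answer describes. The numbers are constructed (a 32-bit exponent and a modulus small enough that products fit in 64 bits), and the function names are the example's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy model of simple power analysis (SPA). The trace buffer records the
 * operation sequence the way a scope would record power draw. Constructed
 * example; modulus must be < 2^32 so products fit in uint64_t. */

#define MAX_TRACE 80   /* 32 bits * 2 ops + terminator */

typedef uint64_t (*modexp_fn)(uint64_t, uint32_t, uint64_t, char *);

/* Square-and-multiply: multiplies only when the key bit is 1, so the
 * recorded trace spells out the exponent. Returns base^exp mod m. */
uint64_t naive_modexp(uint64_t base, uint32_t exp, uint64_t m, char *trace)
{
    uint64_t r = 1;
    size_t t = 0;
    int started = 0;
    for (int i = 31; i >= 0; i--) {
        int bit = (exp >> i) & 1;
        if (!started) { if (!bit) continue; started = 1; } /* skip leading zeros */
        r = (r * r) % m;            trace[t++] = 'S';
        if (bit) { r = (r * base) % m; trace[t++] = 'M'; }
    }
    trace[t] = '\0';
    return r;
}

/* Montgomery ladder: one multiply and one square per bit whatever the bit
 * is, so the trace is the same for every exponent of the same length. */
uint64_t ladder_modexp(uint64_t base, uint32_t exp, uint64_t m, char *trace)
{
    uint64_t r0 = 1, r1 = base % m;   /* invariant: r1 == r0 * base */
    size_t t = 0;
    int started = 0;
    for (int i = 31; i >= 0; i--) {
        int bit = (exp >> i) & 1;
        if (!started) { if (!bit) continue; started = 1; }
        if (bit) { r0 = (r0 * r1) % m; r1 = (r1 * r1) % m; }
        else     { r1 = (r0 * r1) % m; r0 = (r0 * r0) % m; }
        trace[t++] = 'M'; trace[t++] = 'S';
    }
    trace[t] = '\0';
    return r0;
}

/* What the attacker does with a captured trace: read the exponent back.
 * Returns -1 if the trace lacks the S / SM structure (e.g. a ladder trace). */
int64_t recover_exponent(const char *trace)
{
    uint64_t exp = 0;
    size_t i = 0, n = strlen(trace);
    while (i < n) {
        if (trace[i] != 'S') return -1;
        exp <<= 1;
        if (i + 1 < n && trace[i + 1] == 'M') { exp |= 1; i += 2; }
        else { i += 1; }
    }
    return (int64_t)exp;
}

/* 1 if two same-length exponents produce different traces under f. */
int traces_differ(modexp_fn f, uint32_t exp_a, uint32_t exp_b)
{
    char ta[MAX_TRACE], tb[MAX_TRACE];
    f(4, exp_a, 497, ta);
    f(4, exp_b, 497, tb);
    return strcmp(ta, tb) != 0;
}

int main(void)
{
    char trace[MAX_TRACE];
    uint64_t r = naive_modexp(4, 13, 497, trace);
    printf("naive : 4^13 mod 497 = %llu  trace=%s  recovered=%lld\n",
           (unsigned long long)r, trace, (long long)recover_exponent(trace));
    r = ladder_modexp(4, 13, 497, trace);
    printf("ladder: 4^13 mod 497 = %llu  trace=%s  recovered=%lld\n",
           (unsigned long long)r, trace, (long long)recover_exponent(trace));
    return 0;
}
```

The point for a defender is the second routine: the countermeasure is not hiding the key but making the instruction sequence independent of it, so that every exponent of a given length leaves the same trace. Real implementations go further (constant-time conditional swaps instead of the `if`, blinding of the exponent and of the base) because a ladder with data-dependent branches still leaks through timing and through the addresses it touches.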
I think a relatively recent Linux vulnerability qualifies for your description of exploiting code that seems safe (though a bit misstructured).
This was specifically the piece of code in the Linux kernel:
struct sock *sk = tun->sk; // initialize sk with tun->sk
…
if (!tun)
        return POLLERR; // if tun is NULL return error
Due to a GCC optimization, the if statement and body are removed (which is reasonable for userland code, not so much for kernel code). Through some cleverness a person was able to build an exploit out of this.
A summary:
http://isc.sans.org/diary.html?storyid=6820
A posted exploit:
http://lists.grok.org.uk/pipermail/full-disclosure/2009-July/069714.html
EDIT: Here is a much more in depth summary of how this code was exploited. It's a short read, but a very good explanation of the mechanisms used for the exploit.
http://lwn.net/SubscriberLink/342330/f66e8ace8a572bcb/
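Added example, not from the answer above and not the kernel's code: a user-space reduction in C of the ordering problem the answer quotes, with the vulnerable ordering beside the corrected one. The struct and function names are hypothetical stand-ins for the kernel's, `POLLERR_STAND_IN` is a placeholder for the kernel's `POLLERR`, and the sample object is constructed for the example.

```c
#include <stddef.h>
#include <stdio.h>

/* User-space model of the dereference-before-check pattern. Hypothetical
 * names; POLLERR_STAND_IN is a placeholder for the kernel's POLLERR. */

#define POLLERR_STAND_IN (-1)

struct sock { int state; };
struct tun_struct { struct sock *sk; };

/* Vulnerable ordering: tun->sk is read before tun is tested. Because the
 * read would already be undefined behaviour for a NULL tun, the compiler
 * may assume tun is non-NULL and delete the test (GCC does this under its
 * -fdelete-null-pointer-checks optimisation, which is on at -O2). In the
 * kernel the read itself did not fault once the attacker had mapped page
 * zero, so the deleted check was the only thing standing in the way. */
int poll_buggy(struct tun_struct *tun)
{
    struct sock *sk = tun->sk;
    if (!tun)
        return POLLERR_STAND_IN;   /* likely gone after optimisation */
    return sk->state;
}

/* Fixed ordering: test first, dereference afterwards. Nothing before the
 * check implies tun is valid, so the compiler has to keep it. */
int poll_fixed(struct tun_struct *tun)
{
    if (!tun)
        return POLLERR_STAND_IN;
    struct sock *sk = tun->sk;
    return sk->state;
}

/* Constructed sample object so the functions can be exercised. */
struct tun_struct *sample_tun(void)
{
    static struct sock s = { 7 };
    static struct tun_struct t = { &s };
    return &t;
}

int main(void)
{
    printf("fixed, valid tun : %d\n", poll_fixed(sample_tun()));
    printf("fixed, NULL tun  : %d\n", poll_fixed(NULL));
    printf("buggy, valid tun : %d\n", poll_buggy(sample_tun()));
    /* poll_buggy(NULL) is deliberately not called: in user space the
     * dereference faults before the (possibly deleted) check runs. */
    return 0;
}
```

Two things a reviewer would take from this: a NULL check only protects the code that runs after it, so any dereference above it is a finding regardless of what the compiler does; and a build-wide `-fno-delete-null-pointer-checks` is a backstop for the cases that slip through review, not a substitute for ordering the check correctly.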