How does ๐ or ๐ฉ affect our S๏ฟฝcurity?
A bughunter and offensive perspective on โบโโโโโโโ โโคโโ โคโโข
Created by Christopher Bleckmann-Dreher / @schniggie
http://bsides.ๅ.xyz
Agenda
- WhoAmI
- ASCII and ISO-8859
- Unicode
- Unicode encodings
- Security implications 101
- Real world examples
- Summary + QA
WhoAmI
- Offensive IT sec guy / Pentester
- Bughunter (retired)
- Author
ASCII
- American Standard Code for Information Interchange
- Established in 1963
- 7-Bit character set
- Only 128 characters
- 0000000 โ 1111111
- A: (65)โโ = (41)โโ = (1000001)โ
- a: (97)โโ = (61)โโ = (1100001)โ
ISO-8859-?
- ASCII compatible ๐
- 8-Bit character set
- 256 characters
- 00000000 โ 11111111
- 8859-2: (Central Europe)
Unicode
- Since 1991
- MultiByte character set
- Fully ASCII and ISO-8859 compatible ๐
- Different encodings (UTF-8, UTF-16, UTF-32, EBCDIC, โฆ)
Unicode
- U+0000 โ U+10FFFF
- U+0000 โ U+007F: ASCII
- U+0080 โ U+00FF: ISO
- U+0000 โ U+FFFF (BMP: Basic Multilingual Plane) = 65536 characters
- U+010000 โ U+10FFFF (Astral Planes) = Over a million
Unicode Encodings
Security Implications - Length of UTF8 String
size_t length = measure(str1) + measure(str2) + 1;
char *concat = malloc(sizeof(char) * length);
if(concat == NULL) { // error }
snprintf(concat, length, "%s%s", str1, str2);
int measure(char *string) {
// allocate enough memory to hold the wide string
size_t needed = mbstowcs(NULL, string, 0) + 1;
wchar_t *wcstring = malloc(needed * sizeof *wcstring);
if (!wcstring) return -1;
// change encodings
if (mbstowcs(wcstring, string, needed) == (size_t)-1) return -2;
// measure width
int width = wcswidth(wcstring, needed);
free(wcstring);
return width;
}
Security Implications - JavaScript Compare
Security Implications - JavaScript Compare
Security Implications - JavaScript Compare
Security Implications - JavaScript RegEx
Security Implications - JavaScript RegEx
Security Implications - JavaScript RegEx
- Test it yourself http://scriptular.com
Security Implications - MySQL vs. UTF-8
Security Implications - MySQL vs. UTF-8
Security Implications - MySQL vs. UTF-8
Security Implications - MySQL vs. UTF-8
Abusing Unicode to attack a victim
Anything suspicious?
Anything suspicious?
IDN Domains
- Allowed since end of 2009
- Stored as ASCII strings using Punycode transcription
- No changes to the DNS system needed
Source: https://en.wikipedia.org/wiki/Internationalized_domain_name
IDN Domains
IDN Domains and Mailing
IDN Domains โ Real world attack scenario
IDN Domains โ Find good ones
IDN $$$
Left or right?
Left or right?
Howto:
ruby -e 'File.rename("backdoor_ppt.exe", "resume\xe2\x80\xaetpp.exe")'
RTLO Snapchat
RTLO $250
RTLO Go Go Go and hunt ... (from 2017)
2019 and still sth. to care about?
Crashing every iOS and OS X device
- In 2013 every iOS and OS X device was vulnerable to
- For example Browser, Messages (SMS, iMessage, Whatsapp, โฆ), Wireless Hotspots
Crashing every iOS and OS X device
- Even Facebook implemented filter withtin Messenger
Frontend ๐ Backend
Frontend ๐ Backend
Spotify account hijacking
Spotify account hijacking
1. User: แดฎแดตแดณแดฎแดตแดฟแดฐ triggers forgot password 1. Forgot password: >>> canonical_username(u'\u1d2e\u1d35\u1d33\u1d2e\u1d35\u1d3f\u1d30') u'BIGBIRD' 2. Click on password reset Link in Mail: >>> canonical_username(canonical_username(u'\u1d2e\u1d35\u1d33\u1d2e\u1d35\u1d3f\u1d30')) u'bigbird'
Phabricator Bypass
Phabricator Bypass
Phabricator Bypass
PILE OF POO
Summary
For developer:
- Verify that methods, functions, frameworks can handle Unicode
- Input validation should also handle Unicode characters
- Verify that all system and interconnection can handle Unicode
For Hunters:
- Go and inject ๐ฉ
- Automate it / Implement it in tools
Acknowledgment
- Mathias Bynens @mathias
- @FakeUnicode
Thanks for your time :)
