How does 🙈 or 💩 affect our S�curity?
A bughunter perspective to pwn web apps
Created by Christopher Bleckmann-Dreher / @schniggie
Agenda
- WhoAmI
- ASCII and ISO-8859
- Unicode
- Unicode encodings
- Security implications 101
- Real world examples
- Summary + QA
WhoAmI
- IT Security Consultant / Pentester
- Bughunter (retired)
- Author
ASCII
- American Standard Code for Information Interchange
- Established in 1963
- 7-Bit character set
- Only 128 characters
- 0000000 – 1111111
- A: (65)₁₀ = (41)₁₆ = (1000001)₂
- a: (97)₁₀ = (61)₁₆ = (1100001)₂
ISO-8859-?
- ASCII compatible 👍
- 8-Bit character set
- 256 characters
- 00000000 – 11111111
- 8859-2: (Central Europe)
Unicode
- Since 1991
- MultiByte character set
- Fully ASCII and ISO-8859 compatible 👍
- Different encodings (UTF-8, UTF-16, UTF-32, EBCDIC, …)
Unicode
- U+0000 – U+10FFFF
- U+0000 – U+007F: ASCII
- U+0080 – U+00FF: ISO
- U+0000 – U+FFFF (BMP: Basic Multilingual Plane) = 65536 characters
- U+010000 – U+10FFFF (Astral Planes) = Over a million
Unicode Encodings
Security Implications - Length of UTF8 String
size_t length = measure(str1) + measure(str2) + 1;
char *concat = malloc(sizeof(char) * length);
if(concat == NULL)
{
// error
}
snprintf(concat, length, "%s%s", str1, str2);
int measure(char *string) {
// allocate enough memory to hold the wide string
size_t needed = mbstowcs(NULL, string, 0) + 1;
wchar_t *wcstring = malloc(needed * sizeof *wcstring);
if (!wcstring) return -1;
// change encodings
if (mbstowcs(wcstring, string, needed) == (size_t)-1) return -2;
// measure width
int width = wcswidth(wcstring, needed);
free(wcstring);
return width;
}
Security Implications - JavaScript Compare
Security Implications - JavaScript Compare
Security Implications - JavaScript Compare
Security Implications - JavaScript RegEx
Security Implications - JavaScript RegEx
Security Implications - JavaScript RegEx
- Test it yourself http://scriptular.com/
Security Implications - MySQL vs. UTF-8
Security Implications - MySQL vs. UTF-8
Security Implications - MySQL vs. UTF-8
Security Implications - MySQL vs. UTF-8
Abusing Unicode to attack a victim
Anything suspicious?
Anything suspicious?
IDN Domains
- Allowed since end of 2009
- Stored as ASCII strings using Punycode transcription
- No changes to the DNS system needed
Source: https://en.wikipedia.org/wiki/Internationalized_domain_name
IDN Domains
IDN Domains and Mailing
IDN Domains – Real world attack scenario
Source: https://www.heise.de/newsticker/meldung/Browser-noch-immer-fuer-Phishing-per-Unicode-Domain-anfaellig-3686474.html
IDN Domains – Find good ones
IDN $$$
Left or right?
Left or right?
Howto:
ruby -e 'File.rename("backdoor_ppt.exe", "resume\xe2\x80\xaetpp.exe")'
RTLO Snapchat
RTLO $250
RTLO Go Go Go and hunt ...
Crashing every iOS and OS X device
- In 2013 every iOS and OS X device was vulnerable to
Source: https://arstechnica.com/apple/2013/08/rendering-bug-crashes-os-x-and-ios-apps-with-string-of-arabic-characters/
- For example Browser, Messages (SMS, iMessage, Whatsapp, …), Wireless Hotspots
Crashing every iOS and OS X device
- Even Facebook implemented filter withtin Messenger
Frontend 💔 Backend
Frontend 💔 Backend
Spotify account hijacking
Spotify account hijacking
1. User: ᴮᴵᴳᴮᴵᴿᴰ triggers forgot password 1. Forgot password: >>> canonical_username(u'\u1d2e\u1d35\u1d33\u1d2e\u1d35\u1d3f\u1d30') u'BIGBIRD' 2. Click on passwort reset Link in Mail: >>> canonical_username(canonical_username(u'\u1d2e\u1d35\u1d33\u1d2e\u1d35\u1d3f\u1d30')) u'bigbird'
Phabricator Bypass
Phabricator Bypass
Phabricator Bypass
PILE OF POO
Summary
For developer:
- Verify that methods, functions, frameworks can handle Unicode
- Input validation should also handle Unicode characters
- Verify that all system and interconnection can handle Unicode
- Go and inject 💩
- Automate it / Implement it in tools
Acknowledgment
- Mathias Bynens @mathias
- @Bugcrowd
Thanks for your time :)
