Krebs on "Trojan Source"
https://krebsonsecurity.com/2021/11/trojan-source-bug-threatens-the-security-of-all-code/ (from November 1)

Researchers with the University of Cambridge discovered a bug that affects most computer code compilers and many software development environments. At issue is a component of the digital text encoding standard Unicode, which allows computers to exchange information regardless of the language used. Unicode currently defines more than 143,000 characters across 154 different language scripts (in addition to many non-script character sets, such as emojis).

Specifically, the weakness involves Unicode’s bi-directional or “Bidi” algorithm, which handles displaying text that includes mixed scripts with different display orders, such as Arabic — which is read right to left — and English (left to right).

But computer systems need to have a deterministic way of resolving conflicting directionality in text. Enter the “Bidi override,” which can be used to make left-to-right text read right-to-left, and vice versa.

“In some scenarios, the default ordering set by the Bidi Algorithm may not be sufficient,” the Cambridge researchers wrote. “For these cases, Bidi override control characters enable switching the display ordering of groups of characters.”

Bidi overrides enable even single-script characters to be displayed in an order different from their logical encoding. As the researchers point out, this fact has previously been exploited to disguise the file extensions of malware disseminated via email.

Here’s the problem: Most programming languages let you put these Bidi overrides in comments and strings. This is bad because most programming languages allow comments within which all text — including control characters — is ignored by compilers and interpreters. Also, it’s bad because most programming languages allow string literals that may contain arbitrary characters, including control characters.

“So you can use them in source code that appears innocuous to a human reviewer [that] can actually do something nasty,” said Ross Anderson, a professor of computer security at Cambridge and co-author of the research. “That’s bad news for projects like Linux and Webkit that accept contributions from random people, subject them to manual review, then incorporate them into critical code. This vulnerability is, as far as I know, the first one to affect almost everything.”

[...]


Cheers,
Scott.
How would this be exploited?
It sounds like bidi control characters are a special case, in that it's the only control character allowed in comments. What am I missing?
--

Drew
If a GUI honors it but the compiler does not
then the human sees one thing, the compiler another. If the compiler drops the control characters without warning, that can become a problem. e.g. it could be used to make you see 0x0F where the compiler sees 0xF0.

How feasible any of this is is another matter. The example above is not very practical unless it hits a project that still uses literals for critical fields.
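A scanner for exactly these characters, added here as an example and not part of the thread or of Krebs's article: it reports every Unicode Bidi control in a source file by line and column and prints the affected line in escaped form, which is the logical order the compiler sees. The embedded sample source is constructed and carries the 0x0F / 0xF0 swap described above.

```python
"""Detect Unicode Bidi control characters in source text ("Trojan Source")."""
import sys
import unicodedata

# Bidi embedding/override/isolate controls. An editor that honours them renders
# the text in the order they dictate; a compiler treats them as ordinary
# characters inside a comment or string literal, so human and machine differ.
BIDI_CONTROLS = frozenset(
    chr(c) for c in list(range(0x202A, 0x202F))   # LRE, RLE, PDF, LRO, RLO
    + list(range(0x2066, 0x206A))                  # LRI, RLI, FSI, PDI
)


def find_bidi_controls(text):
    """Return (line, column, 'U+XXXX', name) for each Bidi control in text.

    Line and column are 1-based; the column counts code points, not bytes.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for col, ch in enumerate(line, start=1):
            if ch in BIDI_CONTROLS:
                findings.append((lineno, col, "U+%04X" % ord(ch),
                                 unicodedata.name(ch)))
    return findings


def visible_form(line):
    """Escape Bidi controls so a reviewer sees the compiler's (logical) order."""
    return "".join("\\u%04x" % ord(ch) if ch in BIDI_CONTROLS else ch
                   for ch in line)


# Constructed sample: a Right-to-Left Override inside a string literal makes a
# Bidi-aware editor display "0x0F" while the bytes (and the compiler) say "0xF0".
SAMPLE = (
    "#include <stdio.h>\n"
    "int main(void) {\n"
    '    const char *mask = "0x\u202eF0\u202c"; /* permission mask */\n'
    "    return 0;\n"
    "}\n"
)

if __name__ == "__main__":
    src = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE
    lines = src.splitlines()
    hits = find_bidi_controls(src)
    for lineno, col, cp, name in hits:
        print("line %d col %d: %s %s" % (lineno, col, cp, name))
        print("    " + visible_form(lines[lineno - 1]))
    sys.exit(1 if hits else 0)   # non-zero exit lets a pre-commit hook reject it
```

Run it with a path to scan that file, or with no arguments to scan the embedded sample; scoenye's point about diff applies the same way, since the escaped form makes the control character an explicit textual change.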
That sounds like the edgiest of edge cases
Not saying it's impossible to exploit, but just about any other method must be easier.
--

Drew
Pretty much. The more likely target is e-mail (URLs, attachment names, ...)
"What are you missing?", you ask.
The endless ingenuity of the evildoers to exploit anything in ways you didn't even consider possible, that's what.
Not quite new
https://attack.mitre.org/techniques/T1036/002/ (from early 2020 on left-to-right override masquerading)

And as to slipping something like this in a FOSS project, GNU diff still doesn't understand Unicode :-) It should flag the mess as a change. (On the assumption the most likely target of an attack is an existing privilege check.)