
Comment by rwmj

4 days ago

What is the threat profile here? I don't understand how this would be exploited in the real world. Once you're linking to a library, there are so many ways for the library to exploit your main program (e.g. by running arbitrary code in constructors).

https://github.com/rurban/libu8ident

Search for homoglyph attacks and the unicode security guidelines for identifiers

  • OK that is pretty interesting. For the TL;DR crowd, the exploit was:

      if(environmentǃ=ENV_PROD){
        // bypass authZ checks in DEV
        return true;
      }
    

    where the 'ǃ' is a Unicode homoglyph (U+1C3 "LATIN LETTER ALVEOLAR CLICK") which obviously completely changes the nature of the code.

    I'll note that GCC gives a clear warning here ("suggest parentheses around assignment used as truth value"), so as always, turn on -Werror and take warnings seriously!

    • The shown code is JavaScript; it wouldn't compile as C, because "environment[alveolar-click]" was never declared, and C requires declare-before-use. Does the advice to use GCC -Werror still apply to JavaScript? (I'd guess no, but I don't know for sure if I'm missing something.)
