Posted on 11/01/2021 11:04:40 AM PDT by ShadowAce
Not clear to me what this can do. The string literal is read and has BiDi control characters. Will it just change the direction of how the characters are displayed in the browser or other software? Does the BiDi code keep reading until it finds another control character, thus causing a buffer read overrun enabling a buffer exploit?
So if compilers disabled BIDI then Chinese and Muslim code hacks would be disabled? Just curious ...
;-)
That may be deliberate so black hats will have to figure it out.
Back to writing octal code for the PDP-8.
But the scary part is it doesn't really matter what OS or software you use--it can be inserted everywhere as this is a source-code-level exploit that the compilers do not catch.
Or a developer could simply strip out all the comments from source code and leave only valid syntax to compile.
This is in̯̦͚͍͇̩͑̓͆͒̍ͪteresting
Not too concerned about it. They have to get it into your code. If someone got to my codebase, there would be more issues than them putting something like this into it.
Do we need to wear a mask or get a shot?
Seems a bit overblown to me. As long as you are ingesting source code, you just search for these control codes in the source. Could be done by the compiler with a TBD check, but could equally well be done with a simple grep of a patch file.
I would suspect open source is more susceptible. And there is a lot of open source running on machines everywhere, so I would still like to see details on how this can be exploited.
bkmk
Ah, not true.
I’ve always thought Unicode was a =really= bad idea in anything but documents, and generally not really so good an idea there unless you’re trying to display kanji or something.
You should be able to turn the stuff off. I would imagine in the future that code editors will have bright flashy things for these ‘bidi’ codes.
I wonder if it has to do with programming languages that allow pragmas/commands within comments, perhaps like the shebang directives in bash?
https://bash.cyberciti.biz/guide/Shebang
ANY time data (or code comments) have a chance of changing context into code execution, you have a potential security vulnerability.
:-D
As you say, open source could be the most susceptible because anyone could submit a change...and because it looks innocent or perhaps even beneficial, it would be merged in.
At that point, however, it just becomes a question of social engineering, right?
Do you use _any_ open source software tools? Could you then somehow be vulnerable to the introduction of a persistent threat?
One problem with trying to scan your own code is that there are SO many ways to encode Unicode: hex strings, octal encoding, XML constants, XML entity expansion or similar #define-type definitions, etc. You only have to miss one.
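The "grep for the control codes" idea raised earlier, and the objection just above that escaped spellings are easy to miss, can be combined into one scanner. This is an added example, not code posted in the thread: it flags the Unicode Bidi_Control characters both as raw characters and in the common escaped spellings (`\u202E`, `\U0000202E`, `&#x202E;`, `&#8238;`); the sample source it scans is constructed.

```python
"""Scan source text for Unicode bidirectional (BiDi) control characters,
raw or escaped, and report where they sit. Added example; sample is constructed."""
import re
import unicodedata

# The Unicode Bidi_Control set: marks, embeddings, overrides and isolates.
BIDI_CONTROLS = {0x061C, 0x200E, 0x200F, 0x202A, 0x202B, 0x202C, 0x202D, 0x202E,
                 0x2066, 0x2067, 0x2068, 0x2069}

# Escaped spellings that hide the character from a naive byte-level grep:
# \u202E (4 hex), \U0000202E (8 hex), &#x202E; (hex entity), &#8238; (decimal entity).
ESCAPE_RE = re.compile(
    r"\\u([0-9A-Fa-f]{4})|\\U([0-9A-Fa-f]{8})|&#x([0-9A-Fa-f]+);|&#([0-9]+);")

def scan_line(line):
    """Return sorted (column, codepoint, kind) tuples for BiDi controls on one line."""
    hits = []
    for col, ch in enumerate(line):               # raw control characters
        if ord(ch) in BIDI_CONTROLS:
            hits.append((col, ord(ch), "raw"))
    for m in ESCAPE_RE.finditer(line):            # escaped spellings
        hex4, hex8, hexent, decent = m.groups()
        hexval = hex4 or hex8 or hexent
        cp = int(hexval, 16) if hexval else int(decent)
        if cp in BIDI_CONTROLS:
            hits.append((m.start(), cp, "escaped"))
    return sorted(hits)

def scan_source(text):
    """Scan a whole file; return (lineno, col, 'U+XXXX NAME', kind) per finding."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for col, cp, kind in scan_line(line):
            name = unicodedata.name(chr(cp), "UNKNOWN")
            findings.append((lineno, col, f"U+{cp:04X} {name}", kind))
    return findings

# Constructed sample: a comment carrying a raw RIGHT-TO-LEFT OVERRIDE, a string
# literal with an escaped RIGHT-TO-LEFT ISOLATE, and an ordinary Arabic string
# (real right-to-left text is not a control character and must not be flagged).
SAMPLE = (
    "int x = 1; // harmless comment\n"
    "/* check \u202e { if admin */ bool ok = true;\n"
    "const char *s = \"\\u2067hidden\";\n"
    "const char *greeting = \"مرحبا\";\n"
)

if __name__ == "__main__":
    for lineno, col, what, kind in scan_source(SAMPLE):
        print(f"line {lineno} col {col}: {what} ({kind})")
```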
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.