[prev in list] [next in list] [prev in thread] [next in thread] 

List:       full-disclosure
Subject:    Re: [Full-disclosure] UTF reverse-writing WYSINWG "feature"
From:       "HASEGAWA Yosuke" <yosuke.hasegawa () gmail ! com>
Date:       2007-08-31 1:21:26
Message-ID: 5559abfc0708301821n6f7b75a7v210e0cdc5429d4cd () mail ! gmail ! com
[Download RAW message or body]

Hi.

On 8/28/07, Tonu Samuel <tonu@jes.ee> wrote:
> But by concerns are related to security. For example even looking title
> of this digg.com page with Firefox or Konqueror and you see that browser
> name is reversed! I looked into source code with Firefox and lot of
> things are reversed too!

In Japan, this trick -- Visual camouflage usgin
Unicode Bidi -- is already known since 2005.
By including RLO(U+202E) in the a file name, Visual spoofing
of the extension is possible.

For example, create a file named such as:
 "this-(U+202E)txt.exe"
And when this file is indicated over theExplorer.exe,
it is visible in "this-exe.txt", like as a TEXT file.
Although this file is visible to txt file seemingly, but, of
course, it operates as exe file.

Here is the sample image on Japanese edition of Windows.
<http://openmya.hacker.jp/hasegawa/public/20061209/momiji9.png>

In Japan, it is already said that the malware which used this
trick is distributed through a Winny the most famous P2P
software in Japan - network.

Execution of malware by this trick can be prevented by
restricting execution of the file which contains RLO in
a filename,using group (or local) policy.


-- 
HASEGAWA Yosuke
    yosuke.hasegawa@gmail.com

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
[prev in list] [next in list] [prev in thread] [next in thread]