linuxdcpp-team team mailing list archive
Message #08250
[Bug 1425276] [NEW] The Unicode mirror character and possibly other similar ones can be used for nick spoofing in ADC hubs
*** This bug is a security vulnerability ***
Private security bug reported:
Basically what's described at http://stackoverflow.com/questions/3115204/unicode-mirror-character used by some recent malware to trick with file extensions seems to be working for DC++, too.
See the attached screenshot. It produces various other funny effects throughout the DC++ interface where the nick is displayed alone or in conjunction with other text/data.
For other possible problematic chars cologic suggests that anything in http://www.fileformat.info/info/unicode/block/general_punctuation/list.htm from U+2000 to U+206F inclusive is pretty suspect. Some look like they have legitimate use, though (U+2030 to U+205E inclusive, for example). But, minimally, filtering out a few of the codepoints from that block: LEFT-TO-RIGHT OVERRIDE (U+202D), RIGHT-TO-LEFT OVERRIDE (U+202E), LEFT-TO-RIGHT EMBEDDING (U+202A), RIGHT-TO-LEFT EMBEDDING (U+202B), POP DIRECTIONAL FORMATTING (U+202C), etc.
Also here's a handy list of possible other suspects:
http://kb.mozillazine.org/Network.IDN.blacklist_chars
** Affects: dcplusplus
Importance: High
Status: Confirmed
** Attachment added: "Unicode mirror char 'RIGHT-TO-LEFT OVERRIDE' (U+202E) in effect"
https://bugs.launchpad.net/bugs/1425276/+attachment/4326653/+files/mirrorchar.jpg
--
You received this bug notification because you are a member of
Dcplusplus-team, which is subscribed to DC++.
https://bugs.launchpad.net/bugs/1425276
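A defender-side nick check along the lines the report suggests, added here as an example (not DC++'s own code): it decodes the UTF-8 nick, hard-rejects the five directional controls named above (U+202A..U+202E) and flags the rest of the General Punctuation block as suspect, leaving U+2030..U+205E alone as the report proposes. The names `classifyNick`, `NickVerdict` and the helpers are assumptions made for this example.

```cpp
#include <cstdint>
#include <string>

// Verdict for a nick, following the report's suggestion: hard-reject the five
// directional controls it names, flag the rest of General Punctuation.
enum NickVerdict { NICK_OK = 0, NICK_SUSPECT = 1, NICK_REJECT = 2 };

// Minimal UTF-8 decoder: returns the codepoint at s[i] and advances i.
// Malformed or truncated sequences decode to U+FFFD (one byte consumed).
static uint32_t nextCodepoint(const std::string& s, size_t& i) {
    unsigned char c = static_cast<unsigned char>(s[i]);
    size_t len = 0;
    if (c < 0x80) len = 1;
    else if ((c & 0xE0) == 0xC0) len = 2;
    else if ((c & 0xF0) == 0xE0) len = 3;
    else if ((c & 0xF8) == 0xF0) len = 4;
    if (len == 0 || i + len > s.size()) { ++i; return 0xFFFD; }
    uint32_t cp = (len == 1) ? c : (c & (0x7F >> len));
    for (size_t k = 1; k < len; ++k) {
        unsigned char cc = static_cast<unsigned char>(s[i + k]);
        if ((cc & 0xC0) != 0x80) { ++i; return 0xFFFD; }
        cp = (cp << 6) | (cc & 0x3F);
    }
    i += len;
    return cp;
}

// LRE (U+202A), RLE (U+202B), PDF (U+202C), LRO (U+202D), RLO (U+202E):
// the codepoints the report says should be filtered at a minimum.
static bool isBidiControl(uint32_t cp) { return cp >= 0x202A && cp <= 0x202E; }

// Everything else in U+2000..U+206F is "pretty suspect" per the report,
// except U+2030..U+205E, which it notes has legitimate uses.
static bool isSuspectPunctuation(uint32_t cp) {
    return cp >= 0x2000 && cp <= 0x206F && !(cp >= 0x2030 && cp <= 0x205E);
}

// Classify a UTF-8 nick (ADC carries nicks as UTF-8) before displaying it
// or admitting it to the hub. The worst verdict found wins.
NickVerdict classifyNick(const std::string& utf8Nick) {
    NickVerdict worst = NICK_OK;
    for (size_t i = 0; i < utf8Nick.size();) {
        uint32_t cp = nextCodepoint(utf8Nick, i);
        if (isBidiControl(cp)) return NICK_REJECT;
        if (isSuspectPunctuation(cp)) worst = NICK_SUSPECT;
    }
    return worst;
}
```

A client that wants to display rather than reject a suspect nick can drop the flagged codepoints with the same decoder, which also keeps the screenshot-style reordering out of chat and file-list views.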
Follow ups
- [Bug 1425276] Re: The Unicode mirror character and possibly other similar ones can be used for nick spoofing in ADC hubs
  From: eMTee, 2021-11-19
- [Bug 1425276] Re: The Unicode mirror character and possibly other similar ones can be used for nick spoofing in ADC hubs
  From: eMTee, 2021-11-19
- [Bug 1425276] Re: The Unicode mirror character and possibly other similar ones can be used for nick spoofing in ADC hubs
  From: eMTee, 2021-11-19
- [Bug 1425276] Re: The Unicode mirror character and possibly other similar ones can be used for nick spoofing in ADC hubs
  From: eMTee, 2021-11-19
- [Bug 1425276] Re: The Unicode mirror character and possibly other similar ones can be used for nick spoofing in ADC hubs
  From: eMTee, 2021-11-19
- [Bug 1425276] Re: The Unicode mirror character and possibly other similar ones can be used for nick spoofing in ADC hubs
  From: Nick Moffitt, 2021-11-19
- [Bug 1425276] Re: The Unicode mirror character and possibly other similar ones can be used for nick spoofing in ADC hubs
  From: poy, 2015-03-22
- [Bug 1425276] Re: The Unicode mirror character and possibly other similar ones can be used for nick spoofing in ADC hubs
  From: poy, 2015-03-22
- [Bug 1425276] Re: The Unicode mirror character and possibly other similar ones can be used for nick spoofing in ADC hubs
  From: eMTee, 2015-03-01
- [Bug 1425276] Re: The Unicode mirror character and possibly other similar ones can be used for nick spoofing in ADC hubs
  From: eMTee, 2015-03-01
- [Bug 1425276] Re: The Unicode mirror character and possibly other similar ones can be used for nick spoofing in ADC hubs
  From: Fredrik Ullner, 2015-03-01
- [Bug 1425276] [NEW] The Unicode mirror character and possibly other similar ones can be used for nick spoofing in ADC hubs
  From: eMTee, 2015-02-24