CWE-1007 屏幕显示出的不同编码的同形字母不易区分

Insufficient Visual Distinction of Homoglyphs Presented to User

结构: Simple

Abstraction: Base

状态: Incomplete

被利用可能性: Medium

基本描述

The software displays information or identifiers to a user, but the display mechanism does not make it easy for the user to distinguish between visually similar or identical glyphs (homoglyphs), which may cause the user to misinterpret a glyph and perform an unintended, insecure action.

扩展描述

Some glyphs, pictures, or icons can be semantically distinct to a program, while appearing very similar or identical to a human user. These are referred to as homoglyphs. For example, the lowercase "l" (ell) and uppercase "I" (eye) have different character codes, but these characters can be displayed in exactly the same way to a user, depending on the font. This can also occur between different character sets. For example, the Latin capital letter "A" and the Greek capital letter "Α" (Alpha) are treated as distinct by programs, but may be displayed in exactly the same way to a user. Accent marks may also cause letters to appear very similar, such as the Latin capital letter grave mark "À" and its equivalent "À" with the acute accent.

Adversaries can exploit this visual similarity for attacks such as phishing, e.g. by providing a link to an attacker-controlled hostname that looks like a hostname that the victim trusts. In a different use of homoglyphs, an adversary may create a back door username that is visually similar to the username of a regular user, which then makes it more difficult for a system administrator to detect the malicious username while reviewing logs.

相关缺陷

  • cwe_Nature: ChildOf cwe_CWE_ID: 451 cwe_View_ID: 699 cwe_Ordinal: Primary

  • cwe_Nature: ChildOf cwe_CWE_ID: 451 cwe_View_ID: 1000 cwe_Ordinal: Primary

适用平台

Language: {'cwe_Class': 'Language-Independent', 'cwe_Prevalence': 'Undetermined'}

Paradigm: {'cwe_Name': 'Web Based', 'cwe_Prevalence': 'Sometimes'}

Technology: {'cwe_Name': 'Web Server', 'cwe_Prevalence': 'Sometimes'}

常见的影响

范围 影响 注释
['Integrity', 'Confidentiality'] Other An attacker may ultimately redirect a user to a malicious website, by deceiving the user into believing the URL they are accessing is a trusted domain. However, the attack can also be used to forge log entries by using homoglyphs in usernames. Homoglyph manipulations are often the first step towards executing advanced attacks such as stealing a user's credentials, Cross-Site Scripting (XSS), or log forgery. If an attacker redirects a user to a malicious site, the attacker can mimic a trusted domain to steal account credentials and perform actions on behalf of the user, without the user's knowledge. Similarly, an attacker could create a username for a website that contains homoglyph characters, making it difficult for an admin to review logs and determine which users performed which actions.

检测方法

Manual Dynamic Analysis

If utilizing user accounts, attempt to submit a username that contains homoglyphs. Similarly, check to see if links containing homoglyphs can be sent via email, web browsers, or other mechanisms.

可能的缓解方案

Implementation

策略:

Use a browser that displays Punycode for IDNs in the URL and status bars, or which color code various scripts in URLs. Due to the prominence of homoglyph attacks, several browsers now help safeguard against this attack via the use of Punycode. For example, Mozilla Firefox and Google Chrome will display IDNs as Punycode if top-level domains do not restrict which characters can be used in domain names or if labels mix scripts for different languages.

Implementation

策略:

Use an email client that has strict filters and prevents messages that mix character sets to end up in a user's inbox. Certain email clients such as Google's GMail prevent the use of non-Latin characters in email addresses or in links contained within emails. This helps prevent homoglyph attacks by flagging these emails and redirecting them to a user's spam folder.

示例代码

The following looks like a simple, trusted URL that a user may frequently access.

attack

http://www.еxаmрlе.соm

However, the URL above is comprised of Cyrillic characters that look identical to the expected ASCII characters. This results in most users not being able to distinguish between the two and assuming that the above URL is trusted and safe. The "e" is actually the "CYRILLIC SMALL LETTER IE" which is represented in HTML as the character &#x0435, while the "a" is actually the "CYRILLIC SMALL LETTER A" which is represented in HTML as the character &#x0430. The "p", "c", and "o" are also Cyrillic characters in this example. Viewing the source reveals a URL of "http://www.еxаmрlе.соm". An adversary can utilize this approach to perform an attack such as a phishing attack in order to drive traffic to a malicious website.

The following displays an example of how creating usernames containing homoglyphs can lead to log forgery.

Assume an adversary visits a legitimate, trusted domain and creates the account "admin" where the 'a' and 'i' characters are Cyrillic characters instead of the expected ACII. Any actions the adversary performs will be saved to the log file and look like they came from a legitimate administrator account.

result

123.123.123.123 аdmіn [17/Jul/2017:09:05:49 -0400] "GET /example/users/userlist HTTP/1.1" 401 12846
123.123.123.123 аdmіn [17/Jul/2017:09:06:51 -0400] "GET /example/users/userlist HTTP/1.1" 200 4523
123.123.123.123 аdmіn [17/Jul/2017:09:10:02 -0400] "GET /example/users/editusers HTTP/1.1" 200 6291
123.123.123.123 аdmіn [17/Jul/2017:09:10:02 -0400] "GET /example/users/editusers HTTP/1.1" 200 6291
123.123.123.123 аdmіn [17/Jul/2017:09:10:02 -0400] "GET /example/users/editusers HTTP/1.1" 200 6291
123.123.123.123 аdmіn [17/Jul/2017:09:10:02 -0400] "GET /example/users/editusers HTTP/1.1" 200 6291

However, upon closer inspection, the account that generated these log entries is "аdmіn". This makes it more difficult to determine which actions were performed by the adversary and which actions were executed by the legitimate "admin" account.

分析过的案例

标识 说明 链接
CVE-2013-7236 web forum allows impersonation of users with homoglyphs in account names https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7236
CVE-2012-0584 Improper character restriction in URLs in web browser https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0584
CVE-2009-0652 Incomplete blacklist does not include homoglyphs of "/" and "?" characters in URLs https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0652
CVE-2017-5015 web browser does not convert hyphens to punycode, allowing IDN spoofing in URLs https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5015
CVE-2005-0233 homoglyph spoofing using punycode in URLs and certificates https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0233
CVE-2005-0234 homoglyph spoofing using punycode in URLs and certificates https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0234
CVE-2005-0235 homoglyph spoofing using punycode in URLs and certificates https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0235

引用