!!! RED ALERT: SHIELDS UP, TROJAN SOURCE HAS ARRIVED !!!

[Skybuck]

I haven't even read this document fully yet, but all signs point to MAJOR TROUBLE AHEAD for open source projects:

https://www.trojansource.codes/trojan-source.pdf

My recommendation is to hold all patches/pull requests until solutions/defense/shields are found !

Bye for now,
  Skybuck.

[NotATether]

If it was Star Trek, this would be the point where you're bombarded with so much gunfire that your shields drop to 6% or you have to abandon ship  

But I call bullshit on that paper. Simply running an xterm or other CMD/terminal that only supports ANSI character sets will mitigate this by making the code appear to be the malicious gibberish it really is.

My recommendation is to hold all patches/pull requests until solutions/defense/shields are found !

I don't think you've maintained an open source project but if you have you would know that it is clearly impossible to do this without opening yourself up more gunfire unpatched vulnerabilities.

[dlystyr]

Also, this is not so different to supply chain attacks if this was committed to a library. As a cybersecurity analyst, we vet any software and new updates in a sandbox before releasing them to production. We also have other security tools in place to stop malicious behaviour or alert us if any malicious behaviour is found.

Also agree on the command line with NotATether, most only support ANSI.

I could see in some cases how this can be a problem, but papers like this are only useful to bring information like this to the masses and people in cybersecurity as something to look out for. I doubt there are many of these attacks being exploited in the wild.

[Skybuck]

If it was Star Trek, this would be the point where you're bombarded with so much gunfire that your shields drop to 6% or you have to abandon ship  

But I call bullshit on that paper. Simply running an xterm or other CMD/terminal that only supports ANSI character sets will mitigate this by making the code appear to be the malicious gibberish it really is.

My recommendation is to hold all patches/pull requests until solutions/defense/shields are found !

I don't think you've maintained an open source project but if you have you would know that it is clearly impossible to do this without opening yourself up more gunfire unpatched vulnerabilities.

If this was Star Trek hmmm.... then we would believe our shields are ON while they are OFF lol.

Trigger:
if Shield = "OFF" then Shield = "ON"

Anyway... at least you admit there is a big fat problem by switching to CMD.exe, no more project source files for you, no more fancy pancy development environment for you ! LOL.

I wonder how many bugs/hints/warning messages are missed by CMD.EXE !

CMD.EXE on Windows 7 is immune indeed, not sure about powershell on Windows 11.

Anyway have fake with your fake shields ! LOL.

Fake vaccines, now we have FAKE SHIELDS and FAKE CODE LOL ! =D

Anyway on a more serious note, GITHUB has taken some precautions which can be seen here:

https://github.com/nickboucher/trojan-source/blob/main/C/commenting-out.c

and here:

https://github.blog/changelog/2021-10-31-warning-about-bidirectional-unicode-text/

So not all is bad.

Github was recently purchased by Microsoft, makes me wonder... are they trying to cover up something ?

[DaveF]

This has been known for YEARS and until some non programmers and clueless media people got a hold of it nobody cared.
This is one example I found dated 2017: https://github.com/golang/go/issues/20209
There is at least one more from a bit earlier that I can't find that more or less said the same thing.

Only people who don't program a lot or get paid to scare people think it's a big deal.
Edit take a look at: https://bugs.eclipse.org/bugs/show_bug.cgi?id=339146 you may have to create an account to see it.
-Dave

[PrimeNumber7]

My recommendation is to hold all patches/pull requests until solutions/defense/shields are found !

https://github.blog/changelog/2021-10-31-warning-about-bidirectional-unicode-text/

It looks like a solution has already been found.

I think the risks of this kind of attack is fairly low. The maintainers of most repos are not going to allow for random changes to comments or to docstrings.

In addition to throwing warnings when invisible chars is used, much of this vulnerability could be eliminated by using "returns" vs "return", standardizing when/where comments are allowed, and disallowing comments and docstrings to contain anything that would execute as code if it were not commented out.

[HeRetiK]

I think the risks of this kind of attack is fairly low. The maintainers of most repos are not going to allow for random changes to comments or to docstrings.

Yeah, I feel like malicious code changes similar to the proof of concepts in the paper would immediately raise some eyebrows. Not even for fear of invisible characters but because no one wants arbitrary, unhelpful comments sprinkled all over their code. Worse still, if the reviewer is aware of the existence of this kind of attack, the code and commenting style that is required to sneak unwanted logic in will immediately draw attention to itself. You might as well try your luck with an openly visible exploit that is accompanied by a comment that says "// totally not an exploit".

It is a fun attack vector but I don't think it's a very practical one, even ignoring the ease with which such an attempt can be thwarted on the compiler or editor level.

[PrimeNumber7]

I think the risks of this kind of attack is fairly low. The maintainers of most repos are not going to allow for random changes to comments or to docstrings.

Yeah, I feel like malicious code changes similar to the proof of concepts in the paper would immediately raise some eyebrows. Not even for fear of invisible characters but because no one wants arbitrary, unhelpful comments sprinkled all over their code. Worse still, if the reviewer is aware of the existence of this kind of attack, the code and commenting style that is required to sneak unwanted logic in will immediately draw attention to itself. You might as well try your luck with an openly visible exploit that is accompanied by a comment that says "// totally not an exploit".

It is a fun attack vector but I don't think it's a very practical one, even ignoring the ease with which such an attempt can be thwarted on the compiler or editor level.

When a pull request is being reviewed, all changes to the code (including comments) are highlighted, and all changes need to be justified. If someone is asking for a comment to be added to a method when no changes are being made to the method, nor has there been any confusion about the method by the userbase, the change will probably be rejected.

If a new function or method is being introduced into a codebase, there might be a bigger risk that the new function or method does not execute as it appears.

Unit testing should also catch these types of attacks. If someone modified code in order to get it to execute in a way that is different than is intended, unit tests for the affected function should fail.

[HCP]

I haven't even read this document fully yet

Maybe come back and let us know what you think after you have actually read the document fully.

Fake vaccines, now we have FAKE SHIELDS and FAKE CODE LOL ! =D

This forum needs a #facepalm emoji...

[NotATether]

I don't get why can't someone just code a small program to strip the UTF8 format characters out of the file in the first place? Even better if this functionality was integrated in git with a setting to disable it for individual files (eg. Those in RTL languages).

[Skybuck]

My first unicode bug discovery:

It was actually my deep dive into a bitcoin label/text/display bug, a long time ago, that alerted me for the first time of bugs in unicode implementations (windows, bitcoin used old vunerable api, instead of api_ex)

Now that I have dig deeper into the unicode standard a lot of puss is coming out:

Examples:

"The directional formatting characters are used only to influence the display ordering of text. In all other respects they should be ignored—they have no effect on the comparison of text or on word breaks, parsing, or numeric analysis."

"When working with bidirectional text, the characters are still interpreted in logical order—only the display is affected. The display ordering of bidirectional text depends on the directional properties of the characters in the text. Note that there are important security issues connected with bidirectional text: for more information, see [UTR36]."

^ And then the bomb of bombs:

https://www.unicode.org/reports/tr36/

^Unicode Security Considerations:
(Visual Security Issues, Internationalized Domain Names,Mixed-Script Spoofing,Single-Script Spoofing,Inadequate Rendering Support,Malicious Rendering,Bidirectional Text Spoofing,Glyphs in Complex Scripts,Syntax Spoofing,Missing Glyphs,Numeric Spoofs,IDNA Ambiguity,Punycode Spoofs UTF-8 Exploits ,Ill-Formed Subsequences,Substituting for Ill-Formed Subsequences,Text Comparison (Sorting, Searching, Matching) ,Buffer Overflows,Deletion of Code Points,Illegal Input Byte Sequences)

Damn they know about it too! Well thank you for making all our systems so unsafe!

Whoever thought that something as simple as our alphabet and text was safe, will be very disappointed!
.
.
.
.

So it turns out UNICODE is full of security bugs and considerations. YIKES !

This casts big doubts on the whole UNICODE system you might as well consider it a GIGANTIC NSA conspiracy to make all of our systems WEAK and HACKABLE.

Even if it's not a conspiracy the vunerabilities are sky-rocketing leading me to write the following text for you all:
.
.
.
.
Stop or slow down digitization.

Unfortunately and with a heavy heart I have to conclude that digitization is going too fast and appears to be too vulnerable.

Also thanks to politicians who pay academics to find vulnerabilities in hardware/equipment and software/codes.

In recent years, bangers of cracks/holes/vulnerabilities have been found in hardware/devices and software/codes.

Most of which have yet to be used by criminals.

We have a lot of trouble ahead of us.

The vulnerabilities are skyrocketing. ?You also notice it in the news, yet another ransomware attack, or failure of something.

It really can't go on like this.

I advise everyone to ask for or even stop digitization to give computer programmers and hardware programmers/designers/makers the time to plug gaps.

Finally, a personal touch, please don't abolish the teletext because I think that's fantastic lol, and we might regret the disappearance of the giro collection.

Please keep some non-digital systems standing! and also simpler systems/broadcast systems such as teletext
.
.
.
.
.
For bitcoin I will make an exception, the world may need an alternative currency system vs dollar/euro etc !

So keep working on BITCOIN ! =D

Update: Concerning the digitization:

Here's a simple idea how to do that:

Every information system that is used in the Country will be put on a list.

This list must then be completed/processed/treated by "security specialists".

They then go through systems on that list looking for vulnerabilities.

These must then be resolved.

There may be 1000 systems on that list.

After that, no new system may be added in the Country until that list has been reduced to 1000 or less.

1000 is an example it can also be more or less depending on what is sensible

Greetings,
  Skybuck.

[ABCbits]

Such attack should be detected easily using command git diff or GitHub compare features (on pull request or between different commit). Besides, even if the pull request/commit is accepted, it'll take before it's shipped as new version and there's time to detect such change.

[DaveF]

Such attack should be detected easily using command git diff or GitHub compare features (on pull request or between different commit). Besides, even if the pull request/commit is accepted, it'll take before it's shipped as new version and there's time to detect such change.

I've been looking around and for the real tech people it all seems to be a big nothing.
The people who get paid to discuss things and don't understand it seem to be running around screaming "the sky is falling"
Since, as you said, it will show up in any compare check and anything that does not display unicode which many desktop compilers don't. It sounds scarier then it really is.

I would really be more concerned about a real vulnerability like this: https://blog.talosintelligence.com/2021/10/apache-vuln-threat-advisory.html

-Dave

[NotATether]

This casts big doubts on the whole UNICODE system you might as well consider it a GIGANTIC NSA conspiracy to make all of our systems WEAK and HACKABLE.

Come on, you know better than to label security bugs as NSA conspiracies like this.

The vulnerabilities are skyrocketing. ?You also notice it in the news, yet another ransomware attack, or failure of something.

Most ransomware are the result of companies who are running old outdated software with ancient vulnerabilities, not by some funky stuff on last year's DEFCON or Black Hat World.

[Skybuck]

This casts big doubts on the whole UNICODE system you might as well consider it a GIGANTIC NSA conspiracy to make all of our systems WEAK and HACKABLE.

Come on, you know better than to label security bugs as NSA conspiracies like this.

The vulnerabilities are skyrocketing. ?You also notice it in the news, yet another ransomware attack, or failure of something.

Most ransomware are the result of companies who are running old outdated software with ancient vulnerabilities, not by some funky stuff on last year's DEFCON or Black Hat World.

Unfortunately NSA is not conspiracy theory, they have hacked about anything they can get their paws on and more ! LOL. The most funny one was hacking the POPE. He not talking to GOD, he talking to NSA.

Try to also look towards the future... how all of this can be exploited by scammers !

For bitcoin and other financial systems, swapping financial numbers comes to mind.

[Skybuck]

Anyways, it's time to test some of this code.

TEST 1 CODE section: OK SAFE

Code:

#include <stdio.h>
#include <stdbool.h>

int main() {
    bool isAdmin = false;
    /* } ⁦if (isAdmin)⁩ ⁦ begin admins only */
        printf("You are an admin.\n");
    /* end admins only  { ⁦*/
    return 0;
}

TEST 2 QUOTE: OK SAFE

#include <stdio.h>
#include <stdbool.h>

int main() {
    bool isAdmin = false;
    /* } ⁦if (isAdmin)⁩ ⁦ begin admins only */
        printf("You are an admin.\n");
    /* end admins only  { ⁦*/
    return 0;
}

TEST 3 JUST WEB COPY:, OK SAFE

#include <stdio.h>
#include <stdbool.h>

int main() {
    bool isAdmin = false;
    /* } ⁦if (isAdmin)⁩ ⁦ begin admins only */
        printf("You are an admin.\n");
    /* end admins only  { ⁦*/
    return 0;
}

TELETYPE: OK SAFE

#include <stdio.h>
#include <stdbool.h>

int main() {
    bool isAdmin = false;
    /* } ⁦if (isAdmin)⁩ ⁦ begin admins only */
        printf("You are an admin.\n");
    /* end admins only  { ⁦*/
    return 0;
}

SUPERSCRIPT: OK SAFE
<sup>#include <stdio.h>
#include <stdbool.h>

int main() {
    bool isAdmin = false;
    /* } ⁦if (isAdmin)⁩ ⁦ begin admins only */
        printf("You are an admin.\n");
    /* end admins only  { ⁦*/
    return 0;
}</sup>

SUBSCRIPT: OK SAFE

<sub>#include <stdio.h>
#include <stdbool.h>

int main() {
    bool isAdmin = false;
    /* } ⁦if (isAdmin)⁩ ⁦ begin admins only */
        printf("You are an admin.\n");
    /* end admins only  { ⁦*/
    return 0;
}</sub>

#include <stdio.h>
#include <stdbool.h>

Table column: OK SAFE

int main() {     bool isAdmin = false;     /* } ⁦if (isAdmin)⁩ ⁦ begin admins only */         printf("You are an admin.\n");     /* end admins only  { ⁦*/     return 0; }

TABLE: OK SAFE

#include <stdio.h> #include <stdbool.h> int main() {     bool isAdmin = false;     /* } ⁦if (isAdmin)⁩ ⁦ begin admins only */         printf("You are an admin.\n");     /* end admins only  { ⁦*/     return 0; }

GLOW: OK SAFE

#include <stdio.h>
#include <stdbool.h>

int main() {
    bool isAdmin = false;
    /* } ⁦if (isAdmin)⁩ ⁦ begin admins only */
        printf("You are an admin.\n");
    /* end admins only  { ⁦*/
    return 0;
}

SHADOW: OK SAFE
#include <stdio.h>
#include <stdbool.h>

int main() {
    bool isAdmin = false;
    /* } ⁦if (isAdmin)⁩ ⁦ begin admins only */
        printf("You are an admin.\n");
    /* end admins only  { ⁦*/
    return 0;
}

strikethrough: ok safe
#include <stdio.h>
#include <stdbool.h>

int main() {
    bool isAdmin = false;
    /* } ⁦if (isAdmin)⁩ ⁦ begin admins only */
        printf("You are an admin.\n");
    /* end admins only  { ⁦*/
    return 0;
}

LIST: OK SAFE

• #include <stdio.h>
  #include <stdbool.h>
  
  int main() {
      bool isAdmin = false;
      /* } ⁦if (isAdmin)⁩ ⁦ begin admins only */
          printf("You are an admin.\n");
      /* end admins only  { ⁦*/
      return 0;
  }

right align: OK SAFE

#include <stdio.h>
#include <stdbool.h>

int main() {
    bool isAdmin = false;
    /* } ⁦if (isAdmin)⁩ ⁦ begin admins only */
        printf("You are an admin.\n");
    /* end admins only  { ⁦*/
    return 0;
}

centered: OK SAFE

#include <stdio.h>
#include <stdbool.h>

int main() {
    bool isAdmin = false;
    /* } ⁦if (isAdmin)⁩ ⁦ begin admins only */
        printf("You are an admin.\n");
    /* end admins only  { ⁦*/
    return 0;
}

preformatted text: OK SAFE

#include <stdio.h>
#include <stdbool.h>

int main() {
    bool isAdmin = false;
    /* } ⁦if (isAdmin)⁩ ⁦ begin admins only */
        printf("You are an admin.\n");
    /* end admins only  { ⁦*/
    return 0;
}

left align: OK SAFE

#include <stdio.h>
#include <stdbool.h>

int main() {
    bool isAdmin = false;
    /* } ⁦if (isAdmin)⁩ ⁦ begin admins only */
        printf("You are an admin.\n");
    /* end admins only  { ⁦*/
    return 0;
}

THIS FORUM SOFTWARE IS PRETTY GOOD AND SAFE ! LOL. though that right align is a bit whack ! HAHA.

FOR NOW THIS FORUM SOFTWARE IS SKYBUCK APPROVED ! =D

[NotATether]

Skybuck, you do know there are lucrative bounties by theymos for finding a vuln in forum software (and disclosing it privately), right?

[PrimeNumber7]

Something along the below would need to be inserted into the codebase in order for someone to potentially gain administrative access:

Code:

def admin_check(uid, admin_uids):
    '''
    checks if a uid belongs to an administrator
    
    inputs:
    uid: int username identification number of account being checked
    admin_uids: list, each item in list is the uid of an admin
    
    returns:
    boolean will be False if uid is not in admin_uids, otherwise function will
    return True
    #an invisible char will cause the docstring to end two lines up
    '''
    for uid_ in admin_uids:
        if uid == uid:
            return True
    return False

So the actual code the compiler sees is:

Code:

def admin_check(uid, admin_uids):
    '''
    checks if a uid belongs to an administrator
    
    inputs:
    uid: int username identification number of account being checked
    admin_uids: list, each item in list is the uid of an admin
    
    returns:
    boolean will be False if uid is not in admin_uids, otherwise function will'''
    return True
    #an invisiable char will cause the docstring to end two lines up
    ''''''
    for uid_ in admin_uids:
        if uid == uid:
            return True
    return False

As you can see, the above function will go from checking the UID and comparing it to the UIDs in the admin_uids, it will simply return True when called.

The above should be caught when running unit tests. Even without being caught via unit tests, it should be fairly clear that something is wrong because everyone would have admin access. The bigger risk is if the above was a method in a class that gets inherited by other classes that are used, and are very rarely called. If someone can get a server to call the above method, they could gain administrative access.

When someone installs a library their software depends on, it will download that library and any dependencies to that library to their local computer. So if your server uses some_library_that_depends_on_malicious_libraryA you can trivially check malicious_libraryA (and all other libraries) for invisible characters.

[DaveF]

Good point. But i doubt his test is meaningful since SMF (Simple Machines Forum) is written in PHP while he posted C code.

If you go though all the crap that that account has been posting for the 10 years it's been here, you can see a lot of nonsensical rambling postings. With a bit of paranoia sprinkled in.

That and the total inability to use the code tags.

As I said and others have pointed out, this vulnerability has been known for years. But since some news outlets picked it up, it's now 'important'.

What is also interesting that I have seen in discussions now, is how many people code in the cloud. I always as does just about everyone I know do everything locally and then push it up to github or wherever. I never knew how many people are doing it all online and then pull and compile it locally. Guess I'm old.

-Dave

[dlystyr]

Good point. But i doubt his test is meaningful since SMF (Simple Machines Forum) is written in PHP while he posted C code.

What is also interesting that I have seen in discussions now, is how many people code in the cloud. I always as does just about everyone I know do everything locally and then push it up to github or wherever. I never knew how many people are doing it all online and then pull and compile it locally. Guess I'm old.

-Dave

Completely agree. I have seen some of these cloud IDE's such as Cloud9 (which is amazon now I think) and their interface cant offer half the functionality of what something like PyCharm, PHPStorm or VSCode can. Especially with the Git integration.