Bug 479336 (CVE-2009-0652)

IDN blacklist needs to include box-drawing characters

RESOLVED FIXED in mozilla1.9.2a1

Status

()

Core
Networking
P2
normal
RESOLVED FIXED
8 years ago
8 years ago

People

(Reporter: dveditz, Assigned: dveditz)

Tracking

({fixed1.8.1.21, fixed1.9.1, verified1.9.0.9})

Trunk
mozilla1.9.2a1
fixed1.8.1.21, fixed1.9.1, verified1.9.0.9
Points:
---
Bug Flags:
blocking1.9.1 +
blocking1.9.0.9 +
wanted1.9.0.x +
wanted1.8.1.x +

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [sg:low])

Attachments

(2 attachments)

(Assignee)

Description

8 years ago
The IDN code contains a blacklist of characters that are confusingly similar to others that automatically kick us into the punycode display. This is stored as the pref "network.IDN.blacklist_chars".

Apparently we're missing the box-drawing characters, and a recent talk at blackhat DC appears to have taken advantage of that to spoof an SSL connection to a bank.
https://www.blackhat.com/presentations/bh-dc-09/Marlinspike/BlackHat-DC-09-Marlinspike-Defeating-SSL.pdf

Since it's just a screen shot I can't be sure, but I can reproduce the results with those characters.
Flags: wanted1.9.0.x+
Flags: wanted1.8.1.x+
Flags: blocking1.9.1?
Flags: blocking1.9.0.8?
Flags: blocking1.8.1.next?
(Assignee)

Updated

8 years ago
Whiteboard: [sg:low]
(Assignee)

Comment 1

8 years ago
Specifically I meant 
 2571 BOX DRAWING LIGHT DIAGONAL UPPER RIGHT TO LOWER LEFT

There are other potential omissions from the list, characters that look similar to other characters we've already included. Should maybe consider
 066A ARABIC PERCENT SIGN 
   (and maybe 0609 and 060A depending on font)
 2052 COMMERCIAL MINUS SIGN
both are percent signs with tiny dots, which on my system/font made a pretty good slash in the URL field.
 2041 CARET INSERTION POINT (looks like a slash with a smudge on the bottom)

If we've included 05C3 HEBREW PUNCTUATION SOF PASUQ because it looks like a colon, shouldn't we also have
 02D0 MODIFIER LETTER TRIANGULAR COLON
 0589 ARMENIAN FULL STOP
 2236 RATIO
 A789 MODIFIER LETTER COLON

We've got 0702 SYRIAC SUBLINEAR FULL STOP. We might want to look into
 0701 SYRIAC SUPRALINEAR FULL STOP    (I doubt this one)
 0703 SYRIAC SUPRALINEAR COLON
 0704 SYRIAC SUBLINEAR COLON

We're inconsistent about fractions. We block on xBC and xBD but not xBE, and in the range 2153-215F which are all fractions we reject seven and allow six.

One that doesn't work in my font but shows up in the Unicode charts as a slash-like char is
 1735 PHILIPPINE SINGLE PUNCTUATION

In any case, we need to add 2571.
Yep, chuck them all in. If we find a letter that has this problem, we may have to stop and ask more questions, but if it's punctuation, I have no problem adding it.

Gerv
(Assignee)

Updated

8 years ago
Flags: blocking1.8.1.next?
(Assignee)

Updated

8 years ago
Assignee: nobody → dveditz
Flags: blocking1.9.0.8? → blocking1.9.0.8+
(Assignee)

Comment 3

8 years ago
Many of those punctuation characters probably would have been coalesced under NAMEPREP had they existed in earlier Unicode versions. Looks like the IETF is in the process of standardizing "IDNA2008" to replace the earlier IDNA2003 (rfc 3490,3491,3492) we're following.

I filed bug 479520 on looking into that for a future version, for now we should just blacklist these characters.

I didn't find any characters scarier than what Moxie Marlinspike revealed at BlackHat, unhiding this bug to reduce duplicate filings.
Group: core-security
Created attachment 363436 [details] [diff] [review]
patch - v1
Attachment #363436 - Flags: review?(gerv)
(Assignee)

Comment 5

8 years ago
Comment on attachment 363436 [details] [diff] [review]
patch - v1

r=dveditz

This much looks good.
Attachment #363436 - Flags: review?(gerv) → review+
Attachment #363436 - Flags: approval1.9.1?
Attachment #363436 - Flags: approval1.9.0.8?
http://hg.mozilla.org/mozilla-central/rev/a884555d99c5
Status: NEW → RESOLVED
Last Resolved: 8 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla1.9.2a1
(Assignee)

Comment 7

8 years ago
Comment on attachment 363436 [details] [diff] [review]
patch - v1

approved for 1.8.1.21 and 1.9.0.8, a=dveditz for release-drivers
Attachment #363436 - Flags: approval1.9.0.8?
Attachment #363436 - Flags: approval1.9.0.8+
Attachment #363436 - Flags: approval1.8.1.next+
Keywords: checkin-needed
(Assignee)

Comment 8

8 years ago
Fix checked into the 1.8 branch
Keywords: fixed1.8.1.21
(Assignee)

Comment 9

8 years ago
Fix checked into the 1.9.0 branch
Keywords: fixed1.9.0.8

Updated

8 years ago
Keywords: checkin-needed
Flags: blocking1.9.1? → blocking1.9.1+
Priority: -- → P2
Attachment #363436 - Flags: approval1.9.1? → approval1.9.1+
http://hg.mozilla.org/releases/mozilla-1.9.1/rev/4d2b36c2398a
Keywords: fixed1.9.1
Verified that fix is checked in for 1.9.0.
Keywords: fixed1.9.0.9 → verified1.9.0.9

Comment 12

8 years ago
Created attachment 371866 [details] [diff] [review]
1.8.0 version

Updated

8 years ago
Alias: CVE-2009-0652
You need to log in before you can comment on or make changes to this bug.