[linux-misc] [Fwd: [Full-Disclosure] state of homograph attacks]

Markus Wernig markus at wernig.net
Mon Feb 7 21:59:18 CET 2005


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Sorry, das musste ich einfach forwarden. Die Sache ist einfach zu
unglaublich: Browser mit IDN- (International Domain Names)
Unterstuetzung (also alle ausser MSIE) sind anfaellig fuer eine harmlos
anmutende, aber potenziell toedliche Attacke: Sie koennen im Adressfeld
einen ganz anderen Domainnamen anzeigen, als die Seite, die sie gerade
darstellen. Und das sogar mit SSL und gueltigen Zertifikaten. Vgl.
angehaengtes Mail.

lg /markus

- -------- Original Message --------
Subject: [Full-Disclosure] state of homograph attacks
Date: Sun, 6 Feb 2005 17:53:32 -0800 (PST)
From: fulldisclosure at cubesearch.com
To: full-disclosure at lists.netsys.com

The state of homograph attacks

I.	Background

International Domain Name [IDN] support in modern browsers allows
attackers to spoof domain name URLs + SSL certs.

II.	Description

In December 2001, a paper was released describing Homograph attacks [1].
This new attack allows an attacker/phisher to spoof the domain/URLs of
businesses. At the time this paper was written, no browsers had
implemented Unicode/UTF8 domain name resolution.

Fast forward to today:  Verisign has championed International Domain Names
(IDN) [2].  RACES has been replaced with PUNYCODE [3].  Every recent
gecko/khtml based browser implements IDN (which is just about every
browser [4] except for IE; plug-in are available [5]).

III.	The details

Proof of concept URL:

http://www.shmoo.com/idn/

Clicking on any of the two links in the above webpage using anything but
IE should result in a spoofed paypal.com webpage.

The links are directed at "http://www.pаypal.com/", which the
browsers punycode handlers render as www.xn--pypal-4ve.com.

This is one example URL - - there are now many ways to display any domain
name on a browser, as there are a huge number of codepages/scripts which
look very similar to latin charsets.

Phishing attacks are the largest growing class of attacks on the internet
today.  I find it amusing that one of the large early adopters of IDN
offer an 'Anti-Phishing Solution' [6].

Finally, as a business trying to protect their identity, IDN makes their
life very difficult.  It is expected there will be many domain name
related conflicts related to IDN.

Vulnerable browsers include (but are not limited to):

Most mozilla-based browsers (Firefox 1.0, Camino .8.5, Mozilla 1.6, etc)
Safari 1.2.5
Opera 7.54
Omniweb 5

Other comment:

There are some inconsistencies with how the browsers match the host name
with the Common Name (CN) in the SSL cert.  Most browsers seem to match
the punycode encoded hostname with the CN, yet a few (try to) match the
raw UTF8 with the CN.  In practice, this makes it impossible to provide
'SSL' services effectively, ignoring the fact that IE doesn't yet support
them.

IV.	Detection

There are a few methods to detect that you are under a spoof attack.  One
easy method is to cut & paste the url you are accessing into notepad or
some other tool (under OSX, paste into a terminal window) which will allow
you to view what character set/pagecode the string is in.  You can also
view the details of the SSL cert, to see if it's using a punycode wrapped
version of the domain (starting with the string 'xn-'.

V.	Workaround

You can disable IDN support in mozilla products by setting
'network.enableIDN' to false.  There is no workaround known for Opera or
Safari.

VI.	Vendor Responses

Verisign: No response yet.
Apple:  No response yet.
Opera:  They believe they have correctly implemented IDN, and will not be
making any changes.
Mozilla:  Working on finding a good long-term solution; provided clear
workaround for disabling IDN.

VII.	Timeline

2002 - Original paper published on homograph attacks
2002-2005 - Verisign pushes IDN, and browsers start adding support for it
Jan 19, 2005 - Vendors notified of vulnerability
Feb 6, 2005 - Public disclosure @shmoocon 2005

VIII.	Copyright

This paper is copyright 2005, Eric Johanson  ericj at shmoo.com

Assistance provided by:
- - The Shmoo Group
- - The Ghetto Hackers

Thank you, you know who you are.

References:

[1] http://www.cs.technion.ac.il/~gabr/papers/homograph.html
[2]
http://www.verisign.com/products-services/naming-and-directory-services/naming-services/internationalized-domain-names/index.html

[3] http://mct.verisign-grs.com/index.shtml
[4]
http://www.verisign.com/products-services/naming-and-directory-services/naming-services/internationalized-domain-names/page_002201.html#01000002

[5] http://www.idnnow.com/index.jsp
[6]
http://www.verisign.com/verisign-business-solutions/anti-phishing-solutions/



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

- --
***************************************************
Markus Wernig
UNIX/Network Security Engineer - CISSP, CCSA
GPG - http://markus.wernig.net/pubkey - CA558BF7
- - -------------------------------------------------
Linux User Group Bern - http://lugbe.ch
Freie Software f. die Schweiz: http://wilhelmtux.ch
***************************************************
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (GNU/Linux)

iD8DBQFCB9al8BX/d8pVi/cRAgifAJ9+2bs84rFSI9Me1MzgD3X1bQLT9wCfQwAD
tShqf2hHJDH7dAEJcX8x/rA=
=RrZI
-----END PGP SIGNATURE-----


More information about the Linux-misc mailing list