Status: Fixed
Closed: May 26
OS: All
Pri: 1
Type: Bug-Security

Security: Additional whole-script confusable domain label spoofing (Cyrillic)
Reported by jackwill...@gmail.com, Apr 24 2017
VERSION
Chrome Version: 58.0.3029.81 stable
Operating System: windows 7

REPRODUCTION CASE

>>> x = "ӏіпкеԁіп.com"
>>> x.decode("utf-8")
u'\u04cf\u0456\u043f\u043a\u0435\u0501\u0456\u043f.com'

ӏіпкеԁіп.com is not linkedin.com


Components: UI>Browser>Omnibox UI>Security>UrlFormatting UI>Internationalization
This was raised in the original bug crbug.com/683314 comment #46 a few hours earlier; it is not fixed by the fix for that issue.

http://xn--e1ajoc5id65ftl.com/
Comment 2 by meacer@chromium.org, Apr 24 2017
Labels: -Restrict-View-SecurityTeam allpublic
I'm keeping the bug open so that CC's can determine whether to dupe it or not. I'm dropping view restrictions though, as this is already public on the other bug.
Comment 3 by palmer@chromium.org, Apr 25 2017
Cc: creis@chromium.org pkasting@chromium.org mgiuca@chromium.org
Labels: Security_Impact-Stable Security_Severity-Medium Team-Security-UX M-59 OS-All Pri-1
Status: Available
Summary: Security: Additional whole-script confusable domain label spoofing (Cyrillic) (was: Security: IDN Phishing using whole-script confusables on Windows)
Confirmed this works on Linux too, and on ToT as of last week. Not Windows-specific, or fixed. Explicitly CCing some relevant peeps.

#1: Does anyone know why the previous fix does not also fix this issue?
Comment 4 by creis@chromium.org, Apr 25 2017
Cc: n...@chromium.org
Owner: js...@chromium.org
Adding jshin@ for his thoughts, since he fixed  issue 683314 .
Project Member Comment 5 by sheriffbot@chromium.org, Apr 26 2017
Status: Assigned
Comment 6 by js...@chromium.org, Apr 28 2017
Sigh... I tried to avoid adding \u043a (к). It's not regarded as confusable with 'k' by the current Unicode confusables data (actually, 10.0 beta):

http://unicode.org/cldr/utility/confusables.jsp?a=%D3%8F%D1%96%D0%BF%D0%BA%D0%B5%D4%81%D1%96%D0%BF&r=None


Comment 7 by js...@chromium.org, Apr 28 2017
So, if we want to treat it as such, we have to add it to the list used to fix bug 683314.

Comment 8 by mmoroz@google.com, Apr 28 2017
Issue 716295 has been merged into this issue.
Cc: ncarter@chromium.org
I'm adding \u043a (к) to supplement Unicode's confusables list at
https://codereview.chromium.org/2784933002 . 

The way the CL works is different from the way bug 683314 was handled. Eventually, the fix for bug 683314 may as well be removed because the above CL is less likely to have a 'false rejection' while still protecting 'popular/top domains'.

As for 'ӏ' (U+04CF) vs 'l', I was hesitant as to whether or not to map ӏ to l in the above CL. It's like '1' (digit 1) vs 'l'. We don't do anything for '1inkedin.com'.

Anyway, the above CL has a much lower chance of false rejection, so I decided to include the U+04CF (ӏ) to 'l' mapping.
Project Member Comment 11 by bugdroid1@chromium.org, May 19
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/a8add0308ba6067eb3de5a8fe82f9c2f2460ad91

commit a8add0308ba6067eb3de5a8fe82f9c2f2460ad91
Author: jshin <jshin@chromium.org>
Date: Fri May 19 06:49:10 2017

Add checks against spoofing attempt at top domains

Remove diacritic marks from a hostname and calculate the confusability
skeleton of the accent-free name. Look it up in the pre-calculated list of
the skeletons of top 10k domains.

Removing diacritic marks from a hostname is equivalent to comparing names with
the primary collation strength in the root locale. To make them equivalent,
three mappings are added (ł > l; ø > o; đ > d) on top of the diacritic-removal.
Also add two more mappings ([кĸκ] > k,  п > n) to supplement the Unicode's
confusables list.

Binary file size increase: ~ 59kB for the DAFSA representation of top
domain name skeletons.

The IDN display policy check takes ~ 2µs longer on the average (3.3 µs => 5.5µs)
on my machine (per the test run over ~1 million IDNs in com TLD).

It adds about 1500 domains to the list of domains to display in Punycode out
of ~ 1 million IDNs in com TLD. (3018 => 4571)

In addition, disallow combining diacritic marks unless they're preceded by
Latin-Greek-Cyrillic.

BUG= 703750 , 714628 , 719199 , 722639 
TEST=components_unittests --gtest_filter=*IDNToUni*

Review-Url: https://codereview.chromium.org/2784933002
Cr-Commit-Position: refs/heads/master@{#473109}

[modify] https://crrev.com/a8add0308ba6067eb3de5a8fe82f9c2f2460ad91/components/url_formatter/BUILD.gn
[modify] https://crrev.com/a8add0308ba6067eb3de5a8fe82f9c2f2460ad91/components/url_formatter/idn_spoof_checker.cc
[modify] https://crrev.com/a8add0308ba6067eb3de5a8fe82f9c2f2460ad91/components/url_formatter/idn_spoof_checker.h
[add] https://crrev.com/a8add0308ba6067eb3de5a8fe82f9c2f2460ad91/components/url_formatter/top_domains/BUILD.gn
[add] https://crrev.com/a8add0308ba6067eb3de5a8fe82f9c2f2460ad91/components/url_formatter/top_domains/README
[add] https://crrev.com/a8add0308ba6067eb3de5a8fe82f9c2f2460ad91/components/url_formatter/top_domains/alexa_domains.list
[add] https://crrev.com/a8add0308ba6067eb3de5a8fe82f9c2f2460ad91/components/url_formatter/top_domains/alexa_skeletons.gperf
[add] https://crrev.com/a8add0308ba6067eb3de5a8fe82f9c2f2460ad91/components/url_formatter/top_domains/make_alexa_top_list.py
[add] https://crrev.com/a8add0308ba6067eb3de5a8fe82f9c2f2460ad91/components/url_formatter/top_domains/make_top_domain_gperf.cc
[modify] https://crrev.com/a8add0308ba6067eb3de5a8fe82f9c2f2460ad91/components/url_formatter/url_formatter.cc
[modify] https://crrev.com/a8add0308ba6067eb3de5a8fe82f9c2f2460ad91/components/url_formatter/url_formatter_unittest.cc

Project Member Comment 12 by bugdroid1@chromium.org, May 19
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/4eec0f46bf71277f9de364ea8f4fb2f41d894b16

commit 4eec0f46bf71277f9de364ea8f4fb2f41d894b16
Author: tsergeant <tsergeant@chromium.org>
Date: Fri May 19 07:24:38 2017

Revert of Mitigate spoofing attempt using Latin letters. (patchset #47 id:850001 of https://codereview.chromium.org/2784933002/ )

Reason for revert:
This CL is causing compile to fail on Win x64:
https://build.chromium.org/p/chromium/builders/Win%20x64/builds/11432

FAILED: obj/components/url_formatter/top_domains/make_top_domain_gperf/make_top_domain_gperf.obj
make_top_domain_gperf.cc(46): error C2220: warning treated as error - no 'object' file generated
make_top_domain_gperf.cc(46): warning C4267: 'argument': conversion from 'size_t' to 'int', possible loss of data

Original issue's description:
> Add checks against spoofing attempt at top domains
>
> Remove diacritic marks from a hostname and calculate the confusability
> skeleton of the accent-free name. Look it up in the pre-calculated list of
> the skeletons of top 10k domains.
>
> Removing diacritic marks from a hostname is equivalent to comparing names with
> the primary collation strength in the root locale. To make them equivalent,
> three mappings are added (ł > l; ø > o; đ > d) on top of the diacritic-removal.
> Also add two more mappings ([кĸκ] > k,  п > n) to supplement the Unicode's
> confusables list.
>
> Binary file size increase: ~ 59kB for the DAFSA representation of top
> domain name skeletons.
>
> The IDN display policy check takes ~ 2µs longer on the average (3.3 µs => 5.5µs)
> on my machine (per the test run over ~1 million IDNs in com TLD).
>
> It adds about 1500 domains to the list of domains to display in Punycode out
> of ~ 1 million IDNs in com TLD. (3018 => 4571)
>
> In addition, disallow combining diacritic marks unless they're preceded by
> Latin-Greek-Cyrillic.
>
> BUG= 703750 , 714628 , 719199 , 722639 
> TEST=components_unittests --gtest_filter=*IDNToUni*
>
> Review-Url: https://codereview.chromium.org/2784933002
> Cr-Commit-Position: refs/heads/master@{#473109}
> Committed: https://chromium.googlesource.com/chromium/src/+/a8add0308ba6067eb3de5a8fe82f9c2f2460ad91

TBR=rsleevi@chromium.org,pkasting@chromium.org,nick@chromium.org,brettw@chromium.org,emilyschechter@chromium.org,jshin@chromium.org
# Skipping CQ checks because original CL landed less than 1 day ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG= 703750 , 714628 , 719199 , 722639 

Review-Url: https://codereview.chromium.org/2889303003
Cr-Commit-Position: refs/heads/master@{#473118}

[modify] https://crrev.com/4eec0f46bf71277f9de364ea8f4fb2f41d894b16/components/url_formatter/BUILD.gn
[modify] https://crrev.com/4eec0f46bf71277f9de364ea8f4fb2f41d894b16/components/url_formatter/idn_spoof_checker.cc
[modify] https://crrev.com/4eec0f46bf71277f9de364ea8f4fb2f41d894b16/components/url_formatter/idn_spoof_checker.h
[delete] https://crrev.com/f677dc5c2d440d6e074a1d624e8a0b7a68371e08/components/url_formatter/top_domains/BUILD.gn
[delete] https://crrev.com/f677dc5c2d440d6e074a1d624e8a0b7a68371e08/components/url_formatter/top_domains/README
[delete] https://crrev.com/f677dc5c2d440d6e074a1d624e8a0b7a68371e08/components/url_formatter/top_domains/alexa_domains.list
[delete] https://crrev.com/f677dc5c2d440d6e074a1d624e8a0b7a68371e08/components/url_formatter/top_domains/alexa_skeletons.gperf
[delete] https://crrev.com/f677dc5c2d440d6e074a1d624e8a0b7a68371e08/components/url_formatter/top_domains/make_alexa_top_list.py
[delete] https://crrev.com/f677dc5c2d440d6e074a1d624e8a0b7a68371e08/components/url_formatter/top_domains/make_top_domain_gperf.cc
[modify] https://crrev.com/4eec0f46bf71277f9de364ea8f4fb2f41d894b16/components/url_formatter/url_formatter.cc
[modify] https://crrev.com/4eec0f46bf71277f9de364ea8f4fb2f41d894b16/components/url_formatter/url_formatter_unittest.cc

Project Member Comment 13 by sheriffbot@chromium.org, May 20
jshin: Uh oh! This issue is still open and hasn't been updated in the last 14 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers?

If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one?

If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member Comment 14 by bugdroid1@chromium.org, May 22
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/a586e96794b89bef4729b33369b8c2035564d376

commit a586e96794b89bef4729b33369b8c2035564d376
Author: jshin <jshin@chromium.org>
Date: Mon May 22 07:20:17 2017

Add checks against spoofing attempt at top domains

Original CL (https://codereview.chromium.org/2784933002) was reverted due to
a compile failure on win_x64 (not detected by CQ but detected post-landing).

That issue was addressed using checked_cast.

Remove diacritic marks from a hostname and calculate the confusability
skeleton of the accent-free name. Look it up in the pre-calculated list of
the skeletons of top 10k domains.

Removing diacritic marks from a hostname is equivalent to comparing names with
the primary collation strength in the root locale. To make them equivalent,
three mappings are added (ł > l; ø > o; đ > d) on top of the diacritic-removal.
Also add two more mappings ([кĸκ] > k,  п > n) to supplement the Unicode's
confusables list.

Binary file size increase: ~ 59kB for the DAFSA representation of top
domain name skeletons.

The IDN display policy check takes ~ 2µs longer on the average (3.3 µs => 5.5µs)
on my machine (per the test run over ~1 million IDNs in com TLD).

It adds about 1500 domains to the list of domains to display in Punycode out
of ~ 1 million IDNs in com TLD. (3018 => 4571)

In addition, disallow combining diacritic marks unless they're preceded by
Latin-Greek-Cyrillic.

TBR=pkasting@chromium.org
BUG= 703750 , 714628 , 719199 , 722639 
TEST=components_unittests --gtest_filter=*IDNToUni*
CQ_INCLUDE_TRYBOTS=master.tryserver.chromium.win:win_chromium_x64_rel_ng,win10_chromium_x64_rel_ng

Review-Url: https://codereview.chromium.org/2897873002
Cr-Commit-Position: refs/heads/master@{#473519}

[modify] https://crrev.com/a586e96794b89bef4729b33369b8c2035564d376/components/url_formatter/BUILD.gn
[modify] https://crrev.com/a586e96794b89bef4729b33369b8c2035564d376/components/url_formatter/idn_spoof_checker.cc
[modify] https://crrev.com/a586e96794b89bef4729b33369b8c2035564d376/components/url_formatter/idn_spoof_checker.h
[add] https://crrev.com/a586e96794b89bef4729b33369b8c2035564d376/components/url_formatter/top_domains/BUILD.gn
[add] https://crrev.com/a586e96794b89bef4729b33369b8c2035564d376/components/url_formatter/top_domains/README
[add] https://crrev.com/a586e96794b89bef4729b33369b8c2035564d376/components/url_formatter/top_domains/alexa_domains.list
[add] https://crrev.com/a586e96794b89bef4729b33369b8c2035564d376/components/url_formatter/top_domains/alexa_skeletons.gperf
[add] https://crrev.com/a586e96794b89bef4729b33369b8c2035564d376/components/url_formatter/top_domains/make_alexa_top_list.py
[add] https://crrev.com/a586e96794b89bef4729b33369b8c2035564d376/components/url_formatter/top_domains/make_top_domain_gperf.cc
[modify] https://crrev.com/a586e96794b89bef4729b33369b8c2035564d376/components/url_formatter/url_formatter.cc
[modify] https://crrev.com/a586e96794b89bef4729b33369b8c2035564d376/components/url_formatter/url_formatter_unittest.cc

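The commit message above (in both its first landing in comment 11 and the reland in comment 14) describes the check in prose: strip diacritics, compute a confusability skeleton, and look it up in a precomputed list of top-domain skeletons, plus the rule that combining marks must follow a Latin/Greek/Cyrillic base. The Python below is an added illustration of that pipeline, not Chromium's own code; it assumes a small constructed confusable table covering only the letters discussed on this page (Chromium uses ICU's full spoof-checker skeleton), a constructed stand-in for the top-domain DAFSA, and a block-range approximation of the script test, and it runs the reporter's domain from the reproduction case through the check.

```python
import unicodedata

# Constructed subset of the Unicode confusables data plus the five extra
# mappings the commit message names (ł > l, ø > o, đ > d, [кĸκ] > k, п > n).
# Chromium uses ICU's full spoof-checker skeleton; this table only covers the
# letters discussed in this bug.
CONFUSABLE_MAP = {
    "\u04cf": "l", "\u0456": "i", "\u043f": "n", "\u043a": "k", "\u0138": "k",
    "\u03ba": "k", "\u0435": "e", "\u0501": "d", "\u0430": "a", "\u043e": "o",
    "\u0440": "p", "\u0441": "c", "\u0443": "y", "\u0445": "x",
    # These three have no NFD decomposition, so diacritic removal alone would
    # not fold them to their Latin base; the CL maps them explicitly.
    "\u0142": "l", "\u00f8": "o", "\u0111": "d",
}

# Constructed stand-in for the precomputed DAFSA of top-domain skeletons.
TOP_DOMAIN_SKELETONS = {"linkedin.com", "google.com", "apple.com"}


def _is_latin_greek_cyrillic(ch):
    """Approximate script test by code-point block (assumption, not a full Unicode script lookup)."""
    cp = ord(ch)
    return ((ch.isascii() and ch.isalpha()) or 0x00C0 <= cp <= 0x024F
            or 0x0370 <= cp <= 0x03FF or 0x0400 <= cp <= 0x052F)


def has_stray_combining_mark(hostname):
    """A combining mark is only allowed directly after a Latin/Greek/Cyrillic base character."""
    prev = None
    for ch in hostname:
        if unicodedata.category(ch).startswith("M"):
            if prev is None or not _is_latin_greek_cyrillic(prev):
                return True
        else:
            prev = ch
    return False


def skeleton(hostname):
    """Strip diacritics (NFD, then drop marks) and fold confusables to their Latin look-alikes."""
    decomposed = unicodedata.normalize("NFD", hostname.lower())
    accent_free = "".join(c for c in decomposed if not unicodedata.category(c).startswith("M"))
    return "".join(CONFUSABLE_MAP.get(c, c) for c in accent_free)


def display_as_punycode(hostname):
    """True when the name should be shown in Punycode rather than as Unicode."""
    if hostname.isascii():
        return False  # the IDN display policy only applies to internationalized names
    if has_stray_combining_mark(hostname):
        return True
    return skeleton(hostname) in TOP_DOMAIN_SKELETONS


if __name__ == "__main__":
    reported = "\u04cf\u0456\u043f\u043a\u0435\u0501\u0456\u043f.com"  # domain from the report
    print(reported, "->", skeleton(reported), display_as_punycode(reported))
```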
This seems to be fixed.
Status: Fixed
Yes, as long as it's a spoofing attempt against top domains. And that's intended.


If we want to address this in M59, it needs a different change (a lot simpler; just add a few more Cyrillic letters to the set of Cyrillic letters looking similar to Latin), but I'm a bit reluctant to do that partly because an example given is not a very good homoglyph IMHO.


Comment 18 Deleted
Shouldn't this be reward-topanel?
Re #19: As this was previously disclosed in https://bugs.chromium.org/p/chromium/issues/detail?id=683314#c46, I suspect not.
Note: This bug report has the exact same text as the disclosure in https://crbug.com/683314#c46 and was posted 2 hours later.
Labels: -M-59 M-60
Labels: reward-0
I'm afraid the panel has looked at this and declined to reward. It will, however, likely get a CVE assigned when M60 goes stable.
Sounds good!
Project Member Comment 25 by sheriffbot@chromium.org, Jun 9
Labels: Merge-Request-60
Project Member Comment 26 by sheriffbot@chromium.org, Jun 9
Labels: -Merge-Request-60 Hotlist-Merge-Review Merge-Review-60
This bug requires manual review: Reverts referenced in bugdroid comments after merge request.
Please contact the milestone owner if you have questions.
Owners: amineer@(Android), cmasso@(iOS), josafat@(ChromeOS), bustamante@(Desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: -Merge-Review-60 Merge-Approved-60
Approving merge for M60.
Please merge the patch to the M60 branch (3112). Beta RC cut is scheduled @ 4.00 PM PST tomorrow (06/13).
Project Member Comment 29 by sheriffbot@chromium.org, Jun 15
Cc: abdulsyed@chromium.org
This issue has been approved for a merge. Please merge the fix to any appropriate branches as soon as possible!

If all merges have been completed, please remove any remaining Merge-Approved labels from this issue.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
ping..
Labels: -Hotlist-Merge-Review -Merge-Approved-60
#14 made it into 60, so no need for merge.
Labels: Release-0-M60
Labels: CVE-2017-5106
Project Member Comment 34 by bugdroid1@chromium.org, Aug 2
The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/overlays/chromiumos-overlay/+/444b343f4d6ae6e402443cc8b2e100fcc8d225fb

commit 444b343f4d6ae6e402443cc8b2e100fcc8d225fb
Author: Manoj Gupta <manojgupta@google.com>
Date: Wed Aug 02 19:47:47 2017

libcxx/libcxxabi: Fix dependency on sys-devel/llvm for host build.

libcxxabi:
libcxxabi does not specify llvm as its dependency. This results in
libcxxabi getting built ahead of llvm in chromiumos-sdk builder.
The build fails and succeeds after a retry after llvm is built.
Avoid the portage build error by adding llvm dependency.

libcxx:
Make the sys-devel/llvm dependency in libcxx conditional on cros_host.

BUG= chromium:747030 
BUG= chromium:714628 

TEST=equery d sys-devel/llvm shows libcxxabi.
TEST=emerge libcxxbi pulls in llvm if not installed.
TEST=verified that cros_host is listed in libcxx/libcxxabi USE flags in emerge.

Change-Id: I1bd6778f5f1756e93367e82ac75ba18486c19f0a
Reviewed-on: https://chromium-review.googlesource.com/595187
Commit-Ready: Manoj Gupta <manojgupta@chromium.org>
Tested-by: Manoj Gupta <manojgupta@chromium.org>
Reviewed-by: Mike Frysinger <vapier@chromium.org>

[rename] https://crrev.com/444b343f4d6ae6e402443cc8b2e100fcc8d225fb/sys-libs/libcxx/libcxx-4.0.0-r7.ebuild
[modify] https://crrev.com/444b343f4d6ae6e402443cc8b2e100fcc8d225fb/sys-libs/libcxxabi/libcxxabi-9999.ebuild
