New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.
Starred by 4 users

Issue metadata

Status: Fixed
Owner:
Closed: Sep 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , Android , Windows , Chrome , Mac
Pri: 1
Type: Bug-Security



Sign in to add a comment

Security: IDN spoofing with Combining Dot Above U+0307

Reported by gnehs...@gmail.com, Jul 28 2017

Issue description

DESCRIPTION:
IDN allows spoofing in Omnibox

VERSION
Chrome Version: Version 60.0.3112.78 (Official Build) (64-bit) stable
Operating System: Ubuntu 16.04.2 LTS

REPRODUCTION CASE

http://xn--unicode-8he.org/

>>> "xn--unicode-8he.org".decode("idna")
u'uni\u0307code.org'


 
Screenshot from 2017-07-29 00-54-17.png
35.5 KB View Download
Cc: js...@chromium.org
Components: UI>Browser>Omnibox UI>Internationalization
Status: Untriaged (was: Unconfirmed)
Summary: Security: IDN spoofing with Combining Dot Above U+0307 (was: Security: IDN allows spoofing in Omnibox)
This spoof works in Chrome 62.3168, although it's possible that registrar policies would prevent it from being registered.

https://unicode-table.com/en/0307/

Maybe related to Issue 727092?


Comment 2 by vakh@chromium.org, Jul 31 2017

Cc: -js...@chromium.org
Labels: OS-Chrome OS-Linux OS-Mac OS-Windows
Owner: js...@chromium.org
Status: Assigned (was: Untriaged)
jshin@ -- this is similar to other IDN spoofing bugs that you have fixed in the past so assigning to you for fixing or triage. thanks.

Please note that the spoof is somewhat apparent.
Labels: OS-Android
"Somewhat apparent" seems generous. I don't think more than one user in a thousand would ever notice this, even when looking closely. It's a pixel-perfect spoof on Android. 
Labels: Security_Severity-Medium Security_Impact-Stable
Project Member

Comment 5 by sheriffbot@chromium.org, Aug 2 2017

Labels: M-60
Project Member

Comment 6 by sheriffbot@chromium.org, Aug 2 2017

Labels: Pri-1

Comment 7 by js...@chromium.org, Aug 2 2017

Cc: markda...@google.com
Well,  unicode.org is not in the top domain list :-)  so this type of look-alike is passed through. It's a known issue. 

http://xn--microsoft-6jf.com/  (mi\u0307crosoft.com) is not allowed. 

So, "high value" domains (if they're in the list) are ok as shown in the above example. 

Repeated combining marks are also blocked. However, in this case, Latin small letter i is already normalized (it cannot be decomposed further - e.g. into dotless i + combining dot above - U+0307; if it were, "i + U+0307" would be blocked by the repeated combining mark rule).

We can think of blocking a sequence like 'i + U+0307, j + U+0307, etc". 

Comment 8 by js...@chromium.org, Aug 3 2017

> Repeated combining marks are also blocked. 

An example. "café" followed by U+0301 is blocked.  ( café́.com ==> xn--caf-dma49x.com/) 
Cc: mgiuca@chromium.org

Comment 10 by js...@chromium.org, Aug 10 2017

See bug 727092 comment 3 for U+3xx block. 
Project Member

Comment 11 by sheriffbot@chromium.org, Aug 25 2017

jshin: Uh oh! This issue still open and hasn't been updated in the last 14 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers?

If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one?

If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
I agree that we should forbid i\u0307

BTW, this isn't quite as much of a problem on a Mac, see screenshot1. The dot is clearly strange. And of course, the behavior might be different on Windows / Linux (or on different versions of them). 

However, I tested out various results, and some fonts "absorb" the dot and others don't, even on a Mac. See screenshot 2 (also https://docs.google.com/a/google.com/document/d/1XRQIFoBfKbcpClOXoOje35-Z20GVDo_M16G89vwfYSI/edit?usp=sharing)

Question: are there settings that will change the font showing in the address bar on Chrome?
Screen Shot 2017-08-25 at 15.46.44.png
45.9 KB View Download
Screen Shot 2017-08-25 at 15.52.11.png
37.2 KB View Download
Friendly security sheriff ping: is there progress on resolving this issue?
Project Member

Comment 14 by sheriffbot@chromium.org, Sep 6 2017

Labels: -M-60 M-61
Project Member

Comment 15 by sheriffbot@chromium.org, Sep 8 2017

jshin: Uh oh! This issue still open and hasn't been updated in the last 28 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers?

If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one?

If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 16 by js...@chromium.org, Sep 14 2017

> Question: are there settings that will change the font showing in the address bar on Chrome?

Afaik,there's no way to change that.  

Anyway, thank you for testing, Mark. 

Somehow, I forgot to land my CL ( https://chromium-review.googlesource.com/c/chromium/src/+/607907 ). I just sent it to CQ. 

Project Member

Comment 17 by bugdroid1@chromium.org, Sep 19 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/1f6acd54ee3765d5c1a6f14fc31ddd4a74145314

commit 1f6acd54ee3765d5c1a6f14fc31ddd4a74145314
Author: Jungshik Shin <jshin@chromium.org>
Date: Tue Sep 19 23:32:13 2017

IDN display: Block U+0307 after i or U+0131

U+0307 (dot above) after i, j, l, or U+0131 (dotless i) would be
very hard to see if possible at all. This is not blocked
by the 'repeated diacritic' check because i is not decomposed
into dotless-i + U+0307. So, it has to be blocked separately.

Also, change the indentation in the output of
idn_test_case_generator.py .

This change blocks 80+ domains out of a million IDNs in .com TLD.

BUG= 750239 
TEST=components_unittests --gtest_filter=*IDN*

Change-Id: I4950aeb7aa080f92e38a2b5dea46ef4e5c25b65b
Reviewed-on: https://chromium-review.googlesource.com/607907
Reviewed-by: Peter Kasting <pkasting@chromium.org>
Reviewed-by: Tom Sepez <tsepez@chromium.org>
Reviewed-by: Matt Giuca <mgiuca@chromium.org>
Commit-Queue: Jungshik Shin <jshin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#502987}
[modify] https://crrev.com/1f6acd54ee3765d5c1a6f14fc31ddd4a74145314/components/url_formatter/idn_spoof_checker.cc
[modify] https://crrev.com/1f6acd54ee3765d5c1a6f14fc31ddd4a74145314/components/url_formatter/url_formatter_unittest.cc
[modify] https://crrev.com/1f6acd54ee3765d5c1a6f14fc31ddd4a74145314/tools/security/idn_test_case_generator.py

Comment 18 by js...@chromium.org, Sep 20 2017

Status: Fixed (was: Assigned)
Project Member

Comment 19 by sheriffbot@chromium.org, Sep 20 2017

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify

Comment 20 by js...@chromium.org, Sep 21 2017

Labels: Merge-Request-62
Merge-requesting for M62. This CL is very safe and has been baked in canary. 
Project Member

Comment 21 by sheriffbot@chromium.org, Sep 21 2017

Labels: -Merge-Request-62 Merge-Review-62 Hotlist-Merge-Review
This bug requires manual review: M62 has already been promoted to the beta branch, so this requires manual review
Please contact the milestone owner if you have questions.
Owners: amineer@(Android), cmasso@(iOS), bhthompson@(ChromeOS), abdulsyed@(Desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: -Merge-Review-62 Merge-Approved-62
Approving merge to M62. branchL3
branch:3202*
Labels: reward-topanel
Reminder to please merge to M62 branch 3202 asap.
Labels: -reward-topanel reward-unpaid reward-500
*** Boilerplate reminders! ***
Please do NOT publicly disclose details until a fix has been released to all our users. Early public disclosure may cancel the provisional reward. Also, please be considerate about disclosure when the bug affects a core library that may be used by other products. Please do NOT share this information with third parties who are not directly involved in fixing the bug. Doing so may cancel the provisional reward. Please be honest if you have already disclosed anything publicly or to third parties. Lastly, we understand that some of you are not interested in money. We offer the option to donate your reward to an eligible charity. If you prefer this option, let us know and we will also match your donation - subject to our discretion. Any rewards that are unclaimed after 12 months will be donated to a charity of our choosing.
*********************************
The VRP panel decided to award $500 for this report - many thanks!
Labels: -reward-unpaid reward-inprocess
Project Member

Comment 29 by bugdroid1@chromium.org, Oct 10 2017

Labels: -merge-approved-62 merge-merged-3202
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/37891167031e03efa0b5ef073d79f3c525bfb1cf

commit 37891167031e03efa0b5ef073d79f3c525bfb1cf
Author: Jungshik Shin <jshin@chromium.org>
Date: Tue Oct 10 20:46:20 2017

[Merge M62] IDN display: Block U+0307 after i or U+0131

U+0307 (dot above) after i, j, l, or U+0131 (dotless i) would be
very hard to see if possible at all. This is not blocked
by the 'repeated diacritic' check because i is not decomposed
into dotless-i + U+0307. So, it has to be blocked separately.

Also, change the indentation in the output of
idn_test_case_generator.py .

This change blocks 80+ domains out of a million IDNs in .com TLD.

BUG= 750239 
TEST=components_unittests --gtest_filter=*IDN*
TBR=abdulsyed

Change-Id: I4950aeb7aa080f92e38a2b5dea46ef4e5c25b65b
Reviewed-on: https://chromium-review.googlesource.com/607907
Reviewed-by: Peter Kasting <pkasting@chromium.org>
Reviewed-by: Tom Sepez <tsepez@chromium.org>
Reviewed-by: Matt Giuca <mgiuca@chromium.org>
Commit-Queue: Jungshik Shin <jshin@chromium.org>
Cr-Original-Commit-Position: refs/heads/master@{#502987}(cherry picked from commit 1f6acd54ee3765d5c1a6f14fc31ddd4a74145314)
Reviewed-on: https://chromium-review.googlesource.com/709919
Reviewed-by: Jungshik Shin <jshin@chromium.org>
Cr-Commit-Position: refs/branch-heads/3202@{#645}
Cr-Branched-From: fa6a5d87adff761bc16afc5498c3f5944c1daa68-refs/heads/master@{#499098}
[modify] https://crrev.com/37891167031e03efa0b5ef073d79f3c525bfb1cf/components/url_formatter/idn_spoof_checker.cc
[modify] https://crrev.com/37891167031e03efa0b5ef073d79f3c525bfb1cf/components/url_formatter/url_formatter_unittest.cc
[modify] https://crrev.com/37891167031e03efa0b5ef073d79f3c525bfb1cf/tools/security/idn_test_case_generator.py

Comment 30 by js...@chromium.org, Oct 13 2017

Cc: sffc@google.com
Labels: M-62 Release-0-M62

Comment 32 by js...@chromium.org, Oct 17 2017

 Issue 774842  has been merged into this issue.
Labels: CVE-2017-15390
Project Member

Comment 34 by sheriffbot@chromium.org, Dec 27 2017

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: CVE_description-submitted

Sign in to add a comment