
Issue 833143

Starred by 2 users

Issue metadata

Status: Fixed
Owner:
Closed: Jun 1
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Mac
Pri: 1
Type: Bug-Security
Team-Security-UX




Lao could lead to idn spoof

Reported by zxyrz...@gmail.com, Apr 15 2018

Issue description

UserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36

Steps to reproduce the problem:
http://xn--o7c4g.com/
http://xn--o7ca8kb.com/

What is the expected behavior?

What went wrong?
ຣ (U+0EA3) => s
໐ (U+0ED0) => o
ດ (U+0E94) => n
ຮ (U+0EAE) => s
ບ (U+0E9A) => u

For example, `so.com` and `soso.com` in the top domain list could be spoofed by these two characters: ຣ໐

Did this work before? N/A 

Chrome version: 65.0.3325.181  Channel: stable
OS Version: OS X 10.13.4
Flash Version: Shockwave Flash 29.0 r0
 
Attachment: soso.png (7.1 KB)
Components: UI>Browser>Omnibox UI>Security>UrlFormatting
Labels: -Pri-2 M-66 Security_Severity-Medium Security_Impact-Stable Pri-1
Owner: creis@chromium.org
Status: Assigned (was: Unconfirmed)
Cc: creis@chromium.org js...@chromium.org
Owner: mgiuca@chromium.org

Comment 3 by mgiuca@chromium.org, Apr 17 2018

Cc: -js...@chromium.org mgiuca@chromium.org
Owner: js...@chromium.org
jshin deals with domain name spoofing.

Comment 4 by js...@chromium.org, Apr 17 2018

U+0e11 (ฑ) and U+0e17 (ท) in Thai can have a similar issue. 

Comment 5 by zxyrz...@gmail.com, Apr 18 2018

As you mentioned Thai, I have considered it as well. U+0E01 (ก) is more similar to `n` in the address bar than U+0e11 (ฑ) and U+0e17 (ท), and U+0E1A (บ) is similar to `u` as well, but there are no more characters that look like common Latin characters; maybe U+0E1E (พ) is one.
Project Member

Comment 6 by sheriffbot@chromium.org, May 2 2018

jshin: Uh oh! This issue is still open and hasn't been updated in the last 14 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers?

If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one?

If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member

Comment 7 by sheriffbot@chromium.org, May 16 2018

jshin: Uh oh! This issue is still open and hasn't been updated in the last 28 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers?

If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one?

If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 8 by js...@chromium.org, May 22 2018

Status: Started (was: Assigned)
https://chromium-review.googlesource.com/c/chromium/src/+/1058710
Project Member

Comment 9 by bugdroid1@chromium.org, May 29 2018

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/8ac035c31d42cedcc2a772d7765622dc9f406240

commit 8ac035c31d42cedcc2a772d7765622dc9f406240
Author: Jungshik Shin <jshin@chromium.org>
Date: Tue May 29 20:16:30 2018

Add Lao/Thai spoofable entries


    U+0E1E (พ) => w
    U+0E9E (ພ) => w
    U+0E9F (ຟ) => w

    U+0EA3 (ຣ) => s
    U+0EAE (ຮ) => s

    U+0E1A (บ) => u
    U+0E9A (ບ) => u

    Note that U+0E1F(ฟ) and U+0E23 (ร) were added a while ago.

BUG= 833143 
TEST=components_unittests --gtest_filter=*IDN*

Change-Id: I882e7d272cdca1d80aa23be94b4d7906ff8653c1
Reviewed-on: https://chromium-review.googlesource.com/1058710
Reviewed-by: Peter Kasting <pkasting@chromium.org>
Commit-Queue: Jungshik Shin <jshin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#562565}
[modify] https://crrev.com/8ac035c31d42cedcc2a772d7765622dc9f406240/components/url_formatter/idn_spoof_checker.cc
[modify] https://crrev.com/8ac035c31d42cedcc2a772d7765622dc9f406240/components/url_formatter/top_domains/test_domains.list
[modify] https://crrev.com/8ac035c31d42cedcc2a772d7765622dc9f406240/components/url_formatter/top_domains/test_skeletons.gperf
[modify] https://crrev.com/8ac035c31d42cedcc2a772d7765622dc9f406240/components/url_formatter/url_formatter_unittest.cc
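
A simplified sketch of the check these entries feed, as an added example that is not part of the original thread and not Chromium's code: decode the Punycode labels, map the lookalikes listed in this issue to Latin, and compare the result against a top-domain list. `TOP_DOMAINS` is a constructed two-entry stand-in and the function names are hypothetical.

```python
# Added example: simplified skeleton check, not Chromium's idn_spoof_checker.cc.

# Lookalike mappings quoted in this issue (report and commit message).
CONFUSABLE_TO_LATIN = {
    "\u0E1E": "w",  # Thai PHO PHAN
    "\u0E9E": "w",  # Lao PHO TAM
    "\u0E9F": "w",  # Lao FO SUNG
    "\u0EA3": "s",  # Lao LO LING
    "\u0EAE": "s",  # Lao HO TAM
    "\u0E1A": "u",  # Thai BO BAIMAI
    "\u0E9A": "u",  # Lao BO
    "\u0ED0": "o",  # Lao DIGIT ZERO (from the report)
    "\u0E94": "n",  # Lao DO (from the report)
}

# Constructed stand-in for the top-domain list; the report names these two.
TOP_DOMAINS = {"so.com", "soso.com"}


def to_unicode(hostname):
    """Decode each xn-- label with the raw Punycode codec (no IDNA validation)."""
    labels = []
    for label in hostname.lower().split("."):
        if label.startswith("xn--"):
            try:
                label = label[4:].encode("ascii").decode("punycode")
            except UnicodeError:
                pass  # malformed label: keep the ASCII form unchanged
        labels.append(label)
    return ".".join(labels)


def skeleton(hostname):
    """Replace every known lookalike with its Latin counterpart."""
    return "".join(CONFUSABLE_TO_LATIN.get(ch, ch) for ch in to_unicode(hostname))


def spoofed_top_domain(hostname):
    """Return the top domain this host imitates, or None.

    On a match, a caller should display the hostname as Punycode.
    """
    skel = skeleton(hostname)
    if skel in TOP_DOMAINS and to_unicode(hostname) != skel:
        return skel
    return None
```

Both URLs from the report match: `xn--o7c4g.com` maps to `so.com` and `xn--o7ca8kb.com` maps to `soso.com`.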

Project Member

Comment 10 by sheriffbot@chromium.org, May 30 2018

Labels: -M-66 M-67
Status: Fixed (was: Started)
Fixed in trunk. Will see if we want to merge to M-67. 
Project Member

Comment 12 by sheriffbot@chromium.org, Jun 1

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Labels: reward-topanel
Project Member

Comment 14 by sheriffbot@chromium.org, Jun 8

Labels: Merge-Request-68
Project Member

Comment 15 by sheriffbot@chromium.org, Jun 8

Labels: -Merge-Request-68 Hotlist-Merge-Review Merge-Review-68
This bug requires manual review: M68 has already been promoted to the beta branch, so this requires manual review
Please contact the milestone owner if you have questions.
Owners: cmasso@(Android), kariahda@(iOS), bhthompson@(ChromeOS), abdulsyed@(Desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: -Merge-Review-68 Merge-Approved-68
Approving merge for 68. Branch: 3440
Labels: -reward-topanel reward-unpaid reward-500
*** Boilerplate reminders! ***
Please do NOT publicly disclose details until a fix has been released to all our users. Early public disclosure may cancel the provisional reward. Also, please be considerate about disclosure when the bug affects a core library that may be used by other products. Please do NOT share this information with third parties who are not directly involved in fixing the bug. Doing so may cancel the provisional reward. Please be honest if you have already disclosed anything publicly or to third parties. Lastly, we understand that some of you are not interested in money. We offer the option to donate your reward to an eligible charity. If you prefer this option, let us know and we will also match your donation - subject to our discretion. Any rewards that are unclaimed after 12 months will be donated to a charity of our choosing.
*********************************
Thanks zxyrzg02@ for the report! The VRP panel decided to award $500 for this report.
Labels: -reward-unpaid reward-inprocess
Cc: abdulsyed@chromium.org
Pls merge your change to M68 branch 3440 ASAP so we can pick it up for this week's Beta release. Merge has to happen latest by 1:00 PM PT tomorrow, Tuesday (06/19), so we can pick it up for Wednesday's Beta release.




Has this been merged yet to M68?
Project Member

Comment 22 by bugdroid1@chromium.org, Jul 18

Labels: -merge-approved-68 merge-merged-3440
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/66b0b8146b61b90c87a4100d76ab9c8e4723d42c

commit 66b0b8146b61b90c87a4100d76ab9c8e4723d42c
Author: Jungshik Shin <jshin@chromium.org>
Date: Wed Jul 18 00:05:52 2018

[M68 branch] Add Lao/Thai spoofable entries

    U+0E1E (พ) => w
    U+0E9E (ພ) => w
    U+0E9F (ຟ) => w

    U+0EA3 (ຣ) => s
    U+0EAE (ຮ) => s

    U+0E1A (บ) => u
    U+0E9A (ບ) => u

    Note that U+0E1F(ฟ) and U+0E23 (ร) were added a while ago.

BUG= 833143 
TEST=components_unittests --gtest_filter=*IDN*
TBR=abdulsyed@chromium.org,meacer@chromium.org

Change-Id: I882e7d272cdca1d80aa23be94b4d7906ff8653c1
Reviewed-on: https://chromium-review.googlesource.com/1058710
Reviewed-by: Peter Kasting <pkasting@chromium.org>
Commit-Queue: Jungshik Shin <jshin@chromium.org>
Cr-Original-Commit-Position: refs/heads/master@{#562565}
Reviewed-on: https://chromium-review.googlesource.com/1141215
Reviewed-by: Jungshik Shin <jshin@chromium.org>
Cr-Commit-Position: refs/branch-heads/3440@{#708}
Cr-Branched-From: 010ddcfda246975d194964ccf20038ebbdec6084-refs/heads/master@{#561733}
[modify] https://crrev.com/66b0b8146b61b90c87a4100d76ab9c8e4723d42c/components/url_formatter/idn_spoof_checker.cc
[modify] https://crrev.com/66b0b8146b61b90c87a4100d76ab9c8e4723d42c/components/url_formatter/top_domains/test_domains.list
[modify] https://crrev.com/66b0b8146b61b90c87a4100d76ab9c8e4723d42c/components/url_formatter/top_domains/test_skeletons.gperf
[modify] https://crrev.com/66b0b8146b61b90c87a4100d76ab9c8e4723d42c/components/url_formatter/url_formatter_unittest.cc

Labels: Release-0-M68
Labels: CVE-2018-6167 CVE_description-missing
Project Member

Comment 25 by sheriffbot@chromium.org, Sep 7

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: idn-spoof
