
Microsoft Win32 function to Microsoft .NET Framework API mapping

A good reference for finding the Win32 equivalent of a .NET API, and vice versa. It’s a bit dated to .NET 1.0 and 1.1, but it’s been useful.

http://msdn.microsoft.com/en-us/library/aa302340.aspx


Testing culture and Unicode aware string comparison methods in .NET

Brian has pointed out how some string comparison functions will perform an implicit uppercase when doing case-insensitive comparisons. Obviously this could open up security holes in applications performing input validation.

My quick analysis on this is – your software is safe unless I can control the culture tag. Recommendation: perform input validation prior to doing string comparison; otherwise these test cases might catch you off guard:

    // U+0130 LATIN CAPITAL LETTER I WITH DOT ABOVE will lowercase to i (U+0069)
    Compare("\u0130", "i", ignoreCase);
    // U+0131 LATIN SMALL LETTER DOTLESS I will uppercase to I (U+0049)
    Compare("\u0131", "I", ignoreCase);

But we need to take a closer look at some specific functions. Looking at StringComparer in Reflector, it eventually seems to go to:

    case StringComparison.OrdinalIgnoreCase:
        if (strA.IsAscii() && strB.IsAscii())
        {
            return nativeCompareOrdinal(strA, strB, true);
        }
        return TextInfo.CompareOrdinalIgnoreCase(strA, strB);

And since we’re not talking ASCII, TextInfo.CompareOrdinalIgnoreCase gets called:

    internal static unsafe int CompareOrdinalIgnoreCase(string str1, string str2)
    {
        return nativeCompareOrdinalIgnoreCase(InvariantNativeTextInfo, str1, str2);
    }

Which eventually interops with native libraries:

    [MethodImpl(MethodImplOptions.InternalCall)]
    private static extern unsafe int nativeCompareOrdinalIgnoreCase(void* pNativeTextInfo, string str1, string str2);

It seems to be using the Win32 comparison functions for Unicode, presumably CompareString or CompareStringEx; see http://msdn.microsoft.com/en-us/library/dd374047(VS.85).aspx#SC_comp_func.

If you can set a specific culture for, say, Turkey ‘tr-TR’ on the StringComparer, then both test cases return equal. I don’t get this because one of the tests would match if they were lowercased, while the other would match if uppercased, and I presumed there was only an uppercase comparison happening.

    // Test StringComparer.Create with CreateSpecificCulture
    if (sc.Compare(TestCases.Lowers, TestCases.ToLower) == 0)
    {
        Console.WriteLine("CreateSpecificCulture performs 'lowercase' comparisons: {0} and {1} are equal", TestCases.Lowers, TestCases.ToLower);
    }
    if (sc.Compare(TestCases.Uppers, TestCases.ToUpper) == 0)
    {
        Console.WriteLine("CreateSpecificCulture performs 'uppercase' comparisons: {0} and {1} are equal", TestCases.Uppers, TestCases.ToUpper);
    }

The result of this is:

CreateSpecificCulture performs 'lowercase' comparisons: I and i are equal
CreateSpecificCulture performs 'uppercase' comparisons: i and I are equal
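To make the point above concrete, here is an added example (not code from the post) that runs the two dotted/dotless-I test cases through the ordinal, invariant and tr-TR comparers side by side, and shows the recommended pattern of validating the untrusted input against an ASCII allow-list before any case-insensitive comparison is attempted. The allow-list rule (ASCII letters, digits, '_' and '-') is an assumption for the example.

```csharp
using System;
using System.Globalization;
using System.Linq;

static class TurkishIComparisonDemo
{
    // Constructed test pairs from the post: U+0130 against "i" and U+0131 against "I".
    static readonly (string A, string B)[] Pairs = { ("\u0130", "i"), ("\u0131", "I") };

    // Comparers under test; the tr-TR one is what an attacker-controlled culture tag would give you.
    static readonly (string Name, StringComparer Comparer)[] Comparers =
    {
        ("Ordinal",                    StringComparer.Ordinal),
        ("OrdinalIgnoreCase",          StringComparer.OrdinalIgnoreCase),
        ("InvariantCultureIgnoreCase", StringComparer.InvariantCultureIgnoreCase),
        ("tr-TR ignoreCase",           StringComparer.Create(new CultureInfo("tr-TR"), ignoreCase: true)),
    };

    // Allow-list validation performed before any comparison (assumed rule for this example):
    // only ASCII letters, digits, '_' and '-' are accepted.
    public static bool IsAsciiIdentifier(string s) =>
        !string.IsNullOrEmpty(s) &&
        s.All(c => c < 0x80 && (char.IsLetterOrDigit(c) || c == '_' || c == '-'));

    // Hardened check: anything that fails validation is rejected before the comparison,
    // and the comparison itself is culture-independent.
    public static bool SafeEqualsIgnoreCase(string untrusted, string expected) =>
        IsAsciiIdentifier(untrusted) &&
        string.Equals(untrusted, expected, StringComparison.OrdinalIgnoreCase);

    static void Main()
    {
        foreach (var (a, b) in Pairs)
            foreach (var (name, comparer) in Comparers)
                Console.WriteLine($"{name,-28} U+{(int)a[0]:X4} vs \"{b}\": " +
                                  (comparer.Compare(a, b) == 0 ? "equal" : "different"));

        // The dotless/dotted inputs never reach the comparison; plain ASCII still matches.
        Console.WriteLine("U+0131 vs I accepted? " + SafeEqualsIgnoreCase("\u0131", "I"));
        Console.WriteLine("i vs I accepted?      " + SafeEqualsIgnoreCase("i", "I"));
    }
}
```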


Advisory: Certain domain names could allow execution of arbitrary code in Opera

Opera released 10.01 recently, which fixed a memory corruption issue found with Casaba’s IDN/URI fuzzer.

http://www.opera.com/support/kb/view/938/


Microsoft BlueHat Unicode security testing talk

Thanks to the BlueHat crew for putting on such a well organized and quality event. I’m happy I was a part of it.

Someone in the audience (was that you?) noticed a new Internet Explorer bug during my visual spoofing demo! I was told not to bring any zero days, but there was no policy against finding them during the show luckily!

Microsoft releases BinScope and MiniFuzz to the public

BinScope is a binary analysis tool that checks binaries for compliance with Microsoft SDL policies.

A video demonstrating BinScope was also released.

Microsoft released one of their file fuzzing tools, MiniFuzz, and included a video demonstrating the fuzzing tool.


Unibomber tool for specialized XSS testing

At Black Hat I’m planning to demo a new tool we’ve been putting together at Casaba Security. It’s mostly a brute force input testing tool right now, aimed at finding cross-site scripting (XSS) bugs but with a unique set of techniques. It automates the testing process greatly, by auto-injecting a canary and ID into each input be it query string, HTTP header, or POST parameter.

It basically bombs a Web-app with a slew of Unicode characters to find XSS bugs – hence the name – Unibomber.

Appended to the canary is a special character – special because it can transform into a ‘dangerous’ character through normalization, casing, or best-fit mapping operations. So we end up injecting these special characters all over the place and then detecting where they get transformed and displayed as output.

The beauty is that we can find both reflected and persistent XSS bugs this way. It’s not a one-click tool though, this is intended rather for an experienced person, who knows how to find and exploit an XSS bug. The Unibomber assists the pen-tester by automating input-injection and ‘output encoding’ detection to find the vulnerability hotspots.
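The canary-plus-special-character idea described above, as an added example that is not the Unibomber code: a small harness that appends characters whose NFKC form is an HTML-significant character to a canary, pushes the result through an output pipeline, and reports which probes surface as the dangerous character next to the canary. The two pipelines are hypothetical stand-ins for an application that encodes before normalizing versus one that normalizes before encoding; the probe set is constructed for the example.

```csharp
using System;
using System.Collections.Generic;
using System.Net;
using System.Text;

static class TransformationProbeDemo
{
    // Constructed probe set: each character's NFKC form is a syntactically significant HTML character.
    static readonly (string Probe, string Becomes)[] Probes =
    {
        ("\uFF1C", "<"),    // FULLWIDTH LESS-THAN SIGN
        ("\uFF1E", ">"),    // FULLWIDTH GREATER-THAN SIGN
        ("\uFE64", "<"),    // SMALL LESS-THAN SIGN
        ("\uFF02", "\""),   // FULLWIDTH QUOTATION MARK
        ("\uFF07", "'"),    // FULLWIDTH APOSTROPHE
        ("\uFF0F", "/"),    // FULLWIDTH SOLIDUS
    };

    // Hypothetical wrong order: HTML-encode at input time, then a later layer normalizes.
    public static string EncodeThenNormalize(string s) =>
        WebUtility.HtmlEncode(s).Normalize(NormalizationForm.FormKC);

    // Correct order: normalize first, then encode for the HTML context just before output.
    public static string NormalizeThenEncode(string s) =>
        WebUtility.HtmlEncode(s.Normalize(NormalizationForm.FormKC));

    // Returns the probes whose dangerous form appears verbatim right after the canary in the output.
    public static List<string> FindHotspots(Func<string, string> pipeline, string canary)
    {
        var hits = new List<string>();
        foreach (var (probe, becomes) in Probes)
        {
            string output = pipeline(canary + probe);
            if (output.Contains(canary + becomes))
                hits.Add($"U+{(int)probe[0]:X4} -> '{becomes}'");
        }
        return hits;
    }

    static void Main()
    {
        const string canary = "ZX9Q";   // constructed marker; a real run would use a per-input ID
        Console.WriteLine("encode-then-normalize hotspots: " +
                          string.Join(", ", FindHotspots(EncodeThenNormalize, canary)));
        Console.WriteLine("normalize-then-encode hotspots: " +
                          string.Join(", ", FindHotspots(NormalizeThenEncode, canary)));
    }
}
```

WebUtility.HtmlEncode leaves characters above U+00FF untouched, so the fullwidth forms pass through an early encoder and only become '<' or '"' once normalization runs afterwards; the same harness can be pointed at any other pipeline function.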


Speaking at Black Hat USA on Unicode vulnerability testing and the Watcher tool

I’ll also be doing a Breakout Session in the Genoa room at 13:45 on July 29th, to go over the open source Web-security testing tool Watcher, and another new tool in the works. Come by and say hi!

Here’s an updated abstract for my Unicode talk:

Web-applications are being exploited every day as attackers find new vectors for performing cross-site scripting attacks. This talk will cover ways in which latent character and string handling can transform clever inputs into malicious outputs. Many application frameworks such as .NET and ICU enable these behaviors without the developer’s knowledge. String transformations through best-fit mappings, casing operations, normalization, over-consumption and other means will be discussed, with inputs useful for testing. A testing tool is also planned for release.

The current state of visual spoofing attacks will also be discussed. Phishing attacks are prevalent on the Web, and well-designed URLs can increase an attack’s chance of success. It’s eye-opening to see demonstrations of just how vulnerable modern Web browsers still are to many forms of visual spoofing attacks.


Advisory: Webkit – Visiting a maliciously crafted website may lead to a cross-site scripting attack

More from: http://support.apple.com/kb/HT3613

CVE-ID: CVE-2006-2783

Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.7, Mac OS X Server v10.5.7, Windows XP or Vista

Impact: Visiting a maliciously crafted website may lead to a cross-site scripting attack

Description: WebKit ignores Unicode byte order mark sequences when parsing web pages. Certain websites and web content filters attempt to sanitize input by blocking specific HTML tags. This approach to filtering may be bypassed and lead to cross-site scripting when encountering maliciously-crafted HTML tags containing byte order mark sequences. This update addresses the issue through improved handling of byte order mark sequences. Credit to Chris Weber of Casaba Security, LLC for reporting this issue.


Advisory: International Components for Unicode – Maliciously crafted content may bypass website filters and result in cross-site scripting

Update from: http://support.apple.com/kb/HT3613

CVE-ID: CVE-2009-0153

Available for: Windows XP or Vista

Impact: Maliciously crafted content may bypass website filters and result in cross-site scripting

Description: An implementation issue exists in ICU’s handling of certain character encodings. Using ICU to convert invalid byte sequences to Unicode may result in over-consumption, where trailing bytes are considered part of the original character. This may be leveraged by an attacker to bypass filters on websites that attempt to mitigate cross-site scripting. This update addresses the issue through improved handling of invalid byte sequences. For Mac OS X v10.5 systems, this issue is addressed in Mac OS X v10.5.7. Credit to Chris Weber of Casaba Security for reporting this issue.
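To illustrate the over-consumption bug class the advisory describes, here is an added example (not ICU's code and not from the advisory): a hypothetical lenient UTF-8 decoder that, after a multi-byte lead byte, swallows the following bytes as continuation bytes without checking their 10xxxxxx pattern, shown beside .NET's default replacement decoding and a strict decoder that rejects malformed input outright. The sample bytes are constructed for the example.

```csharp
using System;
using System.Text;

static class OverConsumptionDemo
{
    // Hypothetical lenient decoder modelling the bug class: the trailing bytes after a lead byte
    // are folded into the character whether or not they are valid continuation bytes.
    public static string LenientDecode(byte[] input)
    {
        var sb = new StringBuilder();
        for (int i = 0; i < input.Length; )
        {
            byte b = input[i];
            int extra = b < 0x80 ? 0 : (b & 0xE0) == 0xC0 ? 1 : (b & 0xF0) == 0xE0 ? 2 : (b & 0xF8) == 0xF0 ? 3 : 0;
            if (extra == 0) { sb.Append(b < 0x80 ? ((char)b).ToString() : "\uFFFD"); i++; continue; }

            int cp = b & (0x3F >> extra);   // payload bits of the lead byte (0x1F, 0x0F or 0x07 mask)
            for (int k = 1; k <= extra && i + k < input.Length; k++)
                cp = (cp << 6) | (input[i + k] & 0x3F);   // no check that the byte is 10xxxxxx
            bool valid = cp <= 0x10FFFF && (cp < 0xD800 || cp > 0xDFFF);
            sb.Append(valid ? char.ConvertFromUtf32(cp) : "\uFFFD");
            i += 1 + extra;                 // over-consumption: the swallowed bytes are gone
        }
        return sb.ToString();
    }

    // Strict decoder: throws on any malformed sequence so the input can be rejected at the boundary.
    static readonly Encoding StrictUtf8 =
        new UTF8Encoding(encoderShouldEmitUTF8Identifier: false, throwOnInvalidBytes: true);

    public static bool TryStrictDecode(byte[] input, out string text)
    {
        try { text = StrictUtf8.GetString(input); return true; }
        catch (DecoderFallbackException) { text = null; return false; }
    }

    static void Main()
    {
        // Constructed input: 'A', a lead byte 0xC2 with no continuation byte, then "<b>".
        byte[] input = { 0x41, 0xC2, 0x3C, 0x62, 0x3E };

        string lenient = LenientDecode(input);
        Console.WriteLine("lenient decode sees '<'?     " + lenient.Contains("<"));
        Console.WriteLine("replacement decode sees '<'? " + Encoding.UTF8.GetString(input).Contains("<"));
        Console.WriteLine("strict decode accepted?      " + TryStrictDecode(input, out _));
    }
}
```

A filter that inspects the replacement-decoded text and a consumer that decodes leniently disagree about whether a tag is present; rejecting malformed byte sequences at the input boundary removes the disagreement.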


Major applications fail to include full Unicode support

As I’ve found with most of the major Web-apps out there, including social media giants like Facebook and others, Unicode support is far from complete. I’m not a big MySQL guy, but have been building some stuff lately and ran into this:

http://dev.mysql.com/doc/refman/6.0/en/faqs-cjk.html#qandaitem-22-11-1-16

Basically, MySQL version < 6.0.4 doesn’t support characters outside the BMP (Basic Multilingual Plane), which seems to be a common pattern for a lot of software. The BMP is all code points 0x0000 to 0xFFFF; however, Unicode stretches far beyond, to 0x10FFFF. It makes sense I suppose; after all, the BMP is made of the most commonly used scripts, and the stuff beyond it (supplementary) is usually considered rare.
