logo
allArticlesConferencesPresentations

HostSplit: Exploitable Antipatterns in Unicode Normalization

Conference:  BlackHat USA 2019

2019-08-08

Summary

The vulnerability of Unicode normalization in hostnames can be exploited to steal tokens and compromise security. Best practices include using ASCII for all hostname comparisons, using STD three ASCII Rules flag for conversions, and writing wrapper functions to prevent vulnerabilities in platform code.
  • Unicode normalization in hostnames can be exploited to steal tokens and compromise security
  • Software should make all decisions about hostnames using ASCII
  • Use STD three ASCII Rules flag for conversions
  • Write wrapper functions to prevent vulnerabilities in platform code
The vulnerability was exploited in Office 365 by using a redirect to steal tokens. The attack was made easier by the use of open redirects. The vulnerability can also be used against email and other network protocols that use hostnames. Best practices include testing software for Unicode normalization vulnerabilities and only comparing hostnames as ASCII.

Abstract

This talk demonstrates new exploit techniques that leverage Unicode normalization behavior to bypass URL security filters and, in some cases, allow one domain to impersonate another. Where previous attacks against internationalized domain names relied on visual spoofing, these attacks fool software with URL strings that are parsed as belonging to one hostname but resolved as belonging to a different host name.The vulnerabilities that enable these attacks are widespread, because they result from practical compromises in implementing IDNA standards. The author of this talk identified several new CVE's which will be discussed, including vulnerabilities in Edge/IE, .NET, Python, Java, Office 365, and Gmail. A more general exploit pattern against OAuth is also explained.Although some platform-level problems have already been corrected, many of the fixes for these vulnerabilities will need to be made at an application level. It is likely that there are still many software packages with Unicode normalization vulnerabilities of this type. This talk discusses methods to test for these vulnerabilities as well as coding and design best practices for preventing them.
Materials:
Slides
Paper
Tags:

Post a comment

Related work

New Phishing Attacks Exploiting OAuth Authentication Flows

Conference:  Defcon 29
Authors:
2021-08-01

Defending against chained attacks on your SSO/OAuth identity system

Conference:  Global AppSec San Francisco 2022
Authors: Jenko Hwong
2022-11-18

Second Breakfast: Implicit and Mutation-Based Serialization Vulnerabilities in .NET

Conference:  Defcon 31
Authors: Jonathan Birch Principal Security Software Engineer, Microsoft
2023-08-01

You have No Idea Who Sent that Email: 18 Attacks on Email Sender Authentication

Conference:  BlackHat USA 2020
Authors:
2020-08-06

A new class of DNS vulnerabilities affecting many DNS-as-Service platforms

Conference:  Defcon 29
Authors:
2021-08-01

Crashing Your Way to Medium-IL: Exploiting the PDB Parser for Privilege Escalation

Conference:  BlackHat USA 2021
Authors:
2021-08-04