WYSIWYDS – What You See Is What You Don’t See

There is a lot of vulnerability research focused on bugs in APIs that work with fonts.

Today I came up with a slightly different type of possible font vulnerability which I could not test in practice (although I tried). The idea is visual in nature and if it works, could be the case of a first font-based ‘rootkit’ 😉

I am kidding of course, but let me explain the idea.

We are so used to trusting what we see on the screen that it’s very easy to fall victim to various Unicode tricks (same-looking letters in different scripts have different Unicode code points, right-to-left override, etc.). I was wondering what would happen if, instead of using all the old tricks, we actually changed the font itself and replaced some of its character definitions with our own (or added new ones). The new/modified characters could then be used to name malicious files, and users would be none the wiser, as the names of the files would mimic the ASCII names that users are familiar with.

A kinda impersonation on a different level.

To test the idea I changed my console window font to Lucida, and then used FontForge to distort the letter ‘A’ just for a test. I then exported the result to a TTF file and replaced the c:\WINDOWS\Fonts\lucon.ttf with my new TTF.

I then restarted the system and started the cmd.exe.

To my horror, the screen looked like this:

Looks like FontForge corrupted the TTF file, so I should probably look for a better TTF editor…

I ran the test on Win7, so it’s a very limited scope, but one thing is for sure – I managed to replace the font, and have it assigned to the cmd terminal (even if it didn’t work); I guess that if it worked I would see that ugly, disfigured ‘A’ I modded.

The idea is lame, the test was unsuccessful, nothing else to report…

You may be wondering why even writing about it?

For starters, a possible ability to fool the user is one thing.

The other thing is security tools. While they scan the system and present the information, how can we be sure that what they present is exactly what was intended? Think of e.g. Task Manager or Autoruns. They use ‘MS Sans Serif’ and ‘MS Shell Dlg 2’ to show stuff. Say you name your program ‘\x6000\x6001\x6002\x6003\x6004\x6005\x6006\x6007\x6008\x6009\x6008’ and change the TTF characters to present the string as ‘svchost.exe’.

Who (except technical people) seeing such a well-known process name will suspect anything dodgy?

The strings printed on our screens are just visual representations – what lies underneath can be a completely different story.

Bonus:

Looks like my toying around does trigger real-world vulnerabilities too; when I tried to toy around with the properties of the cmd window where my corrupted font was loaded I managed to cause the conhost.exe associated with my terminal process to crash. It was on an old, unpatched version of Windows 7 so it’s probably an old vuln, but my guess is… this could be yet another case that may be a result of trusting API functions w/o checking the results.

Software that processes such modified names outside the system where the TTF was modified will obviously see through it easily – any EDR or forensic suite will show weird characters where one would expect something readable…
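The check an EDR or forensic tool effectively performs can be written down explicitly. This is an added example (not the post’s own code): it walks a constructed list of process/file names and reports every code point outside printable ASCII together with its Unicode category, so a name that merely renders as ‘svchost.exe’ under a swapped font stands out as bytes it is not.

```python
import unicodedata

# Constructed sample names. The CJK string mirrors the post's
# '\x6000...\x6008' example; the others are classic look-alike tricks.
SAMPLE_NAMES = [
    "svchost.exe",
    "\u6000\u6001\u6002\u6003\u6004\u6005\u6006\u6007\u6008\u6009\u6008",
    "\uE000svchost.exe",      # private-use code point: renders as whatever the font says
    "sv\u0441host.exe",       # Cyrillic 'es' in place of Latin 'c'
    "invoice\u202Eexe.txt",   # right-to-left override
]


def classify_char(ch):
    """Return a reason string for a character outside printable ASCII, else None."""
    cp = ord(ch)
    if 0x20 <= cp < 0x7F:
        return None
    cat = unicodedata.category(ch)
    if cat == "Co":
        return "private-use"       # glyph meaning is entirely font-defined
    if cat == "Cf":
        return "format-control"    # e.g. U+202E RIGHT-TO-LEFT OVERRIDE
    if cat.startswith("C"):
        return "control"
    return "non-ascii"             # letters from other scripts, confusables, CJK, ...


def audit_name(name):
    """List (index, 'U+XXXX', reason, Unicode name) for every suspicious character."""
    findings = []
    for i, ch in enumerate(name):
        reason = classify_char(ch)
        if reason:
            findings.append((i, f"U+{ord(ch):04X}", reason,
                             unicodedata.name(ch, "<unnamed>")))
    return findings


def audit_names(names):
    """Map each name that has findings to them; clean ASCII names are omitted."""
    report = {}
    for n in names:
        findings = audit_name(n)
        if findings:
            report[n] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit_names(SAMPLE_NAMES).items():
        print(repr(name))
        for f in findings:
            print("   ", f)
```

The check flags rather than proves: it cannot know how the installed font draws a code point, which is exactly why a name that does not survive this filter deserves a second look.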

And of course, replacing system fonts requires admin privileges. The goal of the post is not to say it’s easy, more that it’s possible.

If you have better font editing skills/software and manage to successfully test the idea please let me know. Thanks.

It’s understood… that EU dudes… sell GDPRization…

I’ve been recently thinking of GDPR, and its influence on non-EU websites… in particular, I was curious how the legislation affects the user experience of non-EU sites for visitors from the EU. We hear about many websites in the US simply denying access, e.g. LA Times:

but I was curious how many other web sites really do so…

I came up with a quick & dirty (and pretty simple) idea of checking how the popular web sites respond to the regulation… by visiting them and taking a screenshot.

Of course, a manual check would be too labor-intensive, so I automated it.

First, I needed a list of the top world web sites, so I downloaded the Cisco Umbrella list. I know it’s biased, but I don’t know any better source (since the free Alexa top 1M is long gone, and others – I really don’t know how accurate they are).

I then created a simple script in Perl to extract the first 10000 top unique domains from the list (and exclude all subdomains on the way):

#!/usr/bin/perl
use strict;
use warnings;

# Reads the Cisco Umbrella list ("rank,domain" per line) on stdin and prints
# the first 10000 unique two-label domains. A host with a subdomain (or a
# multi-label suffix such as co.uk) has more than one dot and does not match,
# so it is skipped.
my %h;
my $cnt = 0;
while (<>)
{
  chomp;        # strip the newline, and a trailing CR if the file is CRLF
  s/\r$//;
  if (/,([^\.]+\.[^\.]+$)/)
  {
    if (!defined($h{$1}))
    {
      print "$1\n";   # one domain per line
      $h{$1}++;
      $cnt++;
      exit if $cnt >= 10000;
    }
  }
}

Next, I wrote a simple phantomjs script to grab a screenshot of these domains (all accessed via http, then rerunning with https for those that didn’t work):

// Usage: phantomjs <this script> <url> <output.png>
var system = require('system');
var page = require('webpage').create();
page.viewportSize = { width: 1024, height: 768 };
page.clipRect = { top: 0, left: 0, width: 1024, height: 768 };
var address = system.args[1];
var output  = system.args[2];
page.open(address, function (status) {
  page.render(output);   // save whatever was loaded as a PNG
  // non-zero exit code marks a failed load so the domain can be retried over https
  phantom.exit(status === 'success' ? 0 : 1);
});

And then I ran phantomjs on the domains from this data set… each page visited is saved as a png.
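The domain-extraction step above can be generalized a little. This is an added example (not the post’s own code): it keeps the Perl script’s rule of skipping subdomain rows, tolerates CRLF input, and additionally recognizes multi-label public suffixes such as co.uk, which the two-label regex silently drops. The suffix set is a constructed subset; a real run would load the full Public Suffix List.

```python
# Constructed public-suffix subset (a real run would load the Public Suffix List).
PUBLIC_SUFFIXES = {"com", "net", "org", "io", "co.uk", "org.uk", "com.au"}

# Constructed sample in the Umbrella "rank,domain" format, with CRLF line ends.
SAMPLE_LINES = [
    "1,google.com\r\n",
    "2,www.google.com\r\n",      # subdomain: skipped, like in the Perl script
    "3,bbc.co.uk\r\n",           # multi-label suffix: kept here, dropped by the regex
    "4,news.bbc.co.uk\r\n",
    "5,example.org\r\n",
    "6,google.com\r\n",          # duplicate rank entry
    "7,localhost\r\n",           # no known suffix
    "8,example.xyz",             # unknown suffix (not in the constructed set)
]


def registrable_domain(host, suffixes=PUBLIC_SUFFIXES):
    """Return (registrable_domain, is_subdomain), or None if no known suffix."""
    labels = host.lower().rstrip(".").split(".")
    # Smallest k gives the longest candidate suffix, so "co.uk" wins over "uk".
    for k in range(1, len(labels)):
        if ".".join(labels[k:]) in suffixes:
            return ".".join(labels[k - 1:]), k - 1 > 0
    return None


def top_domains(csv_lines, n, suffixes=PUBLIC_SUFFIXES):
    """First n unique registrable domains, skipping subdomain rows and unknown suffixes."""
    seen, out = set(), []
    for line in csv_lines:
        line = line.strip()
        if not line:
            continue
        _, _, host = line.partition(",")
        res = registrable_domain(host, suffixes)
        if res is None:
            continue
        domain, is_sub = res
        if is_sub or domain in seen:
            continue
        seen.add(domain)
        out.append(domain)
        if len(out) >= n:
            break
    return out


if __name__ == "__main__":
    print("\n".join(top_domains(SAMPLE_LINES, 10000)))
```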

To my surprise, the experiment didn’t work as I anticipated.

Most of the web sites visited didn’t really make any comment on GDPR and it was business as usual. Some offer an option to accept new privacy policies. In the end I only came up with a bunch of examples.

Still, it was worth trying…

Lessons learned…

  • Some web sites detect phantom JS as a bot – they will block your IP, or offer a captcha challenge
  • Lots of top domains don’t even host a web site; you can see default IIS, Nginx pages, errors (404, 403s ;))
  • Privacy banners, if they exist, are handled in many different ways – from simple OK, to more advanced settings with a multi-choice questionnaire; I include some example below
  • Many non-English web sites provide information about privacy in their native language; this is an interesting conundrum to solve in general – how a non-speaker can use the web site w/o an ability to understand the Privacy Policies? I provide some examples in French, Italian and Dutch (and of course, English)
  • Way too many advertising and marketing web sites, all united to promise you the best monetization ever; and yes, AI-based advertising is already here 🙂

I am wondering if the methodology I used was incorrect? Perhaps it would be faster to just query Google for all the web sites that refer to GDPR? I couldn’t come up with a good Google dork though. And searching still brings up many of such geo-locked web sites and includes them in ‘normal’ results. You only learn about GDPR stuff when you try to visit the actual page. Google cache is still available though in some cases. So… I guess this transitional stage will last for some time. If you have any idea on how to run research like this better, please let me know.

And finally some screenshots

diynetwork.com

goodrx.com

chicago tribune

Collect and gather

Everquote

Fubo.tv

Gannet

Orlando Sentinel

Pandora (not sure if it is GDPR related though)

Myspace

Ebates

European Union page itself

Atlas Obscura

At Hoc

Cosmopolitan

My recipes

piwikpro

Simpsons World

Le Monde

Meteo IT

NOS

And finally NSFW, all the screenshots related to porn.