(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
[This is a guest diary contributed by Remco Verhoef. If you would like to contribute a guest post, please let us know via our contact page]

Currently there is a campaign going on where phishing attacks use domains that look exactly like safe domains by using Punycode domains. (https://www.wordfence.com/blog/2017/04/chrome-firefox-unicode-phishing/)

This is called a homograph attack. Punycode domains start with the xn-- prefix, and browsers show the decoded Unicode domain name in the address bar, where the Unicode characters used (the homographs) appear like the original characters.

I wrote a program to look for similar characters within a font, comparing exact matches of glyphs, and used it to output the table below. It shows the (ASCII) character with its homograph(s). Each font could have different homographs. For phishing campaigns not only homograph domains could be used, but also glyphs with small changes. Besides the program to build the table, I

When using for example the URL (courtesy of Xudong Zheng) https://www.xn--80ak6aa92e.com/, you

It is possible to request SSL certificates (using e.g. Let's Encrypt) for Punycode domain names, making this attack even more dangerous: the address bar will appear secure and contain the safe domain name, so it is impossible to recognize the difference.

We've found the following safe domain alternatives. These are probably the tip of the iceberg. These domains are exact counterparts of the safe domains. Some companies register many of the homograph domains themselves, Google for example, but it seems they forgot a few.

Punycode domain      | Unicode domain | Safe domain   | Registrar safe domain       | Registrar homograph domain
---------------------|----------------|---------------|-----------------------------|-------------------------------------------
xn--q1a6b.com        | ci.com         | ci.com        | CI Investments Inc.         | Privacy Protection
xn--goole-tmc.com    | google.com     | google.com    | Google                      | Proxy Protection LLC
xn--ooie-z7bc.com    | googie.com     | google.com    | Google                      | WHOISGUARD PROTECTED
xn--instaram-3sd.com | instagram.com  | instagram.com | Instagram, LLC              | WHOISGUARD PROTECTED
xn--teleram-cfd.com  | telegram.com   | telegram.com  | Gatehouse Media, LLC        | Shield Digital Security Group
xn--hatsapp-h41c.com | whatsapp.com   | whatsapp.com  | Whatsapp Inc.               | Rafael Fernández López (private)
xn--yutube-i15b.com  | youtube.com    | youtube.com   | MARKMONITOR INC.            | Anna Potepa (private)
xn--80ak6aa92e.com   | apple.com      | apple.com     | CSC CORPORATE DOMAINS, INC. | Contact Privacy Inc. Customer 1241053230

xn--80ak6aa92e.com is the domain of Xudong Zheng.


Firefox, Chrome, and Opera are vulnerable to the homograph attack; the latest Chrome will contain a fix for this issue. Within Firefox, Punycode support can be disabled by navigating to about:config and disabling network.IDN_show_punycode.
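As an added example (not the author's glyph-comparison program), the following Python script does the decoding the browser does and then checks the result against a list of safe domains from the table above: it decodes each xn-- label, reports whether the name mixes scripts, and folds confusable Cyrillic letters onto their Latin look-alikes to see whether the result collides with a safe domain. The Cyrillic-to-Latin map is a hand-picked subset and an assumption of this example, not the Unicode confusables table.

```python
import unicodedata

# Hand-picked subset of Cyrillic letters that render like Latin ones in most
# fonts (assumption for this example; the Unicode confusables table is larger).
CONFUSABLES = {
    "\u0430": "a", "\u0441": "c", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0445": "x", "\u0443": "y", "\u0456": "i", "\u0458": "j", "\u04cf": "l",
    "\u04bb": "h", "\u0501": "d", "\u051b": "q", "\u0455": "s", "\u051d": "w",
}

def decode_idn(domain: str) -> str:
    """Replace every xn-- label with the Unicode form the browser would display."""
    labels = []
    for label in domain.lower().split("."):
        if label.startswith("xn--"):
            label = label[4:].encode("ascii").decode("punycode")
        labels.append(label)
    return ".".join(labels)

def scripts_used(domain: str) -> set:
    """Scripts of all letters, taken from the first word of each Unicode name."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in domain if ch.isalpha()}

def skeleton(domain: str) -> str:
    """Fold confusable letters onto the Latin letter they imitate."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in domain)

def check(domain: str, safe_domains: set) -> dict:
    """Report what the domain decodes to and which safe domain it imitates, if any."""
    decoded = decode_idn(domain)
    folded = skeleton(decoded)
    return {
        "decoded": decoded,
        "mixed_script": len(scripts_used(decoded)) > 1,
        "imitates": folded if folded != decoded and folded in safe_domains else None,
    }

if __name__ == "__main__":
    # Constructed sample: the Punycode and safe domains listed in the table above.
    safe = {"ci.com", "google.com", "instagram.com", "telegram.com",
            "whatsapp.com", "youtube.com", "apple.com"}
    for d in ["xn--q1a6b.com", "xn--goole-tmc.com", "xn--ooie-z7bc.com",
              "xn--instaram-3sd.com", "xn--teleram-cfd.com", "xn--hatsapp-h41c.com",
              "xn--yutube-i15b.com", "xn--80ak6aa92e.com", "apple.com"]:
        print(d, check(d, safe))
```

Labels using look-alikes outside the small map above decode but are not reported as imitations, so a production check should use the full Unicode confusables data.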

Resources:

https://www.wordfence.com/blog/2017/04/chrome-firefox-unicode-phishing/

https://en.wikipedia.org/wiki/IDN_homograph_attack

https://www.punycoder.com/

https://unicode-table.com/en/

https://www.xudongz.com/blog/2017/idn-phishing/

https://isc.sans.edu/forums/diary/This+Article+is+Brought+to+You+By+the+Letter+12494/20319
