Scientists at the University of Cambridge, Ross Anderson and Nicholas Boucher, have published details of the Trojan Source attack concept (CVE-2021-42574), which can be used to inject malicious code into legitimate applications through source-code comments and string literals. A PoC exploit is already available on GitHub.
The attack is based on the use of bidirectional control characters in source code comments. Such characters, known as BiDi (“bidirectional”), are Unicode control characters that are used within a text string to signal the transition from LTR (left to right) to RTL (right to left) mode and vice versa.
In practice, these characters are meant to be interpreted by text-rendering software rather than read by people: they produce no visible glyph of their own and only tell the renderer in which direction to lay out the text that follows, which is how a line of Arabic or Hebrew is embedded in an otherwise left-to-right block of text.
The researchers found that most compilers and code editors have no mechanism for detecting BiDi control characters or warning about their presence in source comments and strings.
According to the researchers, an attacker can place BiDi control characters inside comments or string literals, where a reader cannot see them. The compiler processes the file in its logical (byte) order, while an editor displays it in the reordered visual order, so text that appears to be part of a comment can in fact lie outside it and be compiled as code, and real code can be displayed as though it were commented out. Logic that a human reviewer never sees is thereby compiled into the application, bypassing security checks.
In addition to compilers, several code editors and hosting services, as listed in the table below, are also reported to be affected.
In addition, according to the researchers, source code compilers are vulnerable to another problem (CVE-2021-42694) related to homoglyphs. In such an attack, ordinary Latin letters are replaced with visually similar characters from other scripts, such as Cyrillic.
The researchers write that this second attack can be used to create two functions whose names look identical to the human eye but are different identifiers to the compiler. Anderson and Boucher claim that in this way an attacker can covertly add malicious code to a project.
The researchers conclude that compilers and editors should detect bidirectional control characters and homoglyphs and make them visible to people. At the time of writing, however, only the developers of the official Rust compiler have shipped a fix.
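To make both mechanisms concrete, the following is an added Python example, not code from the researchers' PoC repository or from any compiler vendor. It embeds a constructed source file that uses the "commenting-out" BiDi trick in a string literal and a Cyrillic-letter homoglyph in a function name, executes it the way the interpreter sees it, and then runs the kind of scan the researchers recommend editors and compilers perform: one pass flags every BiDi control character, another flags identifiers that use non-Latin letters or collide with another identifier once look-alike characters are folded. The sample source, the function names and the small confusable table are assumptions made for illustration; a real scanner would load the full Unicode confusables data.

```python
"""Detect Trojan Source tricks (CVE-2021-42574 BiDi controls, CVE-2021-42694 homoglyphs)
in Python source. Added example: the sample source, the confusable table and the function
names below are constructed for illustration, not taken from the researchers' PoC."""
import io
import tokenize
import unicodedata

# The Unicode bidirectional control characters abused by Trojan Source.
BIDI_CONTROLS = {
    "\u202a": "LRE", "\u202b": "RLE", "\u202c": "PDF", "\u202d": "LRO", "\u202e": "RLO",
    "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI", "\u2069": "PDI",
}

# Hand-picked subset of Cyrillic letters that render like Latin ones
# (assumption: a production scanner would load the full Unicode confusables data, UTS #39).
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i",
}

# Constructed sample. An editor renders line 3 roughly as
#     if access_level != "user": # Check if admin
# but the interpreter sees the whole BiDi-laden literal, so "user" never equals it and the
# "admin" branch runs for an ordinary user. Line 7 defines sayHell\u043e with a Cyrillic o,
# which is a different identifier from the sayHello defined on line 5.
SAMPLE = (
    'access_level = "user"\n'
    'is_admin = False\n'
    'if access_level != "user\u202e \u2066# Check if admin\u2069 \u2066":\n'
    '    is_admin = True\n'
    'def sayHello():\n'
    '    return "legit"\n'
    'def sayHell\u043e():\n'
    '    return "trojan"\n'
    'result = sayHell\u043e()\n'
)


def run_sample():
    """Execute the sample the way the interpreter sees it (logical order, not display order)."""
    ns = {}
    exec(SAMPLE, ns)  # trusted, constructed input only
    return ns["is_admin"], ns["result"]


def find_bidi_controls(source):
    """Return (line, column, name) for every BiDi control character in the source.
    Splits on '\\n' only, so Unicode line/paragraph separators cannot shift the numbering."""
    hits = []
    for lineno, line in enumerate(source.split("\n"), 1):
        for col, ch in enumerate(line):
            if ch in BIDI_CONTROLS:
                hits.append((lineno, col, BIDI_CONTROLS[ch]))
    return hits


def scripts_of(identifier):
    """Crude script classification: the first word of each letter's Unicode character name."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in identifier if ch.isalpha()}


def find_homoglyph_identifiers(source):
    """Flag identifiers containing non-Latin letters, and groups of identifiers that become
    identical once confusable characters are folded to their Latin look-alikes."""
    flagged = []
    by_skeleton = {}
    for tok in tokenize.generate_tokens(io.StringIO(source).readline):
        if tok.type != tokenize.NAME:
            continue
        scripts = scripts_of(tok.string)
        if scripts - {"LATIN"}:
            flagged.append((tok.start[0], tok.string, sorted(scripts)))
        skeleton = "".join(CONFUSABLES.get(ch, ch) for ch in tok.string)
        by_skeleton.setdefault(skeleton, set()).add(tok.string)
    collisions = {k: sorted(v) for k, v in by_skeleton.items() if len(v) > 1}
    return flagged, collisions


if __name__ == "__main__":
    print("interpreter result (is_admin, result):", run_sample())
    for lineno, col, name in find_bidi_controls(SAMPLE):
        print(f"line {lineno} col {col}: BiDi control {name}")
    flagged, collisions = find_homoglyph_identifiers(SAMPLE)
    for lineno, ident, scripts in flagged:
        print(f"line {lineno}: identifier {ident!r} uses scripts {scripts}")
    for skeleton, names in collisions.items():
        print(f"look-alike identifiers for {skeleton!r}: {names}")
```

Running the file shows the gap between what a reviewer sees and what the interpreter executes: the user is granted admin and the Cyrillic-named function is the one called. The BiDi scan is the cheap, high-confidence check, since these control characters have essentially no legitimate use outside string literals that are meant to carry right-to-left text; the homoglyph scan is heuristic, which is why it reports both the script mix and the collision group so a reviewer can judge each hit.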
Let me remind you that I also wrote that an expert hacked 70% of Wi-Fi networks in Tel Aviv for research.