Sla.ckers.org
Where you should disclose your vulnerabilities. Go read RFPolicy if you want to do responsible disclosure, and go here for when all else fails. 
Direction reversal char
Posted by: tehryan
Date: October 12, 2007 01:33PM

I'm pretty sure this isn't the right forum for this, but I couldn't find one properly suited so I picked here.

There's a character I found on a foreign website that does some weird stuff and I'm pretty sure it could be used as an extremely effective bypass filter but I'm having all kinds of trouble figuring out how it can be used...

when you paste this character, everything after it is immediately reversed. (for this reason I'm not pasting the character till the end of this post)

that makes me think it might be possible to do something like this:

[pastecharhere]
<tpircs>
;(1)trela
<tpircs/>

and this actually works. I typed that code in notepad, and opened it in firefox/ie and it displays the way I want it to (forwards rather than backwards) but it doesn't execute as javascript. same with regular html.

Anyone have any ideas or know anything about this character?

&#8235;&#8236;&#8237;&#8238;&#8234;&#8235;&#8236;&#8237;&#8238;&#1161;

this is what I'm talking about. hopefully it doesn't mess up the forums ;(

Re: Direction reversal char
Posted by: tehryan
Date: October 12, 2007 01:37PM

hmm... looks like security slays this... look here:
http://www1.freewebs.com/ryancartner/weirdchar.htm

Paste that char somewhere and start typing.



Edited 1 time(s). Last edit at 10/12/2007 01:39PM by tehryan.

Re: Direction reversal char
Posted by: Gareth Heyes
Date: October 12, 2007 04:06PM

This is the right-to-left entity for Arabic and other languages. Although at first I thought there might be scope for using it in an exploit, it appears that the browser only reverses the text on display and not when it is processing script.

The actual character is only
&#8238;
(1)trela=daolno emarfi>

I tried that code in FF, Opera and Safari, anyone want to try it in IE?

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]



Edited 1 time(s). Last edit at 10/12/2007 04:19PM by Gareth Heyes.

Re: Direction reversal char
Posted by: tehryan
Date: October 13, 2007 12:18PM

Gareth: you're right. As far as I can tell from further playing around, it's only affecting display. I bet there are some interesting social engineering vectors still tho... for instance get your hands on this domain:
moc.lapyap.us(or other tld)
the browser would display
su.paypal.com

Re: Direction reversal char
Posted by: thornmaker
Date: October 13, 2007 12:52PM

what do you make of this: http://www.lapyap.com ?

Re: Direction reversal char
Posted by: Spyware
Date: October 15, 2007 11:54AM

thornmaker Wrote:
-------------------------------------------------------
> what do you make of this: http://www.lapyap.com ?

A lame joke. It's an image for Rods sake.

Re: Direction reversal char
Posted by: Anonymous User
Date: October 19, 2007 07:35PM

If I don't get it completely wrong at the moment (2am *g*) it IS able to get it executed:

http://php-ids.org/files/xss.html

-> copy with select-all from source view and try it on the php-ids demo *blush* - gotta work on that tomorrow ;)

Re: Direction reversal char
Posted by: thornmaker
Date: October 19, 2007 08:18PM

.mario: it works for me too. that's awesome!

Re: Direction reversal char
Posted by: Gareth Heyes
Date: October 20, 2007 06:03AM

@Mario

Tried it on FF and it didn't execute :(

Which browser did you try it on?

Re: Direction reversal char
Posted by: Gareth Heyes
Date: October 20, 2007 06:06AM

Just tried it again....
Whaaaooooo amazing!

It works!!!! Cool

Re: Direction reversal char
Posted by: Anonymous User
Date: October 20, 2007 07:27AM

Yeah but you'll have to copy/paste it, but then it reverses back to the proper direction.

dir="ltr"
dir="rtl"

Re: Direction reversal char
Date: October 26, 2007 01:38AM

I was unable to get it to execute any statements, but it's still a cool trick.


Awesome AnDrEw - That's The Sound Of Your Brain Crackin'
http://www.awesomeandrew.net/

Re: Direction reversal char
Posted by: Reiners
Date: October 26, 2007 05:47AM

I read about this some time ago, just for those of you who are interested:
http://neworder.box.sk/forum.php?did=multSecurity%20and%20Networking&thread=261094
http://seclists.org/fulldisclosure/2007/Aug/0455.html
seems like you can have a lot of fun with this character ;)

Re: Direction reversal char
Posted by: Anonymous User
Date: October 26, 2007 12:26PM

It's more than one character btw - it's eight all together:

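var i = 0;
var j = String.fromCharCode;
// Put each BMP code point inside the identifier "console"; the call only runs where the engine ignores that character
while (i < 65536) {
  try { eval('con' + j(i) + 'sole.log("Found: ' + i + ' ' + j(i) + '")'); } catch (e) {}
  i++;
}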

Here's how to detect them:

if (preg_match('/(?:%E2%80%(?:A|8)\w|%EF%BB%BF)/i', urlencode($value))) {
  echo 'eeeew!';
}

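An added example, not code from any poster in this thread: the detection idea above done on code points in JavaScript instead of on URL-encoded bytes, with a strip step that shows why the reversed markup never parsed as a tag. The character table (which also lists the isolate controls U+2066 to U+2069 that Unicode added after this thread), the function names and the sample strings are constructed for illustration.

```javascript
// Added example; names and sample strings are constructed, not from the thread.
const FORMAT_CONTROLS = new Map([
  [0x061C, 'ARABIC LETTER MARK'],
  [0x200B, 'ZERO WIDTH SPACE'],
  [0x200C, 'ZERO WIDTH NON-JOINER'],
  [0x200D, 'ZERO WIDTH JOINER'],
  [0x200E, 'LEFT-TO-RIGHT MARK'],
  [0x200F, 'RIGHT-TO-LEFT MARK'],
  [0x202A, 'LEFT-TO-RIGHT EMBEDDING'],
  [0x202B, 'RIGHT-TO-LEFT EMBEDDING'],
  [0x202C, 'POP DIRECTIONAL FORMATTING'],
  [0x202D, 'LEFT-TO-RIGHT OVERRIDE'],
  [0x202E, 'RIGHT-TO-LEFT OVERRIDE'],
  [0x2066, 'LEFT-TO-RIGHT ISOLATE'],
  [0x2067, 'RIGHT-TO-LEFT ISOLATE'],
  [0x2068, 'FIRST STRONG ISOLATE'],
  [0x2069, 'POP DIRECTIONAL ISOLATE'],
  [0xFEFF, 'ZERO WIDTH NO-BREAK SPACE'],
]);

// Report every format control with its UTF-16 offset so it can be logged.
function findFormatControls(value) {
  const hits = [];
  for (let i = 0; i < value.length; i++) {
    const cp = value.charCodeAt(i); // all listed controls are in the BMP
    if (FORMAT_CONTROLS.has(cp)) {
      const hex = cp.toString(16).toUpperCase().padStart(4, '0');
      hits.push({ index: i, codePoint: 'U+' + hex, name: FORMAT_CONTROLS.get(cp) });
    }
  }
  return hits;
}

// Remove the controls. The remaining text stays in logical (stored) order,
// which is the order parsers and filters see; only the rendering was reversed.
function stripFormatControls(value) {
  let out = '';
  for (const ch of value) {
    if (!FORMAT_CONTROLS.has(ch.codePointAt(0))) out += ch;
  }
  return out;
}

// Constructed inputs modelled on the thread's two cases.
const SAMPLE_TAG = '\u202E<tpircs>';
const SAMPLE_HOST = '\u202Emoc.lapyap.us';

console.log(findFormatControls(SAMPLE_HOST));
console.log(JSON.stringify(stripFormatControls(SAMPLE_TAG)));
```

For values that are shown to users as identifiers (hostnames, file names, user names), rejecting on any hit is the safer choice than stripping, since the stripped text is still the reversed string.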
Re: Direction reversal char
Posted by: Anonymous User
Date: October 26, 2007 08:19PM

hehe

Re: Direction reversal char
Posted by: Gareth Heyes
Date: November 21, 2007 09:35AM

I dunno if it has been mentioned before but I found this tag interesting:-

<bdo dir="rtl">Hello</bdo>
