Blockchain Security

BscScan does not warn about bidirectional Unicode text in verified source (vulnerability report)

On 13 January 2022 I found the issue described below and reported it to the BscScan team. BscScan has since fixed it, so I am disclosing the original report here.

The issue now has a corresponding SWC entry: https://smartcontractsecurity.github.io/SWC-registry/docs/SWC-130. Because I reported it to the project team rather than to the SWC registry, I did not open a PR there myself; that PR was submitted by someone else.


Original report:

Background: dangerous bidirectional Unicode text

Reference: https://trojansource.codes/

With carefully constructed bidirectional Unicode text, this source line:

/* begin admins only */ if (isAdmin){

is displayed with its order changed to:

/* if(isAdmin){begin admins only */

so the guard condition is bypassed and a risk is introduced.

This kind of "traditional security" vulnerability can also make its way into blockchain code.

Exploit background 1: does solc compile source containing bidirectional Unicode text?

Yes, it does.

This code compiles and runs normally in Remix:

Exploit background 2: do local editors display bidirectional Unicode text?

Some editors do.

Others do not.

I tested two editors commonly used for writing .sol files.

VSCode does display it:

Atom does not display it:

Exploit background 3: do block explorers warn about bidirectional Unicode text?

Etherscan does:

For example: https://ropsten.etherscan.io/address/0x662387929868eD7E1F1d6818497B78A62774BEa7#code

BscScan gives no warning at all:

See: https://testnet.bscscan.com/address/0x669BF217C82b1539734ca4ee25dce76063E383A2#code

And BscScan does not strip the bidirectional Unicode text either; copying the source and pasting it into VSCode shows:

Exploitation idea:

Because of how the compiler handles it, bidirectional Unicode text placed inside a string literal fails to compile, but inside a comment it is preserved verbatim.
Publish a carefully constructed malicious contract on BscScan. A human reviewer may copy the code from the block explorer; if they paste it into an editor that does not display bidirectional Unicode text and review it there, the problem cannot be seen with the naked eye and the contract is misjudged as safe. But when the code is compiled, executed and deployed on chain, the carefully constructed malicious code has already carried out the attack...

Worth noting:

With the current popularity of the ENS project, some of the problems of Unicode character display have been explained to web3 users, in particular in the head-to-head debate between two articles in the Mirror community:

"Stop registering ENS domains, because they are worthless"

"A detailed response to DAS's slander of ENS, and the many problems with DAS itself"

web3 users have begun to notice and understand the series of problems that Unicode characters bring, and this gives attackers inspiration too.

So I believe this is a vulnerability worth attention, and it needs to be fixed as soon as possible.


English Version:

Background: dangerous bidirectional Unicode text

Please see: https://trojansource.codes/

With carefully constructed bidirectional Unicode text, this source line:

/* begin admins only */ if (isAdmin){

is displayed with its order changed to:

/* if(isAdmin){begin admins only */

As a result, restrictions are bypassed and dangers are introduced.

And this “traditional security” vulnerability may also be introduced into the blockchain.

Exploit Background 1: Does solc compile source containing bidirectional Unicode text?

Yes, it does.

This code compiles and runs successfully in Remix:

Exploit Background 2: Do local editors display bidirectional Unicode text?

Some editors do.

Others do not.

Two editors commonly used when writing .sol files were tested.

VSCode displays it:

Atom does not display it:

Exploit Background 3: Do block explorers warn about bidirectional Unicode text?

Etherscan does:

For example: https://ropsten.etherscan.io/address/0x662387929868eD7E1F1d6818497B78A62774BEa7#code

BscScan is completely silent:

For example: https://testnet.bscscan.com/address/0x669BF217C82b1539734ca4ee25dce76063E383A2#code

And BscScan does not filter out the bidirectional Unicode text either; copying the source and pasting it into VSCode shows:

Exploit Chain:

  1. Publish and verify a carefully constructed malicious contract on BscScan.
  2. Human auditors may copy the code from the block explorer. If it is pasted into an editor that does not display bidirectional Unicode text for manual review, the problem cannot be seen with the naked eye, and the malicious contract is misjudged as harmless.
  3. However, when the code is compiled, executed and deployed on chain, the carefully constructed malicious code has already carried out the attack...
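
The check that closes the gap in the chain above is simple: flag every Unicode bidirectional control character in the verified source before anyone reviews it. The following Python is an added example written for this page; it is not code from BscScan, Etherscan or the original report. It scans Solidity source for Bidi_Control characters, reports whether each one sits in a comment, a string literal or code (the report notes that solc rejects bidi text in plain string literals but keeps it in comments), and renders the source with the controls shown as visible escapes. The sample contract is constructed for the example and is not meant to compile.

```python
# Added example: detect Unicode bidirectional control characters ("Trojan Source")
# in Solidity source. Not BscScan's, Etherscan's or the original report's code.
from dataclasses import dataclass
from typing import List

# Unicode Bidi_Control characters: the embeddings, overrides and isolates that
# Trojan Source abuses, plus the LRM/RLM/ALM marks.
BIDI_CONTROLS = {
    "\u202A": "LRE", "\u202B": "RLE", "\u202C": "PDF", "\u202D": "LRO", "\u202E": "RLO",
    "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI", "\u2069": "PDI",
    "\u200E": "LRM", "\u200F": "RLM", "\u061C": "ALM",
}

# Lexer states and the context label reported for each.
CONTEXT = {"code": "code", "line_comment": "comment",
           "block_comment": "comment", "string": "string"}


@dataclass(frozen=True)
class BidiHit:
    line: int        # 1-based line number
    column: int      # 1-based column, counted in code points
    name: str        # abbreviation from BIDI_CONTROLS
    codepoint: int   # the character's code point
    context: str     # "code", "comment" or "string"


def find_bidi_controls(source: str) -> List[BidiHit]:
    """Return every bidi control character in the source with its lexical context.

    A small state machine tracks // and /* */ comments and quoted strings, so
    the report says where the character hides. Every character is checked,
    including those inside comments, which is exactly where an explorer's
    display and a plain-text editor can disagree.
    """
    hits: List[BidiHit] = []
    state, quote, escaped = "code", "", False
    line, col = 1, 0
    i, n = 0, len(source)
    while i < n:
        ch = source[i]
        nxt = source[i + 1] if i + 1 < n else ""
        if ch == "\n":
            line, col = line + 1, 0
            if state == "line_comment":
                state = "code"
            i += 1
            continue
        col += 1
        if ch in BIDI_CONTROLS:
            hits.append(BidiHit(line, col, BIDI_CONTROLS[ch], ord(ch), CONTEXT[state]))
        if state == "code":
            if ch == "/" and nxt in ("/", "*"):
                state = "line_comment" if nxt == "/" else "block_comment"
                i, col = i + 2, col + 1   # consume the two-character opener
                continue
            if ch in ("\"", "'"):
                state, quote, escaped = "string", ch, False
        elif state == "block_comment":
            if ch == "*" and nxt == "/":
                state = "code"
                i, col = i + 2, col + 1   # consume the two-character closer
                continue
        elif state == "string":
            if escaped:
                escaped = False
            elif ch == "\\":
                escaped = True
            elif ch == quote:
                state = "code"
        i += 1
    return hits


def escape_bidi(source: str) -> str:
    """Render each bidi control as a visible \\uXXXX escape, the kind of display
    an explorer or reviewer tool can use instead of showing the raw text."""
    return "".join(f"\\u{ord(c):04X}" if c in BIDI_CONTROLS else c for c in source)


# Constructed sample (not from the post, not meant to compile): an isolate opened
# inside a block comment and closed in code, so the two hits get different contexts.
SAMPLE = (
    "pragma solidity ^0.8.0;\n"
    "contract Vault {\n"
    "    function withdraw() public {\n"
    "        /* begin admins only \u2067*/ if (isAdmin) {\u2069\n"
    "    }\n"
    "}\n"
)

if __name__ == "__main__":
    for h in find_bidi_controls(SAMPLE):
        print(f"line {h.line} col {h.column}: {h.name} (U+{h.codepoint:04X}) in {h.context}")
    print(escape_bidi(SAMPLE))
```

Run on the sample it reports an RLI inside the comment and a PDI in code on line 4; a verified-source viewer would refuse or at least flag the upload, and a reviewer who pastes the escaped rendering into any editor sees the controls regardless of how that editor handles bidirectional text.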

Something to watch out for:

At present, with the popularity of the ENS project, some of the problems caused by Unicode character display have been explained to web3 users, especially in the tit-for-tat debate between two articles in the Mirror community:

web3 users have begun to notice and understand the set of problems posed by Unicode characters, which also inspires attackers.

So I think this is a vulnerability of concern, and it needs to be fixed as soon as possible.