Tuesday 18 April 2017

Punycode phishing alert for Google Chrome / Firefox and the fix

What's Punycode? 

Internet host names may contain only ASCII characters, so an RFC introduced Punycode, which encodes Unicode characters using ASCII to work around that limitation and allow Unicode characters in domain names. Many people are not aware of this feature, but most modern web browsers already support it, so the decoded Unicode characters appear in the address bar! It's easy to imagine what can happen if this feature is used for bad purposes: phishing.

Test
Click this link: https://www.xn--e1awd7f.com/ (Don't worry, it's a good site that helps you test your browser.) If it takes you to a site that looks like 'https://www.epic.com', your browser is vulnerable to the attack. As you may have guessed, the characters that appear in the address bar are not ASCII but non-English Unicode characters that look similar to ASCII ones. The following screenshot is from my Chrome, which was not ready to detect the situation (vulnerable).


Fix/Workaround 
Firefox has a setting to disable decoding of Punycode characters. 
  1. Type about:config in address bar and press enter.
  2. Type Punycode in the search bar.
  3. The browser settings will show a parameter titled network.IDN_show_punycode; double-click it, or right-click and select Toggle, to change the value from false to true.
Google Chrome has no setting yet (as of 18 Apr 2017), but luckily there is an extension to help you: Punycode Alert (https://chrome.google.com/webstore/detail/punycode-alert/djghjigfghekidjibckjmhbhhjeomlda). With this extension, Chrome alerts you when you visit a Punycoded site like that. It's not perfect, as it doesn't block you from visiting phishing sites, but it's a million times safer than using nothing until Google releases a new Chrome version that deals with this. This is what appears when you visit the test site with the extension turned on.
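The same check can be made outside the browser. The following is an added example, not code from the Punycode Alert extension or from either browser: it decodes every xn-- label of a URL's host name and reports which scripts the decoded characters belong to. The function names are hypothetical, and reading the script from the first word of each Unicode character name is an approximation.

```python
import unicodedata
from urllib.parse import urlsplit

ACE_PREFIX = "xn--"  # prefix that marks a Punycode-encoded (IDN) label


def decode_label(label):
    """Return the Unicode form of one DNS label (unchanged if plain ASCII)."""
    if label.lower().startswith(ACE_PREFIX):
        return label[len(ACE_PREFIX):].encode("ascii").decode("punycode")
    return label


def scripts_in(text):
    """Approximate the scripts used in text (assumption: first word of the
    Unicode character name, e.g. CYRILLIC, LATIN, GREEK)."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0]
            for ch in text if ch.isalpha()}


def inspect_url(url):
    """Return (ascii_host, unicode_host, warnings) for the URL's host name."""
    host = urlsplit(url).hostname or ""
    decoded, warnings = [], []
    for label in host.split("."):
        try:
            uni = decode_label(label)
        except UnicodeError:
            # Keep the raw label so the caller still sees what was requested.
            warnings.append(f"{label}: malformed Punycode")
            decoded.append(label)
            continue
        decoded.append(uni)
        if uni != label:
            found = sorted(scripts_in(uni))
            kind = "mixed scripts" if len(found) > 1 else "single script"
            warnings.append(
                f"{label}: decodes to non-ASCII ({', '.join(found)}; {kind})")
    return host, ".".join(decoded), warnings


if __name__ == "__main__":
    # The test link from this post, next to the ASCII name it imitates.
    for url in ("https://www.xn--e1awd7f.com/", "https://www.epic.com/"):
        ascii_host, unicode_host, notes = inspect_url(url)
        print(ascii_host, "->", unicode_host, notes or "no IDN labels")
```

For the test link the decoded label is reported as a single script, so a check that only looks for mixed scripts inside one label would not flag it.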


Monday 10 April 2017

Fixing "Error C2059: syntax error : '('" in xlocale

Introduction

When you use std::string in a relatively large project, you may see the following error message that is hard to understand. 


The source code block that the compiler complains about looks like this:


The compiler didn't like the line 'global(const locale&);', which looks perfectly normal. The same code compiles with no error in a newly configured project, which makes it look even stranger.

Troubleshooting

The problem is simply caused by the 'global' keyword. Yeah, the project actually uses this keyword for another purpose. In my case, it is defined like this to indicate that the function is globally referenced:


Now it's very easy to understand - the 'global' in xlocale has been replaced by 'nothing' so that the line must have been transformed like this:

static _MRTIMP2_PURE locale __CLRCALL_PURE_OR_CDECL
       (const locale&);

As you can see here, the function definition in xlocale is now corrupted by the 'global' keyword that was already defined for another purpose.

Fix

You may want to remove the definition of 'global', which looks unnecessary, but unfortunately it was used in so many places in my case that I couldn't do this. But now that you understand the reason (there exists '#define global' somewhere before including <string>), there are at least three workarounds.

  1. Use '#undef global' before '#include <string>', or
  2. Remove '#include <string>' from your new header file and reference it in the cpp file, or
  3. Do '#include <string>' (or include the header file that does '#include <string>') before '#define global' (or before including the header file that does '#define global'), e.g.
    • (TestVictim.cpp) 
      #include <Windows.h>
      #include ....                          // (other system includes)
      #include "ImIncludingString.h"         // has #include <string>
      #include "ImDefiningGlobal.h"          // has #define global

#3 is probably the best way, as it has no effect on other source files.

