CVSS3: 7.5 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: HIGH
Availability Impact: NONE
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CVSS2: 5 Medium
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE
Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N

EPSS: 0.005 Low
Percentile: 74.7%
Researchers looking into browser front-end security issues in Chrome, Safari, Firefox and other browsers found a security vulnerability. This article describes a domain spoofing problem in Apple products caused by a character that is rendered like the letter d.
U+A771
The researchers found that on Apple products the Latin small letter dum (U+A771) and the Latin small letter d (U+0064) look almost identical. In the standard Unicode glyph, the dum is a d followed by a small apostrophe-like mark, but the Apple glyph omits this mark.
![](/Article/UploadPic/2018-11/2018112320815689.png)
![](/Article/UploadPic/2018-11/2018112320815638.png)
Registering icloud.com
The researchers then registered a real domain for IDN spoofing. Verisign's IDN registration rules do not allow mixing Unicode scripts: if an IDN contains 2 or more Unicode scripts, the registration is rejected. Because U+A771 belongs to the Latin script, the name complies with the registration rules, and the researchers successfully registered the domain.
![](/Article/UploadPic/2018-11/2018112320816784.png)
Next, the researchers obtained an SSL certificate for the domain to make the IDN spoof look more convincing. They found that Chrome, Firefox and Edge display the domain name in Punycode, but Safari does not.
![](/Article/UploadPic/2018-11/2018112320816744.png)
![](/Article/UploadPic/2018-11/2018112320816745.png)
Note: Punycode is an encoding defined in RFC 3492. It is mainly used to convert domain names written in local languages from Unicode into an encoding that the DNS system can use. Punycode can prevent so-called IDN spoofing.
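A defender-side check for the behaviour described above, as an added example that is not part of the original article. The confusable table, the watch list, the function names and the use of the Unicode name prefix as a stand-in for a script check are all assumptions made for illustration.

```python
import unicodedata

# Constructed table: only the pair this article describes (U+A771 drawn like "d").
# A production check would load a full confusables data set instead.
CONFUSABLES = {"\ua771": "d"}

# Constructed watch list, using domains named in the article.
PROTECTED = {"icloud.com", "linkedin.com", "dropbox.com", "reddit.com"}


def display_form(host):
    """Show every non-ASCII label as xn-- Punycode (RFC 3492), as Chrome/Firefox/Edge did."""
    labels = []
    for label in host.lower().split("."):
        if label.isascii():
            labels.append(label)
        else:
            labels.append("xn--" + label.encode("punycode").decode("ascii"))
    return ".".join(labels)


def looks_latin_only(host):
    """Approximate a single-script rule: every letter's Unicode name starts with LATIN."""
    return all(unicodedata.name(ch, "").startswith("LATIN")
               for ch in host if ch.isalpha())


def spoofed_target(host):
    """Return the protected domain this host imitates, or None if it imitates none."""
    host = host.lower()
    skeleton = "".join(CONFUSABLES.get(ch, ch) for ch in host)
    if skeleton != host and skeleton in PROTECTED:
        return skeleton
    return None


if __name__ == "__main__":
    # Constructed sample hosts: one spoof, one genuine, one with two substitutions.
    for h in ["iclou\ua771.com", "icloud.com", "re\ua771\ua771it.com"]:
        print(repr(h), display_form(h), looks_latin_only(h), spoofed_target(h))
```

The spoofed host passes the Latin-only test, which is why a mixed-script rule alone does not reject it, while the Punycode display form and the skeleton comparison both expose it.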
Test results
The researchers' tests showed that the whole spoofing process is fully viable, so an attacker can spoof any domain that contains the letter d. Of the Google Top 10K domains, about 25% contain the letter d and can be successfully spoofed, including:
• linkedin.com
• baidu.com
• jd.com
• adobe.com
• wordpress.com
• dropbox.com
• godaddy.com
• reddit.com
• …
POC video
http://iclouꝱ.com/CVE-2018-4277.mov
The Apple Patch
![](/Article/UploadPic/2018-11/2018112320817399.png)