Trojan Source attack is dangerous for compilers of most programming languages

Trojan Source Attack

Scientists at the University of Cambridge, Ross Anderson and Nicholas Boucher, have published information about the Trojan Source attack concept (CVE-2021-42574), which can be used to inject malicious code into legitimate applications through comment fields. The PoC exploit is already available on GitHub.

The attack is based on the use of bidirectional control characters in source code comments. Such characters, known as BiDi (“bidirectional”) characters, are Unicode control characters placed within a text string to signal a switch from LTR (left-to-right) to RTL (right-to-left) rendering and back.

In practice, these characters are meant only for the software that renders text and are invisible to humans: their sole purpose is to embed a run of text with a different reading direction (for example, a line of Arabic or Hebrew) inside a larger block of text.

The researchers found that most compilers and code editors have no mechanism for handling BiDi characters or for signalling their presence in source comments.

According to the experts, attackers can insert BiDi control characters, which people cannot see, into comments so that the displayed order of the text no longer matches the order the compiler reads: text that a reviewer sees as part of a comment is compiled as executable code, or code that appears live is actually swallowed by a comment. This exposes applications to attack and lets malicious changes slip past code review.


“We have verified that this attack works against C, C++, C#, JavaScript, Java, Rust, Go and Python, and we suspect that it will work against most modern languages,” the researchers write.

In addition to compilers, several code editors and hosting services, as listed in the table below, are also reported to be affected.

[Table image: code editors and hosting services affected by the Trojan Source attack]

In addition, according to the experts, source code compilers are vulnerable to another problem (CVE-2021-42694) involving homoglyphs. In such attacks, ordinary Latin letters are replaced with visually similar characters from other alphabets.

The researchers write that the second attack can be used to create two functions whose names look identical to the human eye but are distinct to the compiler. Anderson and Boucher claim that in this way, an attacker can covertly add malicious code to a project.
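As an added example (not the researchers' tooling or any compiler vendor's fix), the following Python scanner flags both indicators the article describes: BiDi control characters anywhere in a source file, and identifiers that mix scripts or contain non-ASCII letters, the way a homoglyph function name would. The sample source at the bottom, including its Cyrillic-for-Latin substitution, is constructed for the demonstration.

```python
import re
import unicodedata

# Unicode bidirectional control characters the attack relies on.
BIDI_CONTROLS = {
    "\u202a": "LRE", "\u202b": "RLE", "\u202c": "PDF", "\u202d": "LRO",
    "\u202e": "RLO", "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI",
    "\u2069": "PDI",
}
# Rough identifier: a letter or underscore followed by word characters.
IDENT_RE = re.compile(r"[^\W\d]\w*")

def find_bidi_controls(source):
    """Return (line, column, name) for every BiDi control character."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for col, ch in enumerate(line, 1):
            if ch in BIDI_CONTROLS:
                hits.append((lineno, col, BIDI_CONTROLS[ch]))
    return hits

def script_of(ch):
    """Coarse script name (LATIN, CYRILLIC, ...) from the Unicode name."""
    name = unicodedata.name(ch, "")
    return name.split(" ")[0] if name else "UNKNOWN"

def find_homoglyph_identifiers(source):
    """Return identifiers that mix scripts or contain non-ASCII letters."""
    suspicious = set()
    for ident in IDENT_RE.findall(source):
        scripts = {script_of(c) for c in ident if c.isalpha()}
        if len(scripts) > 1 or not ident.isascii():
            suspicious.add(ident)
    return sorted(suspicious)

def is_clean(source):
    """True when neither indicator is present; usable as a pre-commit gate."""
    return not (find_bidi_controls(source) or find_homoglyph_identifiers(source))

# Constructed sample: an RLO/LRI/PDI sequence hidden in a comment, plus a
# second function whose name uses Cyrillic U+0430 in place of Latin "a".
SAMPLE = (
    "def is_admin(user):\n"
    "    # check \u202e } \u2066if user == 'admin'\u2069\n"
    "    return user == 'root'\n\n"
    "def is_\u0430dmin(user):\n"
    "    return True\n"
)
```

Running `find_bidi_controls(SAMPLE)` reports the three controls on line 2 with their columns, and `find_homoglyph_identifiers(SAMPLE)` returns only the Cyrillic-containing name; `is_clean` wraps both for use in a commit hook.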


The researchers conclude that compilers and editors should detect bidirectional control characters and homoglyphs and make sure to flag them to users. So far, however, only the developers of the official Rust compiler have released an update.

Let me remind you that I also wrote that an expert hacked 70% of Wi-Fi networks in Tel Aviv for research.

By Vladimir Krasnogolovy

Vladimir is a technical specialist who loves giving qualified advice and tips on GridinSoft's products. He's available 24/7 to assist you with any question regarding internet security.
