双向覆盖攻击
利用Unicode双向覆盖字符(U+202A–U+202E、U+2066–U+2069)伪装恶意文件名或代码的攻击,'readmefdp.exe'显示为'readmeexe.pdf'。
What is a Bidi Override?
A bidi override is a Unicode text manipulation technique that uses bidirectional (bidi) control characters to reverse or scramble the display order of characters on screen, making text appear different from what it actually contains. Because many writing systems — Arabic, Hebrew, Persian, Urdu, and others — are written right-to-left (RTL), Unicode includes a bidirectional algorithm (Unicode Standard Annex #9) and a set of invisible control characters to control text direction. Attackers exploit these characters to disguise the true content of filenames, URLs, source code, and messages.
The Bidirectional Algorithm
Unicode's Bidirectional Algorithm (UBA) determines the display order of characters in mixed-direction text. It works automatically for most text — Arabic runs right-to-left, Latin runs left-to-right, and they are visually arranged correctly. The bidi control characters allow authors to override or modify this automatic behavior.
The most dangerous characters for security purposes are:
| Character | Code Point | Name | Effect |
|---|---|---|---|
| RLO | U+202E | RIGHT-TO-LEFT OVERRIDE | Forces all following characters to display RTL |
| LRO | U+202D | LEFT-TO-RIGHT OVERRIDE | Forces all following characters to display LTR |
| RLE | U+202B | RIGHT-TO-LEFT EMBEDDING | Creates RTL embedding level |
| LRE | U+202A | LEFT-TO-RIGHT EMBEDDING | Creates LTR embedding level |
| U+202C | POP DIRECTIONAL FORMATTING | Ends the most recent override or embedding | |
| RLI | U+2067 | RIGHT-TO-LEFT ISOLATE | Isolates RTL section |
| LRI | U+2066 | LEFT-TO-RIGHT ISOLATE | Isolates LTR section |
Attack Scenarios
Filename spoofing (the classic attack) A malicious executable can be named to appear as a harmless document. For example, the actual filename might be stored as:
evil[RLO]fdp.exe
When rendered, the RLO character causes everything after it to display right-to-left. The screen shows: evil.pdf — the .exe extension is hidden and the fdp becomes pdf in the reversed display. Users believe they are opening a PDF file.
This attack was actively used in malware distribution, particularly in USB-spread worms and email attachments, and was exploited in targeted attacks against energy companies and government systems around 2011–2012.
Source code backdoors (CVE-2021-42574, "Trojan Source")
Described by researchers Nicholas Boucher and Ross Anderson at Cambridge in 2021, the Trojan Source attack embeds bidi override characters inside code comments or string literals. The source code renders differently in a text editor (which respects bidi) than it is actually interpreted by the compiler (which ignores bidi control characters in code). An attacker can make a security check appear to be inside an if block when it is actually outside, or hide an entire malicious code path inside what appears to be a comment.
URL obfuscation Bidi overrides in URLs displayed in browser status bars or email clients can make a malicious domain appear to be a legitimate one.
Mitigations
- Compilers and interpreters: After CVE-2021-42574, GCC, Clang, Rust, Go, Python, and others added warnings or errors for bidi override characters in source code
- Code editors: VS Code, Vim, and others added visual indicators for bidi control characters
- File managers: Modern operating systems show warnings for filenames containing bidi overrides
- Email clients: Display raw filenames or strip bidi characters from attachment names
Quick Facts
| Property | Value |
|---|---|
| Primary control character | U+202E RIGHT-TO-LEFT OVERRIDE (RLO) |
| Governing algorithm | Unicode Standard Annex #9 (UAX#9) |
| Notable CVE | CVE-2021-42574 (Trojan Source) |
| Trojan Source researchers | Boucher & Anderson, Cambridge, 2021 |
| Affected surfaces | Filenames, source code, URLs, messages |
| Compiler responses | GCC, Clang, Rust, Go, Python all patched in 2021 |
| Legitimate use | Displaying Arabic/Hebrew mixed with Latin text |
相关术语
安全 中的更多内容
Exploiting Unicode bidirectional control characters to disguise malicious code or filenames. The …
在域名中使用视觉上相似的Unicode字符来冒充合法网站的攻击,аpple.com(西里尔а)看起来像apple.com,浏览器通过Punycode显示规则加以防范。
Exploiting Unicode normalization to bypass security filters. Input validated before normalization may …
利用Unicode功能欺骗用户:同形字用于假冒域名,双向覆盖用于伪造文件扩展名,不可见字符用于隐藏文本。
来自不同文字系统但外观相同或非常相似的字符,如拉丁'a'与西里尔'а',用于网络钓鱼、欺骗和社会工程学攻击。
Unicode对视觉上可能混淆的字符对的官方术语,定义于confusables.txt(UCD),比同形字范围更广,包含仅仅相似而非完全相同的字符。
识别混合不同文字系统字符的文本(如拉丁文+西里尔文),是防御同形字攻击的主要手段,浏览器据此触发Punycode显示。
U+200D,请求相邻字符连接,是表情符号序列的关键(👩+ZWJ+💻=👩💻),在印度文字中请求形成连字,也可用于隐藏文本边界。
U+200C,阻止相邻字符连接,在波斯语/阿拉伯语中对正确字母形式是必需的,也用于梵文中阻止连字。