Noroboto: Lying Fonts and Mitigation in Rust (tritium.legal)
21 points by piker 2 days ago
PufPufPuf 20 minutes ago
Wouldn't ligatures be a more effective attack vector for the "Maryland -> Delaware" case? That's all that ligatures do -- render a specific sequence of characters as something else.
stavros 10 minutes ago
Came here to say this, I saw the initial video and thought they used ligatures, and then I was surprised the actual post was much more complicated.
echoangle 44 minutes ago
At that point you can just paste a screenshot of your doc into word and celebrate.
Also, the mitigation can probably be fooled with ligatures since they are only verifying the letters alone as far as I skimmed.
I don’t even understand the threat model. Is my opponent in a court case going to use this on the PDF they give the court? Surely the judge will be pretty annoyed since you can’t even ctrl+f in the files then.
piker 42 minutes ago
That's true for the full obfuscation, but not for the replacement. For replacement there's really nothing like it. We just shared the full obfuscation as just a PoC.
[Edit: The point here is not to prove some massive "gotcha", but rather demonstrate that there are a whole class of vulnerabilities that these pipelines are subject to. There will be follow-up posts that pack much more punch.]
echoangle 40 minutes ago
Assuming you’re the author since you also posted it: I just stealth-edited my comment, could you maybe talk about the threat model a bit more? I am not a lawyer so I don’t really see when I would want to do this.
Also, I hope the „lame exploit“ I just edited out was not too offensive, it’s always great when people try to find attacks to make systems more safe.
piker 34 minutes ago
mproud 43 minutes ago
Someone could also just make a font file that swaps all of the characters around. So like an A looks like a Z, and a Z looks like an A.
piker 42 minutes ago
Covered in the post! It's the more aggressive approach for sure.