ShaunR Posted December 31, 2021

CVE-2021-42694

> An issue was discovered in the character definitions of the Unicode Specification through 14.0. The specification allows an adversary to produce source code identifiers such as function names using homoglyphs that render visually identical to a target identifier. Adversaries can leverage this to inject code via adversarial identifier definitions in upstream software dependencies invoked deceptively in downstream software.

CVE-2021-42574

> An issue was discovered in the Bidirectional Algorithm in the Unicode Specification through 14.0. It permits the visual reordering of characters via control sequences, which can be used to craft source code that renders different logic than the logical ordering of tokens ingested by compilers and interpreters. Adversaries can leverage this to encode source code for compilers accepting Unicode such that targeted vulnerabilities are introduced invisibly to human reviewers.

Gribo Posted December 31, 2021

LabVIEW enjoys security by obscurity right now. I am sure that the entire stack (Run time, Visa, DAQmx, whatever other services NI installs) has tons of holes and exploits.

ShaunR (Author) Posted January 1, 2022

17 hours ago, Gribo said:
> LabVIEW enjoys security by obscurity right now. I am sure that the entire stack (Run time, Visa, DAQmx, whatever other services NI installs) has tons of holes and exploits.

It's a lot worse than that. It affects all text languages that use a Unicode compiler (Python, C++, Delphi et al.) and is undetectable by visual inspection of the source code. It isn't a programmer's application with a bug - you can't trust the source code is doing what you think it is doing.

Gribo Posted January 3, 2022

There was a page full of evil VIs that played tricks on the poor programmer trying to read them, I don't remember where I saw it.

JKSH Posted January 3, 2022

2 hours ago, Gribo said:
> There was a page full of evil VIs that played tricks on the poor programmer trying to read them, I don't remember where I saw it.

Not the example you were thinking of, but this one was hilarious: https://forums.ni.com/t5/LabVIEW/Compiler-is-Too-Smart-for-My-Own-Good/td-p/4188524

ShaunR (Author) Posted January 3, 2022

15 hours ago, Gribo said:
> There was a page full of evil VIs that played tricks on the poor programmer trying to read them, I don't remember where I saw it.

If it is what I think you are referencing then it is when the VI is run (run when opened), rather than the source code itself. It is also detectable by inspection but double clicking on the VI runs it. This is why most of us place a new, unknown, VI on a diagram or run something like this.

Tags Detect.vi

X___ Posted January 3, 2022

3 hours ago, ShaunR said:
> If it is what I think you are referencing then it is when the VI is run (run when opened), rather than the source code itself. It is also detectable by inspection but double clicking on the VI runs it. This is why most of us place a new, unknown, VI on a diagram or run something like this.
>
> Tags Detect.vi

Why is the "RunOnOpened" PN in the loop and why are persistent tags suspicious?

jacobson Posted January 4, 2022

On 1/1/2022 at 10:11 AM, ShaunR said:
> It's a lot worse than that. It affects all text languages that use a Unicode compiler (Python, C++, Delphi et al.) and is undetectable by visual inspection of the source code. It isn't a programmer's application with a bug - you can't trust the source code is doing what you think it is doing.

VSCode's October update changed it so directional formatting characters are displayed by default. https://code.visualstudio.com/updates/v1_62

GitHub also added a warning if you are looking at a file with these characters so hopefully more IDEs are being updated to make this vulnerability more obvious.

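Added example, not part of any post in this thread: a minimal Python check in the spirit of the editor and GitHub warnings mentioned above, flagging the bidirectional formatting characters behind CVE-2021-42574 and identifiers that mix scripts (a heuristic for the homoglyphs of CVE-2021-42694). The names `scan_source`, `script_of` and `SAMPLE` and the sample input are constructed for illustration, and deriving a script from the Unicode character name is an approximation.

```python
import re
import unicodedata

# Bidirectional formatting characters relevant to CVE-2021-42574:
# LRE, RLE, PDF, LRO, RLO (U+202A-U+202E) and LRI, RLI, FSI, PDI (U+2066-U+2069).
BIDI_CONTROLS = {chr(c) for c in (*range(0x202A, 0x202F), *range(0x2066, 0x206A))}

# Rough identifier pattern: a run of word characters that does not start with a digit.
# It also matches words inside comments and strings, which is acceptable for a linter.
IDENTIFIER = re.compile(r"[^\W\d]\w*")


def script_of(ch):
    """Approximate a character's script by the first word of its Unicode name."""
    name = unicodedata.name(ch, "")
    return name.split(" ")[0] if name else "UNKNOWN"


def scan_source(text):
    """Return a list of (line_no, column, kind, detail) findings, 1-based."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for col, ch in enumerate(line, start=1):
            if ch in BIDI_CONTROLS:
                findings.append((line_no, col, "bidi-control", unicodedata.name(ch)))
        for match in IDENTIFIER.finditer(line):
            scripts = {script_of(c) for c in match.group() if c.isalpha()}
            # An identifier written entirely in one non-Latin script is not flagged.
            if len(scripts) > 1:
                findings.append((line_no, match.start() + 1, "mixed-script",
                                 "+".join(sorted(scripts))))
    return findings


# Constructed sample: line 2 carries a right-to-left override inside a comment,
# line 3 assigns to a name whose first letter is CYRILLIC SMALL LETTER A (U+0430).
SAMPLE = (
    "def check(user):\n"
    "    # review note \u202e hidden direction change\n"
    "    \u0430dmin = user == 'root'\n"
    "    return admin\n"
)

if __name__ == "__main__":
    for finding in scan_source(SAMPLE):
        print(finding)
```

Run as a pre-commit or CI step over changed files, a non-empty result is a reason to inspect the file in a tool that renders these characters explicitly.
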
ShaunR (Author) Posted January 5, 2022

On 1/3/2022 at 8:50 PM, X___ said:
> Why is the "RunOnOpened" PN in the loop

Copyright reasons.

On 1/3/2022 at 8:50 PM, X___ said:
> why are persistent tags suspicious?

You can put a lot of stuff in a VI and unpack it when run.

On 1/4/2022 at 5:57 PM, jacobson said:
> GitHub also added a warning if you are looking at a file with these characters so hopefully more IDEs are being updated to make this vulnerability more obvious.

I dare say it will be addressed in time. I was just commenting on LabVIEW being one of the few not touched by it - for obvious reasons.

hooovahh Posted January 6, 2022

On 1/3/2022 at 12:29 PM, ShaunR said:
> If it is what I think you are referencing then it is when the VI is run (run when opened), rather than the source code itself.

By the way, LabVIEW 2021 now warns you about VIs that are set to run when opened. Years ago I made a LabVIEW Tray Launcher that takes over the file extension, and allowed to select what version to open a file in. I added a feature there that would also open it without running it. I haven't updated it in a while so no idea if it still works right.

X___ Posted January 6, 2022

23 hours ago, ShaunR said:
> You can put a lot of stuff in a VI and unpack it when run.

That was what the Advanced Plotting Toolkit was doing, storing a minimal Python exe as a string constant and running it as soon as started. But that was not as a tag, which I still don't see what it can do besides store stuff (not just strings).

ShaunR (Author) Posted January 7, 2022

2 hours ago, X___ said:
> That was what the Advanced Plotting Toolkit was doing, storing a minimal Python exe as a string constant and running it as soon as started. But that was not as a tag, which I still don't see what it can do besides store stuff (not just strings).

Storing hidden programs is not unusual for you? It's highly suspicious to me. As separate operations, Run When Opened isn't common and storing hidden programs even less so. Both together start alarm bells ringing for me.

hooovahh Posted January 7, 2022

13 hours ago, ShaunR said:
> Storing hidden programs is not unusual for you? It's highly suspicious to me. As separate operations, Run When Opened isn't common and storing hidden programs even less so. Both together start alarm bells ringing for me.

I mean it is a programming technique for making code more portable, by including small external dependencies. But I agree that having embedded programs AND having Run When Open is concerning. I mean other than the Abort All VIs from AQ, I can't think of a good reason a file downloaded would be set to run when opened. I did see in a controlled environment, Run When Opened was being used in place of making an EXE. Operators would just double click the Main.vi shortcut, it would open it in LabVIEW because they had the full IDE, and then it would run. It wasn't a good practice to have and I advised against it. But those are the only two cases I can think of where it could be used.

Edit: I do remember embedding a VI as a block diagram constant too. In my LabVIEW Tray Launcher there is an Abort All VIs, which needs to be saved in the oldest version of LabVIEW supported. If the VI was a static reference the application builder would resave it, but then I couldn't do an Open VI Reference on other versions of LabVIEW. So I saved it as a constant, then when needed it would get saved to a temp location and run. But again this wasn't a Run When Open situation.

JKSH Posted January 28, 2022 (edited)

On 1/2/2022 at 12:11 AM, ShaunR said:
> undetectable by visual inspection of the source code. It isn't a programmer's application with a bug - you can't trust the source code is doing what you think it is doing.

Perfectly doable in LabVIEW too!

Edited January 30, 2022 by JKSH