
CVE-2021-42694 PoC — Unicode Security Vulnerability

Associated Vulnerability
Title: Unicode Security Vulnerability (CVE-2021-42694)
Description: An issue was discovered in the character definitions of the Unicode Specification through 14.0. The specification allows an adversary to produce source code identifiers such as function names using homoglyphs that render visually identical to a target identifier. Adversaries can leverage this to inject code via adversarial identifier definitions in upstream software dependencies invoked deceptively in downstream software. NOTE: the Unicode Consortium offers the following alternative approach to presenting this concern. An issue is noted in the nature of international text that can affect applications that implement support for The Unicode Standard (all versions). Unless mitigated, an adversary could produce source code identifiers using homoglyph characters that render visually identical to but are distinct from a target identifier. In this way, an adversary could inject adversarial identifier definitions in upstream software that are not detected by human reviewers and are invoked deceptively in downstream software. The Unicode Consortium has documented this class of security vulnerability in its document, Unicode Technical Report #36, Unicode Security Considerations. The Unicode Consortium also provides guidance on mitigations for this class of issues in Unicode Technical Standard #39, Unicode Security Mechanisms.
Readme
# CVE-2021-42694

This script implements a homoglyph detection tool, mainly used to find possible CVE-2021-42694 issues in code. Let me explain its main features in detail:

Core features:

- Detects homoglyph substitution attacks in code
- Scans identifiers such as variable names and function names in Python files
- Identifies Unicode characters that look alike but are actually different

Main components:

- `HomoglyphDetector` class: the main detector class
- Data retrieval: fetches the Confusables data from the Unicode website
- File scanning: supports scanning a single file or an entire directory

Workflow:

1. On first run, automatically download the Unicode Confusables data
2. Parse the data and build the homoglyph lookup table
3. Scan the identifiers in code files
4. Check each identifier for homoglyphs
5. Generate a detailed detection report

Detection process in detail:

```python
# For example, detecting code like this:
user_name = "John"  # normal code
usеr_name = "John"  # code containing a homoglyph (е is a Cyrillic letter)
```

Output:

- Shows the suspicious file path
- Shows the suspicious identifier
- Shows the specific homoglyph pair (for example: n -> η)

Security features:

- Automatic updates of the Unicode data
- Local caching mechanism
- Detailed error handling

The main purpose of this tool is to help developers discover possible homoglyph attacks in their code. Such attacks can lead to:

- Code obfuscation
- Security vulnerabilities
- Maintenance difficulties
- Potential malicious code injection

By using this tool, developers can:

- Ensure that the identifiers used in the code are safe
- Prevent homoglyph substitution attacks
- Improve code maintainability and security
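The workflow above (parse the Confusables table, extract identifiers, report the look-alike pairs) as a small added example. This is not the repository's `homoglyph_detector.py` and makes no network request: the Confusables excerpt and the scanned source are constructed inline, and the `parse_confusables` and `scan_source` names are assumptions of this example.

```python
import ast
# Constructed excerpt in the layout of Unicode's confusables.txt (UTS #39);
# the real tool downloads the full file. Each line is
# "<source> ; <target> ; <type> # <comment>" with code points in hex.
CONFUSABLES_SAMPLE = """\
0435 ;\t0065 ;\tMA\t# ( е → e ) CYRILLIC SMALL LETTER IE → LATIN SMALL LETTER E
03B7 ;\t006E ;\tMA\t# ( η → n ) GREEK SMALL LETTER ETA → LATIN SMALL LETTER N
0441 ;\t0063 ;\tMA\t# ( с → c ) CYRILLIC SMALL LETTER ES → LATIN SMALL LETTER C
"""

# Constructed source to scan: the second assignment and the function name
# contain CYRILLIC SMALL LETTER IE (U+0435) where a Latin 'e' is expected.
SAMPLE_SOURCE = 'user_name = "John"\nus\u0435r_name = "John"\ndef s\u0435nd(x):\n    return x\n'

def parse_confusables(text):
    """Build {confusable_char: lookalike_string} from confusables.txt lines."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        src, dst, _kind = (field.strip() for field in line.split(";"))
        # a target may be several code points (e.g. 'r' 'n' for 'm'); join them
        table[chr(int(src, 16))] = "".join(chr(int(cp, 16)) for cp in dst.split())
    return table

def _identifiers(tree):
    """Yield (identifier, line) for names, function/class names and parameters."""
    for node in ast.walk(tree):
        if isinstance(node, ast.Name):
            yield node.id, node.lineno
        elif isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef, ast.ClassDef)):
            yield node.name, node.lineno
        elif isinstance(node, ast.arg):
            yield node.arg, node.lineno

def scan_source(source, table):
    """Return [(identifier, line, [(char, lookalike), ...])] sorted by line.
    Python NFKC-normalises identifiers before they reach the AST, so
    compatibility forms are already folded; Cyrillic/Greek look-alikes are not."""
    findings, seen = [], set()
    for name, lineno in _identifiers(ast.parse(source)):
        if name.isascii() or name in seen:
            continue
        pairs = [(ch, table[ch]) for ch in name if ch in table]
        if pairs:
            seen.add(name)
            findings.append((name, lineno, pairs))
    return sorted(findings, key=lambda f: f[1])
```

The report line for the constructed source reads like the tool's output (identifier plus its `е -> e` pair); with the full confusables.txt loaded instead of the excerpt, the same two functions cover every listed look-alike.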
File Snapshot

[4.0K] /data/pocs/820a01575e29285acc53d120a07c447f624609c5
├── [4.0K] homoglyph_detector.py
├── [ 11K] LICENSE
├── [1.5K] README.md
└── [  17] requirements.txt

0 directories, 4 files