
The Security of Emojis

BSides Canberra 2021 · 24:36 · 689 views · Published 2021-04
About this talk
Adrian Justice explores what happens when emojis are placed in places they weren't intended to go—including domain names, file paths, passwords, and red-team tools. The talk demonstrates how Windows, macOS, and Linux handle emoji rendering across terminals, web servers, network scanners, and forensic tools, uncovering incompatibilities and unexpected behaviors in widely-used security software.
Original YouTube description: BSides Canberra 2021, 9-10th April 2021, National Convention Centre

Transcript [en]:

So my name is Adrian Justice, and today I'm going to be talking to you about the security of emojis and looking into a bit of what happens when we put them in places they're not really intended to go. So hopefully everyone's had a few beers at lunch and is ready for some slightly less serious presentations.

Before we start diving into what we can do with emojis, we should understand what they actually are and where they come from. The idea of emojis originally came around in the late 90s with just a basic symbol set created to represent things like what the current weather is and things like that. In 2007 Google started petitioning the Unicode Consortium to get emojis incorporated into Unicode so that they'd be available for everything, and in 2010 that was actually accepted. All the updates after that were just expanding the emoji character set out to include different colours for all of the emojis, different genders, different food, because they worked out there was no emoji for taco but there were like six different types of sushi, and people got sick of that. I'm going to skip over how we encode emojis and stuff like that; I'll just leave it at "it's UTF-8 and UTF-16 magic", because I was supposed to remove this line and forgot about it.

All right, so if we want to start playing with emojis in Windows we're going to need to be able to type them. To do that we've got two basic options. Option one: you can use a website like getemoji.com, search for what you want, and copy and paste it into your text field. It works, but it's not a great option. Option two is we can use the built-in Windows emoji keyboard: if you push Windows key + period or semicolon it'll pop up the window down the bottom there, and then any emojis you click will be typed into your selected text field.

So now that we can type emojis, let's have a play around with them in the most basic form of a Windows application, a terminal. According to the most trusted of sources, Stack Overflow, the Windows default console host, or conhost, does not support Unicode, whereas the newer Windows Terminal, which can be pulled down from the Windows app store, does. So I put this to the test. Up the top we've got Command Prompt and PowerShell both running on top of conhost, and both can't render emojis, instead displaying a little square with a question mark in it. Down the bottom we've got the newer Windows Terminal based versions of Command Prompt and PowerShell, and it's really hard to see up there, I'm now realizing, but the little coloured bits are emojis, so just take my word for it.

How about applications that output emojis? So on the screen now we've got a small application I wrote that just outputs a random emoji, and surprise, surprise, the conhost-based ones still just output question marks and the Windows Terminal based ones do successfully work. So we've covered a few bonus places you can shove emojis. You can also obviously use them in file paths and file names, and just for the hell of it I put it into the metadata for the file as well, just editing the Visual Studio project; it quite happily did it.

On to something a little bit more useful now. Can you make your Windows domain name contain emojis, or can you name your computer host with emojis? Absolutely. So up here we've got a computer named diamond DC hazard sign, so that's nice and easy. The full computer name, or we can see our domain, is "emoji call" with some flames. The less obvious thing here is that the words "emoji call" are actually written in emojis as well. There's not a whole lot of use for this, but I mean, I guess you can mess with someone a little bit. So here we've got just a Windows 10 machine being added to our new "emoji call" domain, and it does work perfectly fine. You'll also see that this machine is called "finance" with some emojis either side of it, a dollar sign. And lastly, just another place you can actually see the domain you're connected up to. The interesting thing here is on the left we've got the black and white version of the emojis, like a black outline, and on the right we've got the colourized version. It seems, just based personally on what I've seen, like as Microsoft's rewriting GUI aspects of Windows they're moving towards the newer version, but anything that's been around for a while tends to still use the older black outline.

Not everything supports emojis, so Windows 7 just straight up has no clue what to do with it. You can still actually add it to an emoji-based domain, it's just you can have a really bad time if you actually try to do anything, because nothing's going to render; you're just going to get squares everywhere. While you're setting up a domain controller or creating a new domain that uses emojis, when you get to the NetBIOS stage it'll pre-fill it with a squashed version of what your selected forest name is, and in our case that contains emojis. If you continue to click through, it's all fine with it until you get to the very last step where it tries to verify things, and it'll throw up the error down the bottom saying you've used a non-approved character. Essentially you have to use ASCII for your NetBIOS name for your Windows machine.

And this last one is a bit of a late addition to the talk that I came up with just before I came up here. Microsoft actually decided to create their own emojis that aren't part of the standard set, and if you decide to use them for your domain name you'll get this error pop-up saying that the emojis you've selected don't match, or will have a different meaning on another host, essentially. So, introducing the non-standard emojis: on the left we've got Ninja Cat and Stunt Cat; that's a screenshot of what they look like on my Windows machine. On the right we've got just the text

field where I've typed the same emojis in on my Windows machine, but I'm presenting on a Mac at the moment, so it has no clue what to do with them, instead printing a cat with a person and a cat with a bike, which I guess makes sense for Ninja Cat and Stunt Cat. Unfortunately I found them a little bit too late to test them out and see what they actually would do with other security tools if we started testing things across platforms, but that could be an interesting thing for the future.

So back to the Windows side. One of the first things I wanted to try when I started playing with emojis was making usernames and passwords that had emojis in them. Incidentally, I accidentally used Stunt Cat here and didn't actually realize it was a non-standard emoji at the time, but it worked perfectly fine for what I was doing. After creating your account, naturally you're going to want to log in. I went to type in the password, and you can't actually open the Windows emoji keyboard on the logon screen. You also can't do option one to copy and paste emojis. So we've made an account that can't actually be logged into from a physical keyboard. Those that are paying attention, though, might have noticed there is an emoji in the username, so how was that typed in if you can't type an emoji on the logon screen? Well, there's more than one way to log onto a machine. We can connect to it remotely via something like RDP, and if you're doing RDP or "run as" or anything else that's happening from an already established session, you've got full access to the emoji keyboard and stuff like that. So we have made an account that can't be used from a physical machine; it can only be used by a remote connection. Not the most useful thing, but I guess it sort of counts as security, and you could mess with someone a bit with it.

One thing to keep in mind, though, is that RDP is not only open to you; it's open to pen testers and other people, depending on how well you've set up your network, and they can connect just as easily. Well, almost as easily. Here we've got a Kali box trying to connect to my domain controller. You'll see at the very top we've got the diamond DC hazard sign again, and then the flame, but what the hell's the rest of it? Well, it turns out that the actual pictures for emojis aren't part of the standard. You've probably noticed this if you've seen an iOS device and an Android device and compared the emojis; they do look slightly different. So the Unicode spec may say that code 1234 is the flag for Australia, but that doesn't stop one platform from using the actual Australian flag picture whilst another one uses the "AU" sign, and absolutely none of that stops someone from using the flag codes to spell out their domain name. All of this is a really roundabout way of saying we are seeing the same emojis, but rendered completely differently between platforms. So despite all that, it does work perfectly fine. If an attacker decided to type this in and hit connect, they would get the certificate details and then wonder what the hell they're looking at, but if, like any good person, they just click through the message, they will actually be able to connect. So despite looking completely different, they are functionally identical.

Password complexity. So one of the best parts about using emojis in passwords is we've got a massively increased character set to pull from. ASCII gives us less than 100 characters we can actually type on a standard keyboard, whereas as of September 2020 there's around three and a half thousand emojis available, so good luck cracking a password if someone picks some decently random emojis. Unfortunately Microsoft doesn't agree. If we try and set a password on a standard domain using an emoji we'll get a warning saying it's not complex enough. If we take a look in Group Policy and see what actually counts as complexity, we'll see we have to meet three of the following four categories: an uppercase letter, a lowercase letter, a number and a special symbol. We've got uppercase, we've got lowercase, we don't have a number, but I would have thought diamond is a special symbol. All I can think from this message is it counts as A to Z for some reason. Anyway, we can get past it the old-fashioned way by adding a one to the end.

All right, so we've got our super strong emoji-enhanced password; now let's see if we can crack it. I will put a disclaimer out here: I'm not very good at password cracking. So first up I tried hashcat using a wordlist that actually had the password in it, and it was no luck. Next I gave John a try and still had no luck. I did mess around with this for about an hour and just got nowhere. I'm pretty sure it's at least possible with hashcat, because cracking an emoji-based password is effectively the same as cracking a password that has any other non-English character in it that's based in Unicode; I just apparently aren't very good at this. But in all fairness, when's the last time any of the pen testers in the room actually mutated their password list with emojis? I'm going to speed things up a little bit now and start having a look at just

how a few other tools handle emojis. Since we're talking red team tools, let's have a look at Nmap. Nmap will happily scan our domain controller that is full of emojis, and will just make absolutely no attempt at rendering any of the emojis, instead printing out the hex characters for the emoji values. I've decoded the top three of them down the bottom just to show what's coming out. Interestingly, and you're not going to be able to read it because it's so small up there, the top value is actually the NetBIOS name for the host that we scanned, which is diamond DC hazard sign, and yet previously, when we were setting up a domain, we weren't allowed to use emojis in the NetBIOS half of the domain. So for some reason we're not allowed to do it on a Windows domain but we are allowed to do it for hosts, so just a little bit weird. Not every part of Nmap works so gracefully; parts of it do just have a bit of a freak-out and replace everything with an asterisk sign, but functionally it does work.

How about Metasploit? So Metasploit handles things fairly well. There's a few rendering issues, like the one in the middle of the screen there; I have no idea what the hell that is, but it does work perfectly if you just hit enter to get past it. Printing out the system information works but doesn't quite get the hostname right, but if you print out a process listing you might be able to see down the very bottom there is the user that is "hacker" with emojis either side of it. So all in all Metasploit is fairly usable.

Next up we'll take a look at Wireshark. Like Nmap, Wireshark just won't attempt to render the emojis, instead, similar to Metasploit, printing out question marks. There's not a lot of interesting stuff you can do with Wireshark; it was either going to crash or it's just going to display boring stuff. We did manage to generate a few malformed DNS packets. I'm assuming this is because we're using DNS against a domain that has non-ASCII characters in it, and DNS is not really meant to do that; you're meant to do something like Punycode if you're going to do non-ASCII. I will talk a little bit more about Punycode in a second, but yeah, besides being able to break the filter a little bit, it doesn't really do much interesting.

Next up, Volatility. So for those that don't know what Volatility is, it's a memory forensics program written in Python, and as I'm sure anyone that's actually tried to write Python before, especially Python 3, for parsing binary streams back into strings, it can be an absolute [inaudible] to deal with, and you'll be constantly getting error messages about having a character that's not in the character set that you're dealing with. So, pretty high hopes that we were going to be able to crash Volatility. Unfortunately all that broke was my terminal, so you'll notice the "h" on the right-hand side is slightly sitting on top of the first emoji there. All I can think is that this terminal is using a fixed character width for everything and the emojis are slightly larger. So nothing really broke.

So, so far everything's kind of handled emojis, and I really wanted to actually break some stuff for this presentation, so let's change that. When you install Exchange it defaults to using your domain name, which in our case is "emoji call" written in flags, and as you can see Exchange isn't real happy about that. If we check the error log for it we can see that an exception was thrown saying that we've got an invalid fully qualified domain name. So yeah, straight up, Exchange Server does not work. So that's one major Microsoft service broken.

How about IIS? So IIS, for those that don't know, is Microsoft's web server. It can be installed on any Windows server or workstation, and after it's installed you can access your web server using your fully qualified domain name, which in our case is the "emoji call" one. Holy crap, that is small up there. All right, on the left-hand side, the weird bits that don't look like letters are emojis; that's the black outline version for Internet Explorer, whereas Chrome has the colourized version. I did no research whatsoever into what actually causes that; all I can assume is that something's using a newer renderer or API or something. If we hit enter to trigger the actual navigation, first of all, it works, so we can actually navigate to a page based on emojis. But if you look at the address bar, all the emojis are gone now, replaced with ASCII characters. So what's actually happened? Well, the emojis have been translated into Punycode. I mentioned that briefly in the Wireshark section. Punycode itself could be an entire talk, so I'm going to be very high level here, but it's a way of converting essentially non-ASCII characters back into ASCII to be used with things like DNS. So if you see anything in a URL that begins with "xn--", you're going to know that you're dealing with Punycode. So how about accessing a resource? So this time we've got our fully qualified domain name back in there, but on the right-hand side we're trying to access glasses.htm. If we hit enter to go again we get our

Punycode back and the page loads, but the glasses are actually still there. So it seems like the domain name part of a URL does not support emojis and will end up with Punycode, whereas the resource name does support it and you're free to do whatever you want.

So after seeing that IIS worked I had pretty high hopes that SharePoint was going to work, given, you know, it all sits on top of IIS. The initial setup was promising; it even happily connected to my database server, that was diamond DC hazard sign. However, once I started to log in, things went downhill. You can see up the top we do still have our Punycode URL, so we are connecting to it based on the emoji URL; however, the logon screen is less than happy, with just a heap of question marks in it. If you try and log into this it'll sit there thinking for a second and then just kick you straight back out to the logon screen. Having a look in the Windows error logs, we can see that it's effectively trying to resolve that name. I don't know if it's literally trying to resolve "?.dc", but either way I never managed to actually get it to work with emojis. As a side note, you'll notice the computer name down the bottom is printing with emojis, so Event Viewer does work with emojis, so that's nice. After playing around I did manage to actually log into SharePoint, but if you look up the top you'll see one key difference: I'm using an IP address instead of the domain name. So it seems like it just doesn't work, for some reason.

So we're getting towards the end now, and I'm just going to try and show a heap of places that we can cram emojis, just for the hell of it. So the whole idea of looking at emojis came, weirdly enough, from looking through some IIS logs, or a co-worker looking through some IIS logs and then just losing it laughing, and when I came over I saw someone had run a network scan against this thing with the poop emoji as the user agent. So, as the professionals we are, we decided to work out how to find poop emojis that were used for user agents, and we found it, yeah, it quite happily works with it. That sort of spawned the whole idea of going through and finding anywhere else we could cram emojis, so we can thank that random person that scanned something.

If you want to do any form of coding involving emojis, we've got a couple of different options. If you want to be able to use emojis as variable names and things, you're limited to Java, JavaScript and Swift; there might be a few others. If you want to be able to display emojis, then pretty much anything that supports Unicode will work fine. So here we've got some perfectly valid Swift code, so if you want to write the next iOS or macOS app you are welcome to use that. Next we've got some JavaScript, minified of course, because all JavaScript should be minified and disgusting to read; this will work perfectly fine. And we've got a bit of a special one at the end: this is Emojicode, which, as you can see, is a language by itself where all syntax is just replaced with emojis. I've never written anything in this, but if anyone's writing a CTF out there, that could be an interesting challenge to give someone.

On to macOS. So Mac has a built-in emoji keyboard just like Windows. It's accessible through the Edit menu in most applications, or was that Command + Option + Space or something, I don't know my Mac shortcut keys. It works reasonably well, same as Windows: click what you want and it types where your cursor is. It does have the same issue that we saw previously with Volatility, that the quote over the snowflake is rendered on top of it, so I guess it's fixed character width again, but yeah, functionally it is all there. Linux was a little less functioning, specifically Ubuntu in this case, because, you know, everything in Linux can be customized. You can open the emoji keyboard by right-clicking in a text field and choosing Insert Emoji. That brings up the really tiny emoji keyboard on the right that can't be expanded, and half the time when I clicked an emoji I got a different one, so it wasn't real good to use. You also can't open it from a terminal, so to type in a terminal you have to type into a random text field, then copy and paste it out of there back into the terminal, but once you've got them working it does print them out perfectly fine.

If you get sick of crappy Wi-Fi puns for your home SSID, you can use emojis in it. One thing to keep in mind: I did actually have something like this for a while for my IoT crap, and I got an IP camera that had to connect via holding a QR code of your SSID and password in front of it, and it just refused to connect to it. So depending on what you're doing it may break some things. And last but not least, if you're a die-hard emoji user you can buy a full emoji keyboard. Using this likely won't get around the issue that I had previously with typing in Windows passwords, as it does require some special software to run, which likely won't be running prior to you logging in. That's what I've got for you. Got any questions?

Thanks Adrian, that was great. I have to admit your talk title was a tester of a lot of things we use for BSides, like our CRM and our website. I was very happy to see it worked in the brochure, and I was very disappointed the badge didn't display talk details; I wanted to see someone render that.

Yeah, we didn't quite get the schedule into the badge this year, but that would have been a good test as well.

So we have a few questions. AJD has asked: are there any emojis which have multiple possible byte sequence encodings, and could there be potential bugs around this?

I definitely did not go deep enough for that. I will say that in theory, if they're part of the standard, it should be no. If you're doing weird ones like the Microsoft custom ones, maybe. But maybe there can be an advanced version of this for 2022.

Did you report any of the bugs you found with the emojis?

They are not bugs, they're features. Just because you crash something does not make it a bug. I think a lot of it is just that it's not designed to work with Unicode, essentially. A lot of the things that did break are either just weird rendering issues, or it's generally things to do with domain names that are just not supposed to work with Unicode. So maybe they'll change it one day; maybe they'll open DNS up to be fully Unicode supported, because they'll get sick of having every URL that contains emojis and Unicode looking like a malicious URL. But we'll see what happens with that.

Alex Mason has asked: any idea how the right-to-left markers etc. would affect things?

No. I had not even considered that until someone brought it up at the speaker dinner last night, and yeah, I think it would very much just depend on each individual application. I don't know what happens if you mix left-to-right and right-to-left, if it just has a freak-out and collides in the middle or what. Most of the things probably wouldn't change too much, though the rendering issues could be a bit more interesting, but the DNS issues likely would just crash the same way.

Boba T has asked: did you discover any working emoji exploits or vulns, for example XSS?

I definitely didn't get anything like that. It would be very cool to be able to just throw a poop emoji and get a shell out of it. I considered building a webshell or something that used emojis, at least just to show some form of actual attacking using it, but unfortunately the 20-minute time slot turned out to be a bit too constrained for that.

Mainframe McGee has asked: would something written in Emojicode be more or less secure than other common languages?

That depends. Everyone can hack every program you make; do you think some dude that made a random programming language is going to do any better? It's probably going to be the same as any other custom language, that if you actually look at it you'll probably find something. But yeah, I have no idea what's under the hood of it; I literally just saw it and thought that looks like a cool thing to throw in.

GT has asked: for the physical machine logon to Windows, is it possible to use alt codes to enter Unicode characters?

Not as far as I could find. I couldn't find anything that would allow you to. Essentially it seems like when you've got that specific text field selected, none of the special things you could normally do on a keyboard work: you can't copy, you can't paste. I never got anywhere with alt codes or anything.

I think I've covered off all of them. I may have missed some; let me just check. Yep, one last one, from Dan: would an AD password containing emojis work for a domain-joined *nix box?

No idea. I mean, it definitely works on the Windows side, so if it doesn't work on Linux, it's open source, fix it yourself. But it should, because the main thing here is there's nothing special about it being an emoji. In theory, if your password could contain any non-English character, it should be functionally the same as it being an emoji, so I would think it should work. There should be a big enough international base of users that someone's going to have tried to type in a Chinese character or something into their password. Yeah, I don't know, but there's pretty good odds that it would work.

Awesome, and that's all. Can we give another big round of applause to Adrian? Thank you.