Security researchers have outlined a novel attack vector that exploits the “Best Fit” character conversion technology built into Windows.

The technology comes into play in string conversions, particularly when characters cannot be directly represented in a target character set.

However, application security experts Orange Tsai and Splitline Huang from Taiwanese firm DEVCORE used a presentation at Black Hat to demonstrate how Best Fit character conversion from a Unicode string to an ANSI string might be abused.

The Windows ANSI API contains a hidden trap leading to security bugs, the two researchers warn. More specifically, the conversion process can be manipulated to perform argument injection, which can lead to arbitrary code execution.

Exploitation of Best Fit mappings can allow attackers to inject malicious arguments into command-line executions.

These hidden transformers in Windows ANSI constitute a new attack surface, which the researchers have dubbed WorstFit. The issue affects path/file names, command lines, and environment variables.

Various technologies, including Microsoft Office, cURL, PHP, and Windows executables that indirectly use vulnerable command line tools, such as pip, composer, and git, are all potentially vulnerable.

For example, the CVE-2024-4577 issue in PHP stems from this class of vulnerability. Developers have published suggested mitigations, but the flaw remains under evaluation and unresolved.

Patches have, however, been developed to address CVE-2024-49026, a Microsoft Excel vulnerability. Everything else remains vulnerable, Orange Tsai told CSO.

The presentation highlighted the importance of vigilance in software development practices, particularly in how character sets are handled and sanitized.

In response to the issue, developers should use the WideChar Windows API as much as possible, while users should switch their language options to UTF-8.
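As an added illustration (not code from the researchers or the original article), the following pre-flight check flags characters in an argument list that have no exact encoding in a target ANSI code page, which are the characters a Unicode-to-ANSI conversion would have to substitute. The function names, the choice of `cp1252`, and the sample arguments are assumptions made for this example; Python's strict codec is used as a stand-in for "exactly representable" and may differ from Windows' own tables for a few code points.

```python
import unicodedata


def unrepresentable_chars(text, codepage="cp1252"):
    """Return (index, char, unicode_name) for each character in `text`
    that cannot be encoded exactly in `codepage`.

    Python's strict codecs perform no Best Fit substitution, so an
    encode failure means the character has no exact mapping and would
    be replaced or approximated by a lossy Unicode-to-ANSI conversion.
    """
    findings = []
    for index, ch in enumerate(text):
        try:
            ch.encode(codepage, errors="strict")
        except UnicodeEncodeError:
            findings.append((index, ch, unicodedata.name(ch, "UNNAMED")))
    return findings


def check_argv(argv, codepage="cp1252"):
    """Return {argument_index: findings} for arguments that would not
    survive conversion to `codepage` unchanged. An empty dict means
    every argument round-trips exactly."""
    report = {}
    for position, arg in enumerate(argv):
        hits = unrepresentable_chars(arg, codepage)
        if hits:
            report[position] = hits
    return report


# Constructed sample input: the third argument contains U+FF02, a
# fullwidth quotation mark with no exact cp1252 encoding; the fourth
# contains U+00E9, which cp1252 represents exactly.
SAMPLE_ARGV = ["tool.exe", "--output", "report\uff02.txt", "caf\u00e9.txt"]

if __name__ == "__main__":
    for position, hits in check_argv(SAMPLE_ARGV).items():
        for index, ch, name in hits:
            print(f"argv[{position}] offset {index}: "
                  f"U+{ord(ch):04X} {name} is not exactly representable")
```

A wrapper that must hand arguments to a program using the ANSI API can reject or log any argument this check reports instead of letting the conversion alter it silently.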
First seen on csoonline.com
Jump to article: www.csoonline.com/article/3623569/microsoft-windows-best-fit-character-conversion-ripe-for-exploitation.html