{"id":1203,"date":"2024-12-12T18:20:26","date_gmt":"2024-12-12T18:20:26","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=1203"},"modified":"2024-12-12T18:20:26","modified_gmt":"2024-12-12T18:20:26","slug":"microsoft-windows-best-fit-character-conversion-ripe-for-exploitation","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=1203","title":{"rendered":"Microsoft Windows \u2018Best Fit\u2019 character conversion \u2018ripe for exploitation\u2019"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>Security researchers have outlined a novel attack vector that exploits the \u201cBest Fit\u201d character conversion technology built into Windows.<\/p>\n<p>The technology comes into play in string conversions, particularly when characters cannot be directly represented in a target character set.<\/p>\n<p>However, application security experts Orange Tsai and Splitline Huang from Taiwanese firm DEVCORE used a presentation at <a href=\"https:\/\/www.csoonline.com\/article\/3482049\/black-hat-latest-news-and-insights.html\">Black Hat<\/a> to demonstrate how Best Fit character conversion from a Unicode string to an ANSI string might be abused.<\/p>\n<p>The Windows ANSI API contains a hidden trap leading to security bugs, the two researchers warn. 
More specifically, the conversion process can be manipulated to perform argument injection, which can lead to arbitrary code execution.<\/p>\n<p>Exploitation of Best Fit mappings can allow attackers to inject malicious arguments into command-line executions.<\/p>\n<p>These hidden transformers in Windows ANSI constitute a new attack surface, which the researchers have dubbed <a href=\"https:\/\/www.blackhat.com\/eu-24\/briefings\/schedule\/index.html#worstfit-unveiling-hidden-transformers-in-windows-ansi-42637\">WorstFit<\/a>. The issue affects path \/ file name, command line, and environment variables.<\/p>\n<p>Various technologies, including Microsoft Office, cURL, PHP, and Windows executables that indirectly use vulnerable command-line tools, such as pip, composer, and git, are all potentially vulnerable.<\/p>\n<p>For example, the <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2024-4577\">CVE-2024-4577<\/a> issue in PHP stems from this class of vulnerability. Developers have published suggested mitigations, but the flaw remains under evaluation and unresolved.<\/p>\n<p>Patches have, however, been developed to address <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2024-49026\">CVE-2024-49026<\/a> \u2014 a Microsoft Excel vulnerability. Everything else remains vulnerable, Orange Tsai told CSO.<\/p>\n<p>The presentation highlighted the importance of vigilance in software development practices, particularly in how character sets are handled and sanitized.<\/p>\n<p>In response to the issue, developers should use the WideChar Windows API as much as possible while users should switch their language options to UTF-8.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Security researchers have outlined a novel attack vector that exploits the \u201cBest Fit\u201d character conversion technology built into Windows. 
The technology comes into play in string conversions, particularly when characters cannot be directly represented in a target character set. However, application security experts Orange Tsai and Splitline Huang from Taiwanese firm DEVCORE used a presentation [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":1204,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-1203","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/1203"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1203"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/1203\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/1204"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1203"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1203"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1203"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}