WorstFit: Unveiling Hidden Transformers in Windows ANSI!

This article uncovers a novel attack surface in Windows by exploiting the Best-Fit character conversion feature, enabling practical attacks such as Path Traversal, Argument Injection, and Remote Code Execution (RCE) across multiple popular applications. The research reveals how this systemic issue stems from Windows APIs, C runtime behaviors, and developer practices, impacting many widely-used applications and frameworks. #Windows #PHP #Python #CuckooSandbox #ElFinder #MicrosoftExcel

Keypoints

  • Windows’ Best-Fit character conversion feature, used when converting UTF-16 to ANSI, maps unsupported characters to visually similar but different ANSI characters, causing unpredictable behavior.
  • This Best-Fit behavior enables new attack techniques including Filename Smuggling, Argument Splitting, and Environment Variable Confusion, which can lead to Path Traversal, input-sanitization bypass, and RCE.
  • CVE-2024-4577 exploits this behavior in PHP-CGI on East Asian code pages (Japanese, Simplified and Traditional Chinese), bypassing argument parsing protections with encoded characters.
  • Case studies include vulnerabilities in Cuckoo Sandbox (Python 2.7), ElFinder’s use of Windows built-in tar.exe, Microsoft Excel (CVE-2024-49026), and multiple CLI tools vulnerable via argument manipulation.
  • Best-Fit mappings vary by system locale and code page, increasing the attack surface in global Windows deployments.
  • The vulnerability is deeply rooted in Windows design, CRT usage, and compiler-generated code calling ANSI APIs, making mitigation challenging and requiring wide adoption of Unicode (Wide Character) APIs.
  • Several vendors such as Curl, Perl, and Microsoft have been notified, with some dismissing it as a Windows “feature” and others not planning immediate fixes.

MITRE Techniques

  • [T1204.002] User Execution: Malicious File – Filename Smuggling exploits Best-Fit conversion to craft malicious filenames causing Path Traversal and RCE (e.g., “AAAA¥..¥..¥conf¥cuckoo.conf” triggers access to sensitive Cuckoo Sandbox files).
  • [T1059.004] Command and Scripting Interpreter: Command Injection – Argument Splitting uses Best-Fit converted characters (fullwidth quotes, Yen sign) to inject additional command-line arguments in executables like wget.exe and tar.exe (“aaa" "--use-compress-program=calc" "bbb.tar” injects arbitrary commands).
  • [T1204.003] Exploitation for Client Execution: Bypass Protection Mechanism – Environment Variable Confusion exploits Best-Fit behavior in environment variables to bypass input filtering and enable LFI or WAF bypass on PHP-CGI and CGI scripts (“PATH_INFO” manipulated with Best-Fit characters to evade access restrictions).

Indicators of Compromise

  • [File Names] Malicious Unicode filenames exploiting Best-Fit, e.g., “AAAA¥..¥..¥conf¥cuckoo.conf” (Path Traversal in Cuckoo Sandbox), “aaa" "--use-compress-program=calc" "bbb.tar” (tar.exe injection).
  • [HTTP Request Paths] Encoded query strings bypassing argument parsing protections, e.g., “?%ADs” used in PHP-CGI CVE-2024-4577 attacks, “/index.php/..¥..¥windows/win.ini/foo” used in LFI bypass on PHP-CGI.
  • [Environment Variables] Manipulated PATH_INFO or QUERY_STRING environment variables with Best-Fit characters enabling WAF bypass or LFI (e.g., substitution of “admin” with à in Code Page 1250).
  • [Executable Arguments] Argument payloads including fullwidth double quotes (U+FF02), Yen sign (U+00A5), and Won sign (U+20A9) used to split or inject malicious command arguments.
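As an added defender-side example (not code from the DEVCORE write-up), the check below simulates the Best-Fit mappings named in the Keypoints and in the indicators above (Yen sign and Won sign to backslash on the Japanese and Korean code pages, fullwidth double quote to a plain quote on Code Page 1252, and the soft hyphen to a dash from the CVE-2024-4577 case) so that a filename or argument can be rejected before it reaches an ANSI API; the mapping table is a hand-picked subset, not the full Windows table, and the per-code-page layout illustrates why the risk changes with the system locale.

```python
from typing import Dict, List, Tuple

# Subset of Windows Best-Fit mappings (assumed from the cases described in the
# write-up; the real tables live inside Windows and are much larger).
BEST_FIT_SUBSET: Dict[int, Dict[str, str]] = {
    932:  {"\u00a5": "\\", "\u00ad": "-"},   # Japanese: Yen sign, soft hyphen
    949:  {"\u20a9": "\\"},                  # Korean: Won sign
    1252: {"\uff02": '"'},                   # Western: fullwidth double quote
}

# Replacement characters that change how a path or command line is parsed.
DANGEROUS_AFTER_FIT = {"\\": "path separator", '"': "argument quote", "-": "option dash"}


def simulate_best_fit(text: str, code_page: int) -> Tuple[str, List[Tuple[str, str]]]:
    """Return the string as an ANSI consumer would see it on `code_page`,
    plus the list of (original char, Best-Fit replacement) substitutions."""
    table = BEST_FIT_SUBSET.get(code_page, {})
    out, hits = [], []
    for ch in text:
        rep = table.get(ch)
        if rep is not None:
            hits.append((ch, rep))
        out.append(rep if rep is not None else ch)
    return "".join(out), hits


def best_fit_risk(text: str, code_page: int) -> List[str]:
    """Reasons to reject `text` before passing it to an -A / CRT API on `code_page`.
    An empty list means no Best-Fit hazard was found in this subset."""
    fitted, hits = simulate_best_fit(text, code_page)
    reasons = [
        f"{ch!r} (U+{ord(ch):04X}) becomes {DANGEROUS_AFTER_FIT[rep]} {rep!r}"
        for ch, rep in hits if rep in DANGEROUS_AFTER_FIT
    ]
    # Path traversal only appears once the separators have been "fitted".
    if ".." in fitted.replace("/", "\\").split("\\"):
        reasons.append("path traversal after Best-Fit: " + fitted)
    return reasons


if __name__ == "__main__":
    # Constructed sample: the filename shape from the Cuckoo Sandbox case.
    sample = "AAAA\u00a5..\u00a5..\u00a5conf\u00a5cuckoo.conf"
    for cp in (932, 1252):
        print(cp, best_fit_risk(sample, cp))
```

On Windows itself the authoritative check is WideCharToMultiByte called with WC_NO_BEST_FIT_CHARS and a non-NULL lpUsedDefaultChar, which reports whether any character failed to round-trip; the cleanest fix remains calling the Wide Character APIs throughout.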

Read more: https://devco.re/blog/2025/01/09/worstfit-unveiling-hidden-transformers-in-windows-ansi/