
Cybersecurity Experts Discuss Unicode to ASCII Conversion Vulnerabilities in Windows Systems
In this video, security researchers Orange and splitline from the DEVCORE research team present their research on vulnerabilities that arise when Windows converts Unicode characters to ASCII (ANSI) characters, a phenomenon they call "Worst Fit." They open with a humorous anecdote in which they pretend to have hacked a bank and modified their account balance using the infinity symbol; the unexpected result is what motivated the research.

The presenters explain that Windows uses several encodings to represent characters, including UCS-2, UTF-16, and UTF-8 (still offered as a beta option). They show how data can be stored as Unicode but retrieved through an ANSI (narrow) API, which leads to unpredictable behavior. For example, the infinity symbol can become the digit "8" during conversion, with unexpected consequences for the application.

They then introduce the concept of "best fit," in which a Unicode character with no exact ANSI equivalent is replaced by an ASCII character that visually resembles it. The substitution depends on the system's language configuration: under a Japanese locale, for instance, the yen symbol is converted to a backslash, which can be abused for directory traversal.

Orange and splitline present several classes of attack built on this behavior:

- File names and file paths. By placing specific Unicode characters in a file name, they show how the converted name allows directory traversal. They demonstrate this against Cuckoo Sandbox, a malware analysis platform, by exploiting an old version of Python to download sensitive files.
- Command lines. They explain how command arguments can be manipulated with Unicode characters that convert to specific ASCII characters, enabling argument injection. They show the issue in common applications such as OpenSSL, Subversion, and Perl, and demonstrate an attack on the web application lfinder.
- Environment variables, which CGI programs commonly use to pass data such as query strings and HTTP headers. By manipulating these variables with Unicode characters, they show how security restrictions can be bypassed to reach sensitive files. They demonstrate this against PHP CGI and show how it leads to local file inclusion and remote code execution.

The presenters also discuss the practical implications. Many applications are vulnerable by default because of the way they retrieve command arguments and environment variables, and the presenters recommend that developers use the Unicode (wide) versions of the Windows APIs to avoid the problem.

In conclusion, Orange and splitline stress the importance of awareness of these vulnerabilities and encourage developers to adopt secure coding practices. They add that the best mitigation for users is to switch the system locale to UTF-8, which removes some of the risk.

For more information, watch the full video at: https://www.youtube.com/watch?v=sKH8283CFzs
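To make the conversion concrete, here is an added Python emulation of the ANSI "best-fit" narrowing described above, together with a defensive check that flags input whose converted form gains path or shell metacharacters; it is illustrative code written for this summary, not the presenters' tooling. The mapping table is a constructed subset (infinity to "8" and yen to backslash under the Japanese code page come from the talk; folding fullwidth ASCII forms to ASCII is an assumption), and the 65001 entry models the UTF-8 locale mitigation where no best-fit substitution occurs.

```python
# Emulation of Windows ANSI "best-fit" narrowing, written for this summary (not the
# presenters' code). The table is a constructed subset: infinity -> '8' and
# yen -> backslash (Japanese code page 932) come from the talk; folding fullwidth
# ASCII forms (U+FF01..U+FF5E) to ASCII is an assumption for illustration.
# On a real Windows host the authoritative answer comes from
# WideCharToMultiByte(codepage, 0, ...), where dwFlags=0 leaves best-fit enabled.

FULLWIDTH = {chr(c): chr(c - 0xFF01 + 0x21) for c in range(0xFF01, 0xFF5F)}
TABLES = {
    1252: {"\u221e": "8", **FULLWIDTH},                  # Western European locale
    932: {"\u00a5": "\\", "\u203e": "~", **FULLWIDTH},   # Japanese locale
    65001: {},                                           # UTF-8 locale: no best fit
}
# ASCII characters whose sudden appearance changes how a path, argv or CGI value parses.
DANGEROUS = set('\\/"\';&|%')


def emulate_worst_fit(text: str, codepage: int = 1252) -> str:
    """Return what an ANSI (A-suffixed) Windows API would hand to the program."""
    table = TABLES[codepage]
    codec = "utf-8" if codepage == 65001 else f"cp{codepage}"
    out = []
    for ch in text:
        if ord(ch) < 0x80:
            out.append(ch)                       # ASCII passes through untouched
        elif ch in table:
            out.append(table[ch])                # best-fit lookalike substitution
        else:
            try:
                out.append(ch.encode(codec).decode(codec))  # natively representable
            except UnicodeEncodeError:
                out.append("?")                  # no fit at all: default char '?'
    return "".join(out)


def worst_fit_risk(text: str, codepage: int = 1252) -> tuple:
    """Defensive check: report dangerous ASCII that exists only AFTER narrowing."""
    narrow = emulate_worst_fit(text, codepage)
    introduced = sorted((set(narrow) & DANGEROUS) - set(text))
    return narrow, introduced


if __name__ == "__main__":
    # Constructed samples: a balance string, a file name, an argument, and the
    # same file name under the UTF-8 locale where nothing is substituted.
    for sample, cp in [("balance\u221e", 1252), ("data\u00a5x.txt", 932),
                       ("--arg=\uff02x\uff02", 1252), ("data\u00a5x.txt", 65001)]:
        narrow, introduced = worst_fit_risk(sample, cp)
        print(f"cp{cp}: {sample!r} -> {narrow!r} introduces {introduced}")
```

A non-empty `introduced` list is the signal that a wide string is safe as stored but not as the narrow API will deliver it, which is exactly the gap the talk exploits.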