If you work in IT, I recommend reading the article on the #WorstFit security flaw in full; it is well written and well explained. https://devco.re/blog/2025/01/09/worstfit-unveiling-hidden-transformers-in-windows-ansi/

In particular the chapter on "who should have done what" ("The Dusk–or Dawn–of the WorstFit"). Microsoft's response is a beauty :-)

(With @bagder in it)

WorstFit: Unveiling Hidden Transformers in Windows ANSI! | DEVCORE 戴夫寇爾

The research unveils a new attack surface in Windows by exploiting Best-Fit, an internal charset conversion feature. Through our work, we successfully transformed this feature into several practical attacks, including Path Traversal, Argument Injection, and even RCE, affecting numerous well-known applications!

DEVCORE 戴夫寇爾

'worst-fit' attacks are the latest iteration of the classic "let's guess what the user wants" idea. This has always led to issues down the line.

It will be really hard to reason about and fix for apps that rely on the affected Windows APIs.

https://blog.orange.tw/posts/2025-01-worstfit-unveiling-hidden-transformers-in-windows-ansi/

If you want a deep dive on the underlying mechanics of these types of attacks, check out my colleague's blog post from a couple of months ago: https://herolab.usd.de/en/the-security-risks-of-overlong-utf-8-encodings/

#WorstFit #ANSII #utf8 #pwn #rce #pentesting #hacking

WorstFit: Unveiling Hidden Transformers in Windows ANSI!

📌 This is a cross-post from DEVCORE. The research was first published at Black Hat Europe 2024. Personally, I would like to thank splitline, the co-author of this research & article, whose help

Orange Tsai
#WorstFit - Unveiling Hidden Transformers in #Windows ANSI ( Path Traversal, Argument Injection, #RCE ) https://blog.orange.tw/posts/2025-01-worstfit-unveiling-hidden-transformers-in-windows-ansi/

Great code page parser bug by @orange_8361. BestFit suffers from a similar issue to NFKC/NFKD, where the original character is converted to a look-alike. This can be misused to inject special characters that should otherwise be escaped. https://worst.fit.

There are so many other issues in Unicode. If you want to learn and practice these types of vulns, I've a free short course at https://learn.secdim.com/course/paypal-homograph/topic/introduction-visual-spoofing #unicode #worstfit #unicodesecurity

WorstFit!
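The look-alike collapse described in the posts above, as an added example that is not code from any of the posts or from the WorstFit research: Python's codecs never Best-Fit (they raise on unmappable characters), so `BEST_FIT_STANDIN` and `best_fit_encode` are a constructed stand-in for the Windows narrowing step, not the real table, and `validate_then_convert`, `convert_then_validate` and `nfkc_collapses` are hypothetical names chosen here to contrast the unsafe and safe ordering of the check.

```python
import unicodedata
from typing import Optional

# Constructed subset of Best-Fit style mappings (assumed, not the Windows table):
# a character with no exact representation in the ANSI code page is replaced by
# a visually similar one instead of failing the conversion.
BEST_FIT_STANDIN = {
    "\uff02": '"',   # FULLWIDTH QUOTATION MARK -> ASCII double quote
    "\uff0f": "/",   # FULLWIDTH SOLIDUS -> slash
    "\uff3c": "\\",  # FULLWIDTH REVERSE SOLIDUS -> backslash
    "\u00a5": "\\",  # YEN SIGN -> backslash (as in the Japanese code page)
    "\u20a9": "\\",  # WON SIGN -> backslash (as in the Korean code page)
}

# Metacharacters the application refuses or would otherwise have to escape.
DANGEROUS = set('"\\/')


def best_fit_encode(text: str) -> bytes:
    """Simulate the lossy narrowing step: exact ASCII passes through, known
    look-alikes collapse to their ASCII stand-in, anything else becomes '?'."""
    out = []
    for ch in text:
        out.append(ch if ord(ch) < 0x80 else BEST_FIT_STANDIN.get(ch, "?"))
    return "".join(out).encode("ascii")


def has_metachars(s: str) -> bool:
    return any(c in DANGEROUS for c in s)


def validate_then_convert(text: str) -> Optional[bytes]:
    """Unsafe ordering: the check runs on the wide string, which looks clean,
    and the narrowing step afterwards re-introduces the very characters
    the check was looking for."""
    if has_metachars(text):
        return None
    return best_fit_encode(text)


def convert_then_validate(text: str) -> Optional[bytes]:
    """Safe ordering: check the bytes the narrow API will actually receive."""
    narrow = best_fit_encode(text)
    if has_metachars(narrow.decode("ascii")):
        return None
    return narrow


def nfkc_collapses(text: str) -> bool:
    """The NFKC analogue from the post: compatibility normalisation folds
    fullwidth forms to ASCII, so a string clean before NFKC can be unsafe after."""
    return has_metachars(unicodedata.normalize("NFKC", text)) and not has_metachars(text)
```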