
WorstFit - Critical Vulnerability Discovered in Windows Charset Conversion

The WorstFit attack exploits hidden character transformations in Windows ANSI APIs to bypass WAFs, enabling command injection and path confusion.


Security researchers Orange Tsai and Splitline Huang have discovered a significant vulnerability in Windows systems that could allow attackers to bypass security controls and achieve remote code execution. 

Dubbed "WorstFit," the vulnerability affects multiple widely used applications and stems from Windows' Best-Fit character conversion feature.

The researchers found that Windows' ANSI API, which handles character encoding conversions, contains a hidden "Best-Fit" mechanism that automatically transforms certain Unicode characters into their closest ANSI equivalents.

While intended to maintain backward compatibility, this feature can be exploited in three different ways: Filename Smuggling, Argument Splitting, and Environment Variable Confusion.

The vulnerability affects numerous popular applications, including PHP-CGI (CVE-2024-4577), Microsoft Excel (CVE-2024-49026), Apache Subversion (CVE-2024-45720), and Perforce (CVE-2024-8067).


The impact varies depending on the system's configured code page, with Western European, Eastern European, and Thai language settings being particularly vulnerable.

According to the researchers, the issue is especially concerning because it operates at the operating system level, making it difficult for individual applications to implement effective mitigations. The vulnerability can bypass even properly implemented security controls, such as argument escaping and input validation.

The researchers reported their findings to multiple vendors, including Microsoft, Curl, PostgreSQL, and various open-source projects. The response has been mixed, with some vendors implementing fixes while others consider it a Windows feature rather than a security vulnerability.

Vendor Status

Vendor               Binary            Status
PHP                  php-cgi.exe       CVE-2024-4577
Curl                 Official Build    Won't Fix
Microsoft Tar        tar.exe           Won't Fix
Microsoft Excel      excel.exe         CVE-2024-49026
Microsoft PhoneBook  rasphone.exe      Won't Fix
GNU Wget             -                 No Reply
Apache Subversion    svn.exe           CVE-2024-45720
PostgreSQL           psql.exe          Won't Fix
Putty                plink.exe         Fixed
Perforce             p4.exe            CVE-2024-8067
Oracle Java          java.exe          Pending Fix
Perl                 perl.exe          Won't Fix
OpenSSL              openssl.exe       Other
wkhtmltopdf          wkhtmltopdf.exe   EOL

Microsoft has acknowledged one variant of the vulnerability affecting Excel (CVE-2024-49026) but has classified other reported instances as not meeting their severity criteria. The company has added a warning to their GetCommandLineA API documentation, though researchers argue this is insufficient as other ANSI APIs remain affected.

As a temporary mitigation, users are advised to enable the beta UTF-8 option in Windows settings, though this may have compatibility implications. 

To do this, open Control Panel > Clock and Region. Under the Region section, click Change date, time, or number formats; the Region dialog box will appear. Under the Administrative tab, click Change system locale. Then tick the check box Use Unicode UTF-8 for worldwide language support.


Note: The Unicode UTF-8 for worldwide language support feature is still in beta, so it is uncertain whether it will cause side effects.

Developers are strongly encouraged to transition to Wide Character APIs instead of ANSI APIs to prevent exploitation.
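For code that cannot move to wide-character APIs yet, a defender's check is to find out which characters the active ANSI code page cannot represent, since those are exactly the ones Best-Fit would silently rewrite, and to reject them rather than let the conversion happen. The following is an added example, not code from the researchers or from any vendor listed above; it assumes the Western European code page (cp1252), uses Python's strict codec to spot Best-Fit candidates, and uses NFKC folding as a stand-in for Microsoft's Best-Fit tables when estimating what the converted string would look like.

```python
import unicodedata

# Characters whose appearance after conversion changes how a command line,
# path or environment value is parsed (quotes, separators, escapes).
METACHARS = set('"\'\\ &|<>;%')

def best_fit_candidates(text, codepage="cp1252"):
    """Characters of `text` the code page cannot represent. These are the
    characters an ANSI API may silently replace under Best-Fit; Python's
    strict codecs raise instead, which is what makes them detectable."""
    out = []
    for ch in text:
        try:
            ch.encode(codepage, errors="strict")
        except UnicodeEncodeError:
            out.append(ch)
    return out

def approximate_best_fit(text, codepage="cp1252"):
    """Estimate what the converted string would look like. Assumption:
    NFKC compatibility folding (which turns fullwidth forms into ASCII)
    stands in for Microsoft's Best-Fit tables; leftovers become '?'."""
    result = []
    for ch in text:
        if not best_fit_candidates(ch, codepage):
            result.append(ch)
            continue
        folded = unicodedata.normalize("NFKC", ch)
        result.append(folded if not best_fit_candidates(folded, codepage) else "?")
    return "".join(result)

def gains_metachars(text, codepage="cp1252"):
    """Metacharacters absent before conversion but present after it: the
    argument-splitting / path-confusion signal described in the article."""
    before = {c for c in text if c in METACHARS}
    after = {c for c in approximate_best_fit(text, codepage) if c in METACHARS}
    return sorted(after - before)

def safe_for_ansi_api(arg, codepage="cp1252"):
    """Defensive rule: anything that would be subject to Best-Fit is rejected
    instead of converted (or must go through a wide-character API)."""
    return not best_fit_candidates(arg, codepage)

if __name__ == "__main__":
    # Constructed sample inputs: an accented name the code page holds natively,
    # a name carrying a fullwidth quotation mark, and a CJK name.
    for sample in ("résumé.txt", "report\uff02.txt", "漢.txt"):
        print(repr(sample), "->", repr(approximate_best_fit(sample)),
              "gains:", gains_metachars(sample), "safe:", safe_for_ansi_api(sample))
```

The accented name passes untouched, the CJK name is flagged but would only degrade to '?', and the fullwidth quotation mark is the case that matters: it is invisible to a quote check on the Unicode string yet becomes an ASCII quote after conversion.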

The researchers have created a dedicated website (worst.fit) where they plan to share additional technical details and updates about the vulnerability.
