Proactive IT Security
 

The RTLO unicode hole - sequence manipulation as an attack vector

A while ago one of our researchers read about a Chinese trojan being spammed out using a Unicode trick that reverses some characters in the filename, making the file appear not to have an executable extension.

We have now received some such trojans, and have investigated this issue in more detail.

The files appear in email attachments like the one below:

 

In this filename there are some apparently standard alphabetical characters and some Han (Chinese) characters. The email client tested in this case, Lotus Notes, experienced no problem with this, which is probably also true for other modern email clients.

When the file is saved to disk, Explorer sees this:

In fact, no Unicode-capable viewer shows the file name differently; even Notepad renders this string of characters as shown above. There appears to be nothing bad here.

However, when looking at the disk from a CMD prompt, a different picture appears:

The last part of the file name has been reversed. Now we are looking at an EXE file, just as described in the blog post mentioned at the beginning of this article.

In order to find out which Unicode character enabled this, the file name was copied to Notepad and saved as Unicode. The actual string is:

0000000000:  FEFF 0025 xxxx xxxx │ xxxx xxxx xxxx xxxx   xxxx
0000000010: xxxx xxxx xxxx xxxx │ xxxx xxxx xxxx xxxx
0000000020: xxxx xxxx xxxx 202B │ 202E 0063 006F 0064 cod
0000000030: 002E 0065 0078 0065 │ .exe


The offending Unicode characters are U+202E (RIGHT-TO-LEFT OVERRIDE) and U+202B (RIGHT-TO-LEFT EMBEDDING). They coexist with their siblings U+202D (LEFT-TO-RIGHT OVERRIDE) and U+202A (LEFT-TO-RIGHT EMBEDDING). All four are formatting characters from the General Punctuation block of Unicode.

Does this mean that any filename substring can be reversed, and back again?

To test this theory, the standard Windows program NOTEPAD.EXE was copied to a series of mangled filenames:

[RTLO]cod.stnemucodtnatropmi.exe
[RTLO]cod.yrammusevituc[LTRO]n1c[LTRO].exe
[RTLO]gpj.!nuf_stohsnee[LTRO]n1c[LTRO].scr
 

These are all clickable and executable in the email client Lotus Notes as well as in Explorer. Note that no visible executable extension is needed anywhere for this to happen: basically any file "name" can be executable in this scenario. Real extensions such as PDF or EXE can be hidden using as many LTROs and RTLOs as needed to completely obfuscate the extension. If you look closely you will however see that Windows still understands the real file type.
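As an added example (not code from the original post), the following Python script does what a mail gateway or file scanner would want here: it lists the bidi control characters in a file name, reports the extension Windows actually uses, and, for the single right-to-left override case above, reconstructs the name a Unicode-aware viewer displays. The sample file name is constructed from the first mangled name in the list; the extension set is an assumption.

```python
import unicodedata
from typing import List, Tuple

# Unicode bidirectional formatting characters that can reorder how a file
# name is displayed (the post discusses U+202E RLO and U+202B RLE).
BIDI_CONTROLS = {
    0x200E, 0x200F,                           # LRM, RLM
    0x202A, 0x202B, 0x202C, 0x202D, 0x202E,   # LRE, RLE, PDF, LRO, RLO
    0x2066, 0x2067, 0x2068, 0x2069,           # LRI, RLI, FSI, PDI
}

# Assumed set of extensions a scanner would treat as executable.
EXECUTABLE_EXTENSIONS = {"exe", "scr", "com", "pif", "bat", "cmd", "vbs", "js"}


def bidi_controls(name: str) -> List[Tuple[int, str]]:
    """Return (position, Unicode name) for every bidi control in the name."""
    return [(i, unicodedata.name(ch, "UNKNOWN")) for i, ch in enumerate(name)
            if ord(ch) in BIDI_CONTROLS]


def true_extension(name: str) -> str:
    """Extension as the OS sees it: the suffix after the last '.' once all
    bidi controls are removed (they only affect display, not the file type)."""
    clean = "".join(ch for ch in name if ord(ch) not in BIDI_CONTROLS)
    return clean.rsplit(".", 1)[1].lower() if "." in clean else ""


def displayed_name(name: str) -> str:
    """Approximate what a bidi-aware viewer shows: the run after a RIGHT-TO-LEFT
    OVERRIDE (U+202E) is reversed up to a POP DIRECTIONAL FORMATTING (U+202C)
    or the end of the string; other controls are dropped. This simplification
    of the full Unicode bidi algorithm covers the single-override case."""
    out, i = [], 0
    while i < len(name):
        ch = name[i]
        if ch == "\u202e":
            j = i + 1
            while j < len(name) and name[j] != "\u202c":
                j += 1
            run = "".join(c for c in name[i + 1:j] if ord(c) not in BIDI_CONTROLS)
            out.append(run[::-1])
            i = j + 1
        elif ord(ch) in BIDI_CONTROLS:
            i += 1
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def is_spoofed_executable(name: str) -> bool:
    """Flag names that carry bidi controls AND resolve to an executable type."""
    return bool(bidi_controls(name)) and true_extension(name) in EXECUTABLE_EXTENSIONS


if __name__ == "__main__":
    sample = "\u202ecod.stnemucodtnatropmi.exe"   # constructed from the post
    print(bidi_controls(sample), displayed_name(sample), true_extension(sample))
```

Run against the first mangled name, the script shows the viewer-facing name `exe.importantdocuments.doc` while the real extension is `exe`.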

Mitigating factors

Vulnerable versions of Windows

By default this issue apparently only affects Windows Vista and Windows 7. On Windows XP, support for right-to-left languages must be installed for this to work.

Vulnerable email clients

Based on our tests, different email clients seem to handle this issue differently.

  • Some email clients do not support Unicode, and the type of attack outlined will then obviously not function. Older email clients are typically of this type.
  • Since the attack depends only on how a file name is displayed, email clients configured to block executables will also block attachments manipulated in this way.

Conclusion

Do not rely on any file attachment or file on any device to be safe based on its file name.
