.NET Bestfit Unicode Conversion for P/Invoke

When performing a standard p/invoke method call in which a .NET string must be converted to an unmanaged LPSTR (char*), the .NET runtime performs a “bestfit” conversion.  This means some Unicode characters will be converted down to ASCII characters based on some mapping information.  This “bestfit” conversion can allow an attacker to bypass input validation filters.  For example, a filename might be checked to make sure it does not contain a backslash (“\”) character, or two periods (“..”).  By using Unicode characters an attacker could by pass those checks by providing a Unicode character that will be converted to the required ASCII character during the marshaling of the string.

Full article with character map.

~ by meddington on January 21, 2008.

5 Responses to “.NET Bestfit Unicode Conversion for P/Invoke”

  1. I was wondering if you graduated from Lakota HS in West Chester, 1988. I had a friend named Michael Eddington, are you him?

  2. FxCop has a security rule for this situation:
    http://msdn2.microsoft.com/en-us/library/ms182319.aspx

  3. FxCop has a security rule for this situation:
    http://msdn2.microsoft.com/en-us/library/ms182319.aspx

  4. Andrew: nope, thats not me.

  5. Andrew: nope, thats not me.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Connecting to %s

 
Follow

Get every new post delivered to your Inbox.