.NET Bestfit Unicode Conversion for P/Invoke

When performing a standard p/invoke method call in which a .NET string must be converted to an unmanaged LPSTR (char*), the .NET runtime performs a “bestfit” conversion.  This means some Unicode characters will be converted down to ASCII characters based on some mapping information.  This “bestfit” conversion can allow an attacker to bypass input validation filters.  For example, a filename might be checked to make sure it does not contain a backslash (“\”) character, or two periods (“..”).  By using Unicode characters an attacker could by pass those checks by providing a Unicode character that will be converted to the required ASCII character during the marshaling of the string.

Full article with character map.

~ by meddington on January 21, 2008.

Posted in Security

5 Responses to “.NET Bestfit Unicode Conversion for P/Invoke”

  1. I was wondering if you graduated from Lakota HS in West Chester, 1988. I had a friend named Michael Eddington, are you him?

    Andrew Baughman said this on February 27, 2008 at 4:36 pm | Reply

  2. FxCop has a security rule for this situation:
    http://msdn2.microsoft.com/en-us/library/ms182319.aspx

    Clint said this on March 5, 2008 at 7:08 am | Reply

  3. FxCop has a security rule for this situation:
    http://msdn2.microsoft.com/en-us/library/ms182319.aspx

    Clint said this on March 5, 2008 at 7:08 am | Reply

  4. Andrew: nope, thats not me.

    Michael Eddington said this on May 23, 2008 at 9:56 am | Reply

  5. Andrew: nope, thats not me.

    Michael Eddington said this on May 23, 2008 at 9:56 am | Reply

Leave a Reply

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Cancel

Connecting to %s

 
Follow

Get every new post delivered to your Inbox.