HostSplit: Exploitable Antipatterns in Unicode Normalization

Presented at Black Hat USA 2019, Aug. 8, 2019, 3:50 p.m. (50 minutes)

This talk demonstrates new exploit techniques that leverage Unicode normalization behavior to bypass URL security filters and, in some cases, allow one domain to impersonate another. Where previous attacks against internationalized domain names relied on visual spoofing, these attacks fool software with URL strings that are parsed as belonging to one hostname but resolved as belonging to a different host name.

The vulnerabilities that enable these attacks are widespread, because they result from practical compromises in implementing IDNA standards. The author of this talk identified several new CVE's which will be discussed, including vulnerabilities in Edge/IE, .NET, Python, Java, Office 365, and Gmail. A more general exploit pattern against OAuth is also explained.

Although some platform-level problems have already been corrected, many of the fixes for these vulnerabilities will need to be made at an application level. It is likely that there are still many software packages with Unicode normalization vulnerabilities of this type.

This talk discusses methods to test for these vulnerabilities as well as coding and design best practices for preventing them.


Presenters:

  • Jonathan Birch - Senior Security Software Engineer, Microsoft
    Jonathan Birch is a Senior Security Software Engineer at Microsoft, where he provides security guidance and penetration testing for the development of Microsoft Office. He has previously presented at Microsoft's BlueHat Security Conference on research he conducted regarding serialization security (2017) and unintended authentication (2016).

Links:

Similar Presentations: