Peter Hinchley

Learning in Public

✪ Right-to-Left-Override Unicode Character

Unicode is a character encoding standard that supports most of the world's written languages. To support such a broad character set with a standard US keyboard, individual Unicode characters can be entered on a Windows computer by holding down the Alt key, and then entering the numeric code of the required character, for example, Alt+0036 for $.

Many of the characters in the Unicode set are control characters (non-printing instructions). One such example is the right-to-left-override (RLO) character (Alt+202E), which switches the display of the character sequence that follows it from "left-to-right" to "right-to-left" (as is required for languages like Arabic).

Unfortunately, this necessary feature can also be used for nefarious purposes, such as obfuscating the extension of a file. For example, let's take a file named annfdp.exe. By placing the RLO character immediately before the f, we create a file that appears to be a PDF named annexe.pdf, when it's really an executable (with potentially nasty code). The stored name still ends in .exe; only the way it is displayed changes.

Short of using Software Restriction Policies (SRP), AppLocker, or a technology like Windows File Screening to prevent users from creating files that include the RLO character, this can be a difficult threat to mitigate.
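
A detection-side check for the trick described above, added here as an example and not part of the original post: it flags file names that contain bidirectional control characters and reports the extension the operating system acts on next to the one a user sees. The function names and the sample list are hypothetical, and displayed_name only approximates rendering for a single RLO followed by Latin text. The check also covers the other Unicode bidi controls, not just RLO.

```python
import unicodedata

# Bidirectional formatting characters that can change how a file name is drawn.
BIDI_CONTROLS = frozenset(
    "\u202a\u202b\u202c\u202d\u202e"  # LRE, RLE, PDF, LRO, RLO
    "\u2066\u2067\u2068\u2069"        # LRI, RLI, FSI, PDI
    "\u200e\u200f\u061c"              # LRM, RLM, ALM
)
RLO = "\u202e"


def escape_controls(name):
    """Make every bidi control visible as a <U+XXXX> tag (safe for logs)."""
    return "".join(f"<U+{ord(c):04X}>" if c in BIDI_CONTROLS else c for c in name)


def displayed_name(name):
    """Approximate what a viewer draws for the simple case on this page:
    one RLO followed by Latin text, so everything after it is mirrored."""
    head, sep, tail = name.partition(RLO)
    return head + tail[::-1] if sep else name


def extension(name):
    """Text after the last dot, lower-cased; empty string if there is no dot."""
    return name.rpartition(".")[2].lower() if "." in name else ""


def inspect(name):
    """Return a finding for a name containing bidi controls, else None."""
    controls = [unicodedata.name(c) for c in name if c in BIDI_CONTROLS]
    if not controls:
        return None
    shown = displayed_name(name)
    return {
        "escaped": escape_controls(name),
        "displayed": shown,
        "real_ext": extension(name),        # what the OS acts on
        "apparent_ext": extension(shown),   # what the user sees
        "controls": controls,
    }


# Constructed sample names; the second is the example from the text above.
SAMPLES = ["report.pdf", "ann\u202efdp.exe", "notes.txt"]

if __name__ == "__main__":
    for finding in filter(None, map(inspect, SAMPLES)):
        print(finding)
```

A finding whose real_ext and apparent_ext differ is the case worth alerting on; logging the escaped form keeps the control character from reordering the log line itself.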