A known issue associated with the DOS-to-NT path conversion process in Windows opens up significant risk for businesses, by allowing attackers to gain rootkit-like post-exploitation capabilities to conceal and impersonate files, directories, and processes.
That's according to Or Yair, security researcher at SafeBreach, who outlined the issue during a session at Black Hat Asia 2024 in Singapore this week. He also detailed four different vulnerabilities related to the issue, which he dubbed "MagicDot", including a dangerous remote code-execution bug that can be triggered simply by extracting an archive.
Dots & Spaces in DOS-to-NT Path Conversion
The MagicDot group of problems exists because of the way that Windows converts DOS paths to NT paths.
When users open files or folders on their PCs, Windows accomplishes this by referencing the path where the file exists; normally, that's a DOS path that follows the "C:\Users\User\Documents\example.txt" format. However, a different underlying function called NtCreateFile is used to actually perform the operation of opening the file, and NtCreateFile requires an NT path rather than a DOS path. Thus, Windows converts the familiar DOS path seen by users into an NT path prior to calling NtCreateFile to carry out the operation.
The exploitable problem exists because, during the conversion process, Windows automatically removes any trailing periods from the DOS path, along with any trailing spaces. Thus, DOS paths like these:
- C:\example\example.
- C:\example\example<space>
…are all converted to "\??\C:\example\example" as an NT path.
Yair discovered that this automatic stripping of stray characters could allow attackers to create specially crafted DOS paths that would be converted to NT paths of their choosing, which could then be used either to render files unusable or to conceal malicious content and activity.
Simulating an Unprivileged Rootkit
The MagicDot issues initially create the opportunity for a number of post-exploitation techniques that help attackers on a machine maintain stealth.
For instance, it's possible to lock up malicious content and prevent users, even admins, from analyzing it. "By placing a simple trailing dot at the end of a malicious file name or by naming a file or a directory with dots and/or spaces only, I could make all user-space programs that use the normal API inaccessible to them…users wouldn't be able to read, write, delete, or do anything else with them," Yair explained in the session.
Then, in a related attack, Yair found that the technique could be used to hide files or directories inside archive files.
"I simply ended a file name in an archive with a dot to prevent Explorer from listing or extracting it," Yair said. "As a result, I was able to place a malicious file inside an innocent ZIP—whoever used Explorer to view and extract the archive contents was unable to see that file existed inside."
A third attack method involves masking malicious content by impersonating legitimate file paths.
"If there was a harmless file called 'benign,' I was able to [use DOS-to-NT path conversion] to create a malicious file in the same directory [also named] benign," the researcher explained, adding that the same approach could be used to impersonate folders and even broader Windows processes. "As a result, when a user reads the malicious file, the content of the original harmless file would be returned instead," leaving the victim none the wiser that they were actually opening malicious content.
Taken together, manipulating MagicDot paths can grant adversaries rootkit-like abilities without admin privileges, explained Yair, who published detailed technical notes on the attack methods in tandem with the session.
"I found I could hide files and processes, hide files in archives, affect prefetch file analysis, make Task Manager and Process Explorer users think a malware file was a verified executable published by Microsoft, disable Process Explorer with a denial of service (DoS) vulnerability, and more," he said—all without admin privileges or the ability to run code in the kernel, and without intervening in the chain of API calls that retrieve information.
"It's important that the cybersecurity community recognize this risk and consider developing unprivileged rootkit detection techniques and rules," he warned.
A Series of 'MagicDot' Vulnerabilities
During his research into the MagicDot paths, Yair also managed to uncover four different vulnerabilities related to the underlying issue, three of them since patched by Microsoft.
One remote code execution (RCE) vulnerability (CVE-2023-36396, CVSS 7.8) in Windows's new extraction logic for all newly supported archive types allows attackers to craft a malicious archive that would write anywhere they choose on a remote computer once extracted, leading to code execution.
"Basically, let's say you upload an archive to your GitHub repository advertising it as a cool tool available for download," Yair tells Dark Reading. "And when the user downloads it, it isn't an executable, you just extract the archive, which is considered a completely safe action with no security risks. But now, the extraction itself is able to run code on your computer, and that's seriously wrong and very dangerous."
A second bug is an elevation of privilege (EoP) vulnerability (CVE-2023-32054, CVSS 7.3) that allows attackers to write into files without privileges by manipulating the process of restoring a previous version from a shadow copy.
The third bug is an unprivileged Process Explorer denial of service (DoS) usable for anti-analysis, for which CVE-2023-42757 has been reserved, with details to follow. And the fourth bug, also an EoP issue, allows unprivileged attackers to delete files. Microsoft confirmed that the flaw led to "unexpected behavior," but hasn't yet issued a CVE or a fix for it.
"I create a folder inside the demo folder called ...<space> and inside, I write a file named c.txt," explained Yair. "Then when an administrator attempts to delete the ...<space> folder, the entire demo folder is deleted instead."
Potentially Wider 'MagicDot' Ramifications
While Microsoft addressed Yair's specific vulnerabilities, the DOS-to-NT path conversion's auto-stripping of periods and spaces persists, even though it is the root cause of the vulnerabilities.
"That means there could be many more potential vulnerabilities and post-exploitation techniques to find using this issue," the researcher warns. "This issue still exists and can lead to many more issues and vulnerabilities, which could be much more dangerous than the ones we know about."
He adds that the problem has ramifications beyond Microsoft.
"We believe the implications are relevant not only to Microsoft Windows, which is the world's most widely used desktop OS, but also to all software vendors, most of whom also allow known issues to persist from version to version of their software," he warned.
Meanwhile, software developers can make their code safer against these types of vulnerabilities by using NT paths rather than DOS paths, he noted.
"Most high-level API calls in Windows support NT paths," Yair said. "Using NT paths avoids the conversion process and ensures the provided path is the same path that's actually being operated on."
For businesses, security teams should create detections that look for rogue periods and spaces within file paths.
"There are pretty simple detections that you can develop for these, to look for files or directories that have trailing dots or spaces in them, because if you find these on your computer, it means that somebody did it on purpose, because it isn't that easy to do," Yair explains. "Normal users can't just create a file that ends with a dot or space; Microsoft will prevent that. Attackers will need to use a lower API that's closer to the kernel, and will need some expertise to accomplish this."
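To make both the conversion described earlier and the detection Yair suggests concrete, here is a small Python model added for this article (not SafeBreach's or Microsoft's code): it reproduces the trailing-dot/space stripping on each path component, flags names a normal Win32 caller could not create, and groups DOS paths that collapse to the same NT path. It assumes absolute drive-letter DOS paths and models only the stripping behaviour the article describes, not the full Windows conversion routine; the directory entries are constructed samples.

```python
import re
from collections import defaultdict

# Constructed sample of directory entries (DOS paths), mirroring the
# article's "example." / "example " / "...<space>" cases.
SAMPLE_ENTRIES = [
    r"C:\Users\User\Documents\example.txt",
    r"C:\example\example",
    r"C:\example\example.",
    r"C:\example\example ",
    r"C:\demo\...  ",
    r"C:\demo\...  \c.txt",
]

# A component that ends in a dot or space, or consists only of dots/spaces.
MAGICDOT_NAME = re.compile(r"[. ]$|^[. ]+$")


def dos_to_nt_path(dos_path: str) -> str:
    """Model of the conversion: every component loses its trailing dots and
    spaces, a component that becomes empty vanishes (so C:\\demo\\...<space>
    resolves to C:\\demo), and the result gets the \\??\\ NT prefix."""
    parts = []
    for comp in dos_path.split("\\"):
        stripped = comp.rstrip(". ")
        if stripped:
            parts.append(stripped)
    return "\\??\\" + "\\".join(parts)


def is_magicdot_name(name: str) -> bool:
    return bool(MAGICDOT_NAME.search(name))


def find_suspicious(entries):
    """Detection rule: any path with a component a normal user-space program
    could not have created through the Win32 API (trailing dot/space)."""
    return [p for p in entries
            if any(is_magicdot_name(c) for c in p.split("\\"))]


def find_collisions(entries):
    """Group DOS paths that collapse to one NT path (impersonation risk)."""
    groups = defaultdict(list)
    for p in entries:
        groups[dos_to_nt_path(p)].append(p)
    return {nt: ps for nt, ps in groups.items() if len(ps) > 1}
```

On a live system the entries would come from a directory walk using the `\\?\` verbatim prefix, since a normal DOS-path listing would itself be subject to the same stripping.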