MagicDot: A long-standing Windows issue gives Hackers Rootkit Powers

Father

SafeBreach research reveals serious risks in the way Windows converts file paths.

New research has found that the way the Windows operating system converts DOS paths to NT paths can be abused to hide files, impersonate directories and processes, and gain capabilities normally associated with rootkits. The findings were presented at the Black Hat Asia conference held in Singapore on April 16-19.

SafeBreach researcher Or Yair noted that whenever a Windows function takes a file or folder path as an argument, that path is converted from DOS format to NT format. This conversion has a known quirk: it removes trailing dots from every path element and trailing spaces from the last path element.

The issue, codenamed "MagicDot", gives rootkit-like capabilities even to unprivileged users, allowing attackers to carry out many malicious actions without administrator rights while remaining undetected.

Possible abuses include hiding files and processes, tampering with prefetch file analysis, making Task Manager and Process Explorer users believe that a malware file is a verified executable published by Microsoft, and completely disabling Process Explorer through a denial-of-service (DoS) vulnerability.
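The conversion rule described above, and the hiding and impersonation tricks it enables, as an added example that is not part of the original article or of SafeBreach's tooling. It is a pure-Python model of the rule exactly as the article states it (the real implementation in ntdll handles more cases than this), the function and constant names are the author's own, and the directory listing it scans is constructed:

```python
from typing import List, Tuple

# Added example, not SafeBreach's or Microsoft's code: a Python model of the
# DOS-to-NT conversion rule described in the article (trailing dots dropped from
# every path element, trailing spaces dropped from the last one), plus a scan
# that flags directory entries which only a \\?\ ("verbatim") path could have
# created. The rule is modelled from the text; Windows' real implementation in
# ntdll handles more cases than this.

NT_PREFIX = "\\??\\"         # NT object-manager prefix for DOS drive paths
VERBATIM_PREFIX = "\\\\?\\"  # Win32 prefix that bypasses path normalization


def dos_to_nt(dos_path: str) -> str:
    """Return the NT path that the modelled DOS-to-NT conversion would produce.

    Assumes a drive-letter absolute path such as C:\\Windows\\x. A path given
    with the \\\\?\\ prefix is passed through untouched, which is why an attacker
    can create names like "svchost.exe." or "Windows." in the first place.
    """
    if dos_path.startswith(VERBATIM_PREFIX):
        return NT_PREFIX + dos_path[len(VERBATIM_PREFIX):]

    elements = dos_path.split("\\")
    converted = []
    for index, element in enumerate(elements):
        # Trailing dots vanish from every element ...
        element = element.rstrip(".")
        # ... and trailing spaces (plus any dots they shielded) from the last one.
        if index == len(elements) - 1:
            element = element.rstrip(". ")
        converted.append(element)
    return NT_PREFIX + "\\".join(converted)


def collides(path_a: str, path_b: str) -> bool:
    """True if two different DOS paths end up opening the same NT object."""
    return path_a != path_b and dos_to_nt(path_a) == dos_to_nt(path_b)


def magicdot_suspects(raw_names: List[str]) -> List[Tuple[str, str]]:
    """Flag raw directory entry names that DOS-path tools cannot address as written.

    raw_names are names as an NT-level listing returns them (on Windows,
    os.listdir on a \\\\?\\-prefixed directory gives exactly that). An entry whose
    name changes under the conversion rule was necessarily created through a
    verbatim path and will be hidden from, or confused with, its clean twin
    by tools that use ordinary DOS paths.
    """
    suspects = []
    for name in raw_names:
        canonical = name.rstrip(". ")
        if canonical != name:
            suspects.append((name, canonical))
    return suspects


# Constructed sample listing (not taken from a real system): a benign directory
# plus entries an attacker could only have created via \\?\ paths.
SAMPLE_LISTING = [
    "Windows",
    "Windows.",          # impersonates C:\Windows in any DOS-path view
    "Program Files",
    "Program Files ",    # trailing space, same trick
    "notepad.exe",
    "svchost.exe.",      # resolves to "svchost.exe" once converted
]

if __name__ == "__main__":
    impostor = "C:\\Windows.\\System32\\svchost.exe."
    genuine = "C:\\Windows\\System32\\svchost.exe"
    print(dos_to_nt(impostor))              # \??\C:\Windows\System32\svchost.exe
    print(collides(impostor, genuine))      # True
    print(dos_to_nt(VERBATIM_PREFIX + impostor))  # \??\C:\Windows.\System32\svchost.exe.
    for raw, canonical in magicdot_suspects(SAMPLE_LISTING):
        print(f"suspect entry {raw!r} would be resolved as {canonical!r}")
```

On a Windows host the same scan can be pointed at a real directory by passing `os.listdir("\\\\?\\C:\\")` to `magicdot_suspects`, because the `\\?\` prefix makes the listing return entry names exactly as stored rather than normalized; any hit is a name that tools using ordinary DOS paths cannot open as written and may display under its shorter twin.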

The analysis yielded four security vulnerabilities, three of which Microsoft has already fixed:
  1. An elevation-of-privilege vulnerability that allows files to be deleted without the required permissions (no CVE has been assigned yet; Microsoft says it will be fixed in a future release).
  2. An elevation-of-privilege vulnerability that allows files to be written without the required permissions by tampering with the restoration of a previous version from a shadow copy (CVE-2023-32054, CVSS score: 7.3).
  3. A remote code execution vulnerability in which a specially crafted archive leads to code execution when its files are extracted to any location of the attacker's choosing (CVE-2023-36396, CVSS score: 7.8).
  4. A denial-of-service vulnerability affecting Process Explorer when a process is launched from an executable whose name is 255 characters long and has no file extension (CVE-2023-42757, CVSS score not yet assigned).

Yair stressed that the research shows clearly how seemingly harmless known issues can be turned into vulnerabilities that pose a serious security risk.

He also noted that the findings are relevant not only to Microsoft Windows but to all software vendors, most of whom likewise let known issues persist from one version to the next.