Windows “MagicDot” weakness allows unprivileged rootkit activity

A known issue associated with the DOS-NT path conversion process in Windows poses significant risks to businesses by allowing attackers to gain rootkit-like post-exploitation capabilities to hide and impersonate files, directories, and processes.

That’s according to Or Yair, security researcher at SafeBreach, who outlined the problem during a session at Black Hat Asia 2024 in Singapore this week. He also detailed four different vulnerabilities related to the issue, which he nicknamed “MagicDot,” including a dangerous remote code execution bug that can be triggered simply by extracting an archive.

Dots and spaces in path conversion from DOS to NT

The MagicDot problem group exists because of the way Windows converts DOS paths to NT paths.

When users open files or folders on their PCs, Windows references the path where the file exists; normally, this is a DOS path that follows the format “C:\Users\User\Documents\example.txt”. However, to actually perform the file open operation, a different underlying function called NtCreateFile is used, and NtCreateFile requires an NT path rather than a DOS path. Therefore, Windows converts the familiar DOS path visible to users into an NT path before calling NtCreateFile to carry out the operation.

The exploitable problem exists because, during the conversion process, Windows automatically removes any trailing periods from the DOS path, along with any trailing spaces. Therefore, DOS paths like these:

  • C:\example\example.

  • C:\example\example

are all converted to “\??\C:\example\example” as the NT path.

Yair found that this automatic deletion of characters could allow attackers to create specially crafted DOS paths that would be converted to NT paths of their choosing, which could then be used to render files unusable or to hide malicious content and activity.

Simulation of an unprivileged rootkit

The MagicDot issues first create the opportunity for a variety of post-exploitation techniques that help attackers maintain stealth on a machine.

For example, attackers can hide malicious content and prevent users, even administrators, from examining it. “By placing a simple trailing period at the end of a malicious filename or naming a file or directory with only periods and/or spaces, I could make all user-space programs that use the normal API inaccessible… users would not be able to read, write, erase or do anything else with them,” Yair explained during the session.

Later, in a related attack, Yair discovered that the technique could be used to hide files or directories within archive files.

“I simply terminated the name of a file in an archive with a period to prevent Explorer from listing or extracting it,” Yair said. “As a result, I managed to insert a malicious file into an innocent ZIP file – anyone who used Explorer to view and extract the contents of the archive was unable to see that the file existed inside.”

A third attack method involves disguising malicious content by impersonating legitimate file paths.

“If there was a harmless file called ‘benign,’ I could do it [use DOS-to-NT path conversion] to create a malicious file in the same directory [also named] benign,” the researcher explained, adding that the same approach could be used to impersonate even larger Windows folders and processes. “As a result, when a user reads the malicious file, the contents of the original harmless file will be returned,” without letting the victim realize that they were actually opening malicious content.

Taken together, manipulation of MagicDot paths can grant adversaries rootkit-like abilities without administrator privileges, explained Yair, who posted detailed technical notes about attack methods in tandem with the session.

“I found that I could hide files and processes, hide files in archives, influence the analysis of preload files, make Task Manager and Process Explorer users believe that a malware file was a verified executable published by Microsoft, disable Process Explorer with a denial of service (DoS) vulnerability and more,” he said, all without administrator privileges or the ability to execute code in the kernel and without intervention in the chain of API calls that retrieve information.

“It is important that the cybersecurity community recognizes this risk and considers developing techniques and rules for detecting unprivileged rootkits,” he warned.

A set of “MagicDot” vulnerabilities

During his research into the MagicDot paths, Yair also managed to discover four different vulnerabilities related to the underlying issue, three of which have been fixed by Microsoft.

A remote code execution (RCE) vulnerability (CVE-2023-36396, CVSS 7.8) in the new Windows extraction logic for all newly supported archive types allows attackers to create a malicious archive that, once extracted, would be written anywhere they choose on a remote computer, leading to code execution.


“Basically, let’s say you upload an archive to your GitHub repository advertising it as a cool tool available for download,” Yair tells Dark Reading. “And when the user downloads it, it’s not an executable, they just extract the archive, which is considered a completely safe action with no security risks. But now the extraction itself is capable of running code on your computer, and this is seriously wrong and very dangerous.”

A second bug is an elevation of privilege (EoP) vulnerability (CVE-2023-32054, CVSS 7.3) that allows attackers to write to files without privileges by manipulating the process of restoring a previous version from a shadow copy.

The third bug is the Process Explorer unprivileged denial-of-service (DoS) anti-analysis bug, for which CVE-2023-42757 has been reserved, with details to follow. And the fourth bug, also an EoP issue, allows unprivileged attackers to delete files. Microsoft confirmed that the flaw led to “unexpected behavior,” but has not yet released a CVE or fix to address it.

“I create a folder inside the demo folder called… and inside I write a file called c.txt,” Yair explained. “So when an administrator tries to delete the folder…the entire demo folder is deleted instead.”

Potentially wider “MagicDot” ramifications

Although Microsoft has addressed the specific vulnerabilities Yair reported, the automatic removal of periods and spaces in DOS-to-NT path conversion persists, even though it is the root cause of the vulnerabilities.

“This means there could be many more potential vulnerabilities and post-exploitation techniques to discover using this issue,” the researcher warns. “This problem still exists and can lead to many more problems and vulnerabilities, which can be much more dangerous than we are aware of.”

He adds that the problem has ramifications beyond Microsoft.

“We believe the implications are relevant not only to Microsoft Windows, which is the most widely used desktop operating system in the world, but also to all software vendors, most of which also allow known issues to persist from version to version of their software,” he warned.

In the meantime, he noted, software developers can make their code more resistant to these types of vulnerabilities by using NT paths rather than DOS paths.

“Most high-level API calls in Windows support NT paths,” Yair said. “Using NT paths avoids the conversion process and ensures that the path provided is the same one that is actually used.”

For enterprises, security teams should create detections that look for unexpected trailing periods and spaces within file paths.

“There are fairly simple detections you can develop for these, to look for files or directories which have trailing dots or spaces, because if you find them on your computer, it means someone did it on purpose, because it’s not that easy to do,” explains Yair. “Normal users can’t just create a file that ends with a period or a space; Microsoft will prevent this. Attackers will have to use a lower API which is closer to the kernel and will need some experience to achieve this.”
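The following is an added example, not code from SafeBreach or Microsoft. It models the trailing-dot/space stripping described in the path-conversion section above in simplified form (only the final component is normalized, then the \??\ prefix is added), shows how distinct DOS paths collapse onto one NT path, and implements the detection Yair recommends: flagging directory entries whose names end in a period or space. The sample paths and directory listing are constructed, and the detector assumes its input comes from an NT-path enumeration that preserves such names.

```python
import re

NT_PREFIX = "\\??\\"


def dos_to_nt(dos_path: str) -> str:
    """Simplified model of DOS->NT conversion as the article describes it:
    trailing periods and spaces on the final component are dropped and the
    \\??\\ device prefix is prepended. (Assumption: real conversion also
    handles drive/UNC forms not modelled here.)"""
    head, sep, tail = dos_path.rpartition("\\")
    return NT_PREFIX + head + sep + tail.rstrip(". ")


def collisions(dos_paths):
    """Group DOS paths by the NT path they convert to. Any group with more
    than one member is a spot where one name can shadow or hide another."""
    groups = {}
    for path in dos_paths:
        groups.setdefault(dos_to_nt(path), []).append(path)
    return {nt: paths for nt, paths in groups.items() if len(paths) > 1}


# A name ending in '.' or ' ' cannot be created through the normal DOS-path
# API, so its presence in a directory listing is the indicator to alert on.
TRAILING_DOT_OR_SPACE = re.compile(r"[. ]$")


def flag_entries(entry_names):
    """Return the directory entry names that end with a period or space.
    Input is assumed to be raw names from an NT-path (\\\\?\\) enumeration,
    which preserves such names instead of normalizing them away."""
    return [name for name in entry_names if TRAILING_DOT_OR_SPACE.search(name)]


if __name__ == "__main__":
    # Constructed sample: the two DOS paths from the article plus a control.
    sample_paths = ["C:\\example\\example.", "C:\\example\\example",
                    "C:\\example\\other.txt"]
    for nt, paths in collisions(sample_paths).items():
        print(f"{nt!r} is reached by {paths}")

    # Constructed directory listing as an NT-path enumeration would return it.
    listing = ["benign", "benign.", "readme.txt", "update.exe ", "..."]
    print("suspicious entries:", flag_entries(listing))
```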
