Cyber security news for all


    Investigating Windows Flaws That Give Attackers Rootkit-Like Capabilities

    Recent research shows that the conversion of DOS paths to NT paths in Windows can be abused by attackers to gain rootkit-like capabilities, allowing them to hide and impersonate files, directories, and processes.

    “In Windows, when a user executes a function with a path argument, the DOS path of the file or folder is transformed into an NT path,” SafeBreach security researcher Or Yair said in an analysis presented at the Black Hat Asia conference.

    “Throughout this conversion process, a recognized flaw emerges wherein the function eradicates trailing dots from any path component and trailing spaces from the final path component. This operation is executed by most user-space APIs in Windows.”

    Dubbed MagicDot paths, these names give any unprivileged user rootkit-like capabilities: an attacker can use them to carry out a range of malicious actions without administrative privileges while evading detection.

    These capabilities include the ability to “conceal files and processes, conceal files within archives, influence prefetch file analysis, mislead Task Manager and Process Explorer users into believing that a malware file is a verified executable released by Microsoft, incapacitate Process Explorer via a denial-of-service (DoS) vulnerability, and more.”
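    As an added illustration (not code from SafeBreach's research or from Windows itself), the following Python models the two trimming rules quoted above and applies them the way a defender would: it flags file names whose DOS form and NT form differ, and it groups names that collapse to the same NT path, which is the situation behind the hiding and impersonation described above. The sample paths are constructed; `dos_to_nt`, `magicdot_suspects` and `nt_collisions` are this example's own names, and the model covers only the trimming rules, not the rest of Windows' path conversion.

```python
from collections import defaultdict
from typing import Dict, List


def dos_to_nt(path: str) -> str:
    """Model of the trimming step described in the article (an assumption, not
    the Windows implementation): trailing dots are removed from every path
    component, and trailing spaces (together with trailing dots) from the
    final component. Drive prefixes and relative paths are not modelled."""
    parts = path.split("\\")
    trimmed = []
    for i, component in enumerate(parts):
        if i == len(parts) - 1:
            component = component.rstrip(" .")   # final component: spaces and dots
        else:
            component = component.rstrip(".")    # inner components: dots only
        trimmed.append(component)
    return "\\".join(trimmed)


def magicdot_suspects(paths: List[str]) -> List[str]:
    """Paths whose on-disk (NT) name is not what a DOS-path API would open;
    these are the names a defender wants to surface during triage."""
    return [p for p in paths if dos_to_nt(p) != p]


def nt_collisions(paths: List[str]) -> Dict[str, List[str]]:
    """Group paths by their trimmed form and keep groups with more than one
    member: distinct files that DOS-path callers cannot tell apart."""
    groups: Dict[str, List[str]] = defaultdict(list)
    for p in paths:
        groups[dos_to_nt(p)].append(p)
    return {nt: dos for nt, dos in groups.items() if len(dos) > 1}


# Constructed sample listing (not real artifacts); raw strings keep the backslashes.
SAMPLE_PATHS = [
    r"C:\Windows\System32\svchost.exe",
    r"C:\Users\alice\Downloads\svchost.exe.",    # trailing dot on the file name
    r"C:\Users\alice\Downloads\report.docx",
    r"C:\Users\alice\Downloads\report.docx  ",   # trailing spaces on the file name
    r"C:\temp\dir.\notes.txt",                   # trailing dot on a directory component
]

if __name__ == "__main__":
    for p in magicdot_suspects(SAMPLE_PATHS):
        print(f"suspect: {p!r} -> DOS-path callers open {dos_to_nt(p)!r}")
    for nt, dos in nt_collisions(SAMPLE_PATHS).items():
        print(f"collision on {nt!r}: {dos}")
```

    Run against the sample, the check reports the three names whose DOS and NT forms differ and the one pair that collapses to the same path. The same functions can be run over a listing gathered with NT-style enumeration, but because only the trimming rules are modelled it is a triage aid, not a substitute for the patches Microsoft has shipped.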

    The underlying flaw in the DOS-to-NT path conversion also led to four security vulnerabilities, three of which Microsoft has since patched:

    - An elevation of privilege (EoP) deletion vulnerability that allows deleting files without the required privileges (to be fixed in a forthcoming release)
    - An elevation of privilege (EoP) write vulnerability that allows writing into files without the required privileges by interfering with the restoration of a previous version from a volume shadow copy (CVE-2023-32054, CVSS score: 7.3)
    - A remote code execution (RCE) vulnerability that allows a specially crafted archive to be created which leads to code execution when its files are extracted to any location chosen by the attacker (CVE-2023-36396, CVSS score: 7.8)
    - A denial-of-service (DoS) vulnerability in Process Explorer, triggered when a process is launched with an executable name of 255 characters and no file extension (CVE-2023-42757)

    “This research marks the inaugural exploration into how seemingly innocuous known issues can be exploited to birth vulnerabilities and, ultimately, present a substantial security hazard,” Yair said.

    “We contend that the ramifications extend not only to Microsoft Windows, the preeminent desktop OS globally, but also to all software vendors, the majority of whom permit known issues to persist across iterations of their software.”
