MagicDot vulnerabilities in Windows open the way for rootkits

Malformed DOS paths in Windows file naming can be used to hide malicious content, files and processes. Or Yair, a researcher at SafeBreach, identified a problem in the way Windows converts a DOS path into its NT form.

Attackers gain rootkit-like capabilities to hide their malicious activity, which poses a serious risk to organisations.

Or Yair focused on four vulnerabilities tied to this problem, which he named "MagicDot". The MagicDot family of issues exists because Windows converts DOS paths into NT paths before using them.

For a user to open a file or folder on their computer, Windows uses the path at which the file exists. This is usually the DOS path, written in the familiar form "C:\Users\User\Documents\example.txt". The open operation itself, however, is performed by a lower-level function, NtCreateFile, which expects an NT path rather than a DOS path. Windows therefore converts the user-visible DOS path into an NT path before calling NtCreateFile.

During this conversion Windows silently strips trailing dots and trailing spaces from the DOS path, and that is where the problem arises.

DOS paths such as the following:
C:\example\example.
C:\example\example..
C:\example\example<trailing space>

are all converted to the same NT path, "\??\C:\example\example".
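Here is an added example (not code from the article or from SafeBreach) that models the trimming just described in Python, so the collisions can be reproduced offline without a Windows box. The `dos_to_nt` and `collisions` functions and the sample paths are assumptions of this example; the rules implemented are Microsoft's documented Win32 path-normalization rules (every trailing period and space removed from the final component, a single trailing period removed from an intermediate component), not a reimplementation of RtlDosPathNameToNtPathName, and 8.3 names, UNC paths, device names and relative segments are out of scope.

```python
# Added example (not code from the article or from SafeBreach): a model of the
# trailing-dot/trailing-space trimming that Win32 DOS-to-NT path conversion
# performs, used to show which distinct DOS paths reach NtCreateFile as the
# same NT path. Only drive-letter paths are modelled; 8.3 names, UNC paths,
# device names and relative segments are out of scope. Rules follow Microsoft's
# documented path normalization: the final component loses every trailing
# period and space, an intermediate component loses a single trailing period.
from collections import defaultdict
from typing import Dict, Iterable, List

NT_PREFIX = "\\??\\"          # NT object-manager prefix for DOS device names


def _trim_component(component: str, is_last: bool) -> str:
    """Apply the trimming Windows performs on one path component."""
    if component in (".", ".."):
        return component          # relative segments, not modelled here
    if is_last:
        return component.rstrip(". ")
    if component.endswith(".") and not component.endswith(".."):
        return component[:-1]
    return component


def dos_to_nt(dos_path: str) -> str:
    """Convert C:\\dir\\name (DOS form) to \\??\\C:\\dir\\name (NT form)."""
    if len(dos_path) < 3 or not dos_path[0].isalpha() or dos_path[1] != ":":
        raise ValueError("expected an absolute drive-letter path")
    drive, rest = dos_path[:2], dos_path[2:].replace("/", "\\")
    components = [c for c in rest.split("\\") if c != ""]
    trimmed = [
        _trim_component(c, i == len(components) - 1)
        for i, c in enumerate(components)
    ]
    # A final component made only of dots/spaces trims to "", so the NT path
    # ends in "\" and names the parent directory rather than the file.
    return NT_PREFIX + drive + "\\" + "\\".join(trimmed)


def collisions(dos_paths: Iterable[str]) -> Dict[str, List[str]]:
    """Group DOS paths that are distinct as typed but identical after conversion."""
    groups: Dict[str, List[str]] = defaultdict(list)
    for path in dos_paths:
        groups[dos_to_nt(path)].append(path)
    return {nt: paths for nt, paths in groups.items() if len(paths) > 1}


if __name__ == "__main__":
    # Constructed sample paths: the article's three variants, a dots-only name,
    # and the benign/benign. pair used for impersonation.
    samples = [
        "C:\\example\\example",
        "C:\\example\\example.",
        "C:\\example\\example..",
        "C:\\example\\example ",
        "C:\\example\\...",
        "C:\\example\\benign",
        "C:\\example\\benign.",
    ]
    for path in samples:
        print(f"{path!r:30} -> {dos_to_nt(path)!r}")
    for nt_path, paths in collisions(samples).items():
        print(f"{nt_path!r} is reached by {len(paths)} different DOS paths: {paths}")
```

Running the block prints each sample next to its NT form and reports that "example", "example.", "example.." and "example " all collapse onto "\??\C:\example\example", while a name made only of dots trims to nothing and lands on the parent directory. That collapse is also what makes a "benign"/"benign." pair interchangeable from the DOS side: a file whose name really ends in a dot can only be created or opened through the NT path, and any DOS-path access to it is redirected to "benign".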

Or Yair pointed out that this automatic character removal lets attackers craft DOS paths that are converted into NT paths of their choosing, in order to hide malicious content or actions, or to render files unusable.

The MagicDot issues enable a number of post-exploitation techniques that let intruders stay hidden.

The researcher said that by simply ending a malicious file's name with a dot, or by naming a file or directory using only dots and/or spaces, an attacker can make it inaccessible to every program that uses the normal Win32 API, so that neither the user nor the administrator can read, write or delete it.

In his session, Yair added that the technique can also be used to hide files or directories inside archives: it is enough for a file name inside the archive to end with a dot, and Explorer can neither view nor extract it.

The third attack method involves disguising malicious content as legitimate file paths.

The specialist explained that if a harmless file named "benign" exists in a directory, an attacker can use the DOS-to-NT path conversion to also place a malicious file with the same name, plus a trailing dot, in that directory.

This approach can be used to impersonate folders and even Windows processes. As a result, when a user reads the malicious file through a normal DOS path, the contents of the original harmless file are returned instead, and the victim has no idea that the file they examined actually holds malicious content.

The researcher reported that these MagicDot path manipulations can give attackers rootkit-like capabilities without administrator rights and without tampering with the API call chain.

Attackers gain the ability to hide files and processes, hide files inside archives, influence the analysis of prefetch files, make Task Manager and Process Explorer users believe that a malware file is a verified executable published by Microsoft, crash Process Explorer through a denial-of-service (DoS) vulnerability, and much more.

Or Yair stressed the seriousness of the threat and reminded the security community of the importance of developing methods and rules for detecting unprivileged rootkits.

In the course of his MagicDot research, security researcher Or Yair discovered four distinct vulnerabilities stemming from the core problem. Three of them have already been fixed.

The remote code execution (RCE) vulnerability (CVE-2023-36396, CVSS 7.8) in Windows' new archive extraction logic, which covers all the newly supported archive types, lets an attacker craft a malicious archive that, when extracted, writes a file to a location of the attacker's choosing on the victim's computer, leading to code execution.

In an interview with Dark Reading, Or Yair said that, for example, a user downloads an archive from GitHub, which is not an executable, and extracts it, an action considered completely safe; but now the extraction itself can run code on the computer.

The next bug is an elevation of privilege (EoP) vulnerability (CVE-2023-32054, CVSS 7.3) that lets an unprivileged attacker write to files by manipulating the process of restoring a previous version from a shadow copy.

The third is an unprivileged denial-of-service (DoS) against Process Explorer, an anti-analysis technique for which CVE-2023-42757 has been reserved.

The last bug, also an EoP issue, lets unprivileged attackers delete files. Microsoft has confirmed that the vulnerability exists but has not yet fixed it.

Microsoft fixed the vulnerabilities the researcher reported, but the automatic removal of trailing dots and spaces during DOS-to-NT path conversion, the root cause, remains in place.

Or Yair explained that this leaves room for new vulnerabilities and post-exploitation techniques to be discovered, potentially far more dangerous than the current ones.

The problem is relevant not only to Microsoft but to all software vendors.

He recommended that software developers use NT paths rather than DOS paths, since these bypass the conversion step and guarantee that the path supplied is the path actually used.

In enterprises, security teams should build detections for trailing dots and spaces in file paths, since normal Win32 programs cannot create such names.
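The following is an added example (not from the article or from SafeBreach) of such a detection. The Sysmon-style `Image=`/`TargetFilename=` event layout, the `scan_events` and `check_path` names and the sample events are all assumptions of this example. It also shows the Win32 verbatim prefix (`\\?\`), which hands a path to NtCreateFile without normalization; that is the form a responder needs to open or delete a flagged file, and the form developers can use to follow the NT-path advice above.

```python
# Added example (not from the article or SafeBreach): a detection that flags
# file names which can only exist because they bypassed Win32 path
# normalization, i.e. names with a trailing dot or space, or made only of
# dots/spaces. The event lines are constructed here in a Sysmon-like key=value
# layout as an assumption about the log format; adapt the parser to your source.
import re
from typing import Iterable, List, Optional, Tuple

# key=value pairs; a value runs until the next " key=" or the end of the line,
# so a trailing space in the last value is preserved.
_FIELD = re.compile(r"(\w+)=(.*?)(?= \w+=|$)")


def suspicious_component(name: str) -> Optional[str]:
    """Reason a single path component is a MagicDot-style name, or None."""
    if name in (".", ".."):
        return None                      # ordinary relative segments
    if name and set(name) <= {".", " "}:
        return "name consists only of dots/spaces"
    if name.endswith((".", " ")):
        return "trailing dot or space"
    return None


def check_path(path: str) -> Optional[str]:
    """Return the first reason found in any component of the path, else None."""
    body = path
    for prefix in ("\\\\?\\", "\\??\\"):   # the prefixes themselves are not a finding
        if body.startswith(prefix):
            body = body[len(prefix):]
            break
    for component in body.replace("/", "\\").split("\\"):
        reason = suspicious_component(component)
        if reason:
            return reason
    return None


def scan_events(lines: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Parse key=value event lines; return (Image, TargetFilename, reason) hits."""
    hits = []
    for line in lines:
        fields = dict(_FIELD.findall(line))
        target = fields.get("TargetFilename", "")
        reason = check_path(target)
        if reason:
            hits.append((fields.get("Image", "?"), target, reason))
    return hits


def verbatim_path(dos_path: str) -> str:
    """Win32 verbatim form (\\\\?\\ prefix): passed through without normalization."""
    return "\\\\?\\" + dos_path


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    "EventID=11 Image=C:\\Windows\\explorer.exe TargetFilename=C:\\Users\\alice\\Documents\\report.docx",
    "EventID=11 Image=C:\\Users\\alice\\Downloads\\setup.exe TargetFilename=C:\\Users\\alice\\AppData\\Local\\Temp\\svchost.exe.",
    "EventID=11 Image=C:\\Users\\alice\\Downloads\\setup.exe TargetFilename=C:\\ProgramData\\...\\payload.dll",
    "EventID=11 Image=C:\\Windows\\System32\\svchost.exe TargetFilename=C:\\Windows\\Prefetch\\NOTEPAD.EXE-D8414F97.pf",
]

if __name__ == "__main__":
    for image, target, reason in scan_events(SAMPLE_EVENTS):
        print(f"ALERT {reason}: {target!r} created by {image}")
    # Opening or deleting a flagged file for analysis needs the un-normalized form:
    print(verbatim_path("C:\\Users\\alice\\AppData\\Local\\Temp\\svchost.exe."))
```

Run against the constructed events, the scan flags the "svchost.exe." drop and the "..." directory and ignores the legitimate document and prefetch writes. Because Win32 callers cannot create these names, a hit is a strong signal that a process is deliberately using NT or verbatim paths; the rule is cheap enough to apply to file-create, process-create and archive-listing telemetry alike.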