Researchers Uncover Windows Flaws Granting Hackers Rootkit-Like Powers

Apr 22, 2024 | Newsroom | Rootkit / Software Security

New research has found that the DOS-to-NT path conversion process could be exploited by threat actors to gain rootkit-like capabilities to conceal and impersonate files, directories, and processes.

“When a user executes a function that has a path argument in Windows, the DOS path at which the file or folder exists is converted to an NT path,” SafeBreach security researcher Or Yair said in an analysis, which was presented at the Black Hat Asia conference last week.

“During this conversion process, a known issue exists in which the function removes trailing dots from any path element and any trailing spaces from the last path element. This action is completed by most user-space APIs in Windows.”

These so-called MagicDot paths allow for rootkit-like functionality that is accessible to any unprivileged user, who could then weaponize them to carry out a series of malicious actions without having admin permissions and remain undetected.
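A small model of the trailing-dot and trailing-space stripping described above, added here as an illustration and not code from SafeBreach or Microsoft. SAMPLE_ENTRIES is a constructed directory listing, and the handling of mixed dot/space runs in the last element is an assumption; the point is that tooling which enumerates raw NT names can flag entries that collapse onto another name once normalised, which is exactly the property a hidden or impersonating file relies on.

```python
from collections import defaultdict

# Constructed sample of raw NT-level names in one directory, as a tool that
# enumerates with NT APIs would see them (not data from the article).
SAMPLE_ENTRIES = [
    "calc.exe",
    "calc.exe.",        # same DOS name as calc.exe once the dot is stripped
    "report.docx",
    "report.docx ",     # trailing space, unreachable through a DOS path
    "notes.txt",
]


def normalize_dos_to_nt(path: str) -> str:
    """Strip trailing dots from every element and trailing spaces from the
    last element, following the conversion behaviour the article describes.
    Treating mixed runs of dots and spaces in the last element as one strip
    is an assumption. '.' and '..' are left alone because Windows resolves
    them as navigation before this stripping applies."""
    parts = path.split("\\")
    last = len(parts) - 1
    out = []
    for i, p in enumerate(parts):
        if p in (".", ".."):
            out.append(p)
        elif i == last:
            out.append(p.rstrip(". "))
        else:
            out.append(p.rstrip("."))
    return "\\".join(out)


def find_magicdot_names(entries):
    """Names that change under normalisation: files that ordinary DOS-path
    APIs cannot address and that therefore deserve a closer look."""
    return [e for e in entries if normalize_dos_to_nt(e) != e]


def find_collisions(entries):
    """Group raw names by normalised form; groups with more than one member
    are names that user-space tools would display identically."""
    groups = defaultdict(list)
    for e in entries:
        groups[normalize_dos_to_nt(e)].append(e)
    return {k: v for k, v in groups.items() if len(v) > 1}


if __name__ == "__main__":
    for name in find_magicdot_names(SAMPLE_ENTRIES):
        print(f"unaddressable via DOS path: {name!r}")
    for shown, raw in find_collisions(SAMPLE_ENTRIES).items():
        print(f"{shown!r} stands for {len(raw)} distinct NT names: {raw}")
```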


They include the ability to “hide files and processes, hide files in archives, affect prefetch file analysis, make Task Manager and Process Explorer users think a malware file was a verified executable published by Microsoft, disable Process Explorer with a denial of service (DoS) vulnerability, and more.”


The underlying issue within the DOS-to-NT path conversion process has also led to the discovery of four security shortcomings, three of which have since been addressed by Microsoft –

  • An elevation of privilege (EoP) deletion vulnerability that could be used to delete files without the required privileges (to be fixed in a future release)
  • An elevation of privilege (EoP) write vulnerability that could be used to write into files without the required privileges by tampering with the restoration process of a previous version from a volume shadow copy (CVE-2023-32054, CVSS score: 7.3)
  • A remote code execution (RCE) vulnerability that could be used to create a specially crafted archive, which could lead to code execution when extracting the files to any location of the attacker’s choice (CVE-2023-36396, CVSS score: 7.8)
  • A denial-of-service (DoS) vulnerability impacting Process Explorer when launching a process with an executable whose name is 255 characters long and has no file extension (CVE-2023-42757)

“This research is the first of its kind to explore how known issues that appear to be harmless can be exploited to develop vulnerabilities and, ultimately, pose a significant security risk,” Yair explained.

“We believe the implications are relevant not only to Microsoft Windows, which is the world’s most widely used desktop OS, but also to all software vendors, most of whom also allow known issues to persist from version to version of their software.”
