'MagicDot' Windows Weakness Allows Unprivileged Rootkit Activity

BLACK HAT ASIA – Singapore – A known issue associated with the DOS-to-NT path conversion process in Windows opens up significant risk for businesses by allowing attackers to gain rootkit-like post-exploitation capabilities to conceal and impersonate files, directories, and processes.

That’s according to Or Yair, security researcher at SafeBreach, who outlined the issue during a session here this week. He also detailed four different vulnerabilities related to the issue, which he dubbed "MagicDot” – including a dangerous remote code-execution bug that can be triggered simply by extracting an archive.

Dots and Spaces in DOS-to-NT Path Conversion

The MagicDot group of problems exists thanks to the way that Windows changes DOS paths to NT paths.

When users open files or folders on their PCs, Windows accomplishes this by referencing the path where the file exists; normally, that’s a DOS path that follows the “C:\Users\User\Documents\example.txt” format. However, a different underlying function called NtCreateFile is used to actually perform the operation of opening the file, and NtCreateFile asks for an NT path and not a DOS path. Thus, Windows converts the familiar DOS path visible to users into an NT path, prior to calling NtCreateFile to enable the operation.

The exploitable problem exists because, during the conversion process, Windows automatically removes all periods from the DOS path, along with any extra spaces at the end. Thus, DOS paths such as these:

  • C:\example\example.

  • C:\example\example...

  • C:\example\example    

are all converted to “\??\C:\example\example” as an NT path.

Yair discovered that this automatic stripping out of erroneous characters could allow attackers to create specially crafted DOS paths that would be converted to NT paths of their choice, which could then be used to either render files unusable or to conceal malicious content and activities.

Simulating an Unprivileged Rootkit

First and foremost, the MagicDot problems create the opportunity for a range of post-exploitation techniques that help attackers already on a machine maintain stealth.

For instance, it’s possible to lock up malicious content and prevent users, even admins, from examining it. “By placing a simple trailing dot at the end of a malicious file name or by naming a file or a directory with dots and/or spaces only, I could make all user-space programs that use the normal API inaccessible to them … users would not be able to read, write, delete, or do anything else with them,” Yair explained in the session.

In a related attack, Yair then found that the technique could be used to hide files or folders inside archive files.

“I simply ended a file name in an archive with a dot to prevent Explorer from listing or extracting it,” Yair said. “As a result, I was able to place a malicious file inside an innocent zip — whoever used Explorer to view and extract the archive contents was unable to see that file existed inside.”

A third attack method involves masking malicious content by impersonating legitimate file paths.

“If there was a harmless file called ‘benign,’ I was able to [use DOS-to-NT path conversion] to create a malicious file in the same directory [also named] benign,” he explained, adding that the same approach could be used to impersonate folders and even broader Windows processes. “As a result, when a user reads the malicious file, the content of the original harmless file would be returned instead,” leaving the victim none the wiser that they were actually opening malicious content.

Taken together, MagicDot path manipulation can give adversaries rootkit-like capabilities without admin privileges, explained Yair, who released detailed technical notes on the attack methods alongside the session.

“I found I could hide files and processes, hide files in archives, affect prefetch file analysis, make Task Manager and Process Explorer users think a malware file was a verified executable published by Microsoft, disable Process Explorer with a denial of service (DoS) vulnerability, and more,” he said — all without admin privileges or the ability to run code in the kernel, and without intervention in the chain of API calls that retrieve information.

“It is important that the cybersecurity community recognizes this risk and considers developing unprivileged rootkit detection techniques and rules,” he warned.

A Series of “MagicDot” Vulnerabilities

In the course of his research into MagicDot paths, Yair also managed to uncover four different vulnerabilities related to the underlying issue, three of which have since been fixed by Microsoft.

One remote code execution (RCE) vulnerability (CVE-2023-36396, CVSS 7.8) in Windows’ new extraction logic for all newly supported archive types allows attackers to craft a malicious archive that, once extracted, will write wherever they choose on a remote computer, leading to code execution.

“Basically, let’s say you upload an archive to your GitHub repository advertising it as a cool tool that can be downloaded,” Yair tells Dark Reading. “And when the user downloads it, it’s not an executable, you just extract the archive, which is considered a completely safe action with no security risks. But now the extraction itself is able to run code on your computer, and that is seriously wrong and very dangerous.”

A second flaw is an elevation-of-privilege (EoP) vulnerability (CVE-2023-32054, CVSS 7.3) that allows attackers to write into files without privileges by manipulating the process of restoring a previous version from a shadow copy.

The third bug is an unprivileged denial-of-service (DoS) in Process Explorer that can be used for anti-analysis, for which CVE-2023-42757 has been reserved, with details to follow. And the fourth bug, also an EoP issue, allows unprivileged attackers to delete files. Microsoft confirmed that the flaw led to “unexpected behavior” but hasn’t yet issued a CVE or a fix for it.

“I create a folder inside the demo folder called …<space> and inside, I write a file named c.txt,” Yair explained. “Then when an administrator attempts to delete the …<space> folder, the entire demo folder is deleted instead.”

Potentially Wider “MagicDot” Ramifications

While Microsoft addressed Yair’s specific vulnerabilities, the DOS-to-NT path conversion auto-stripping of periods and spaces persists, even though that’s the root cause of the vulnerabilities.

“That means there might be many more potential vulnerabilities and post-exploitation techniques to find using this issue,” the researcher tells Dark Reading. “This issue still exists and can lead to many more issues and vulnerabilities, which can be much more dangerous than the ones we know about.”

He adds that the problem has implications beyond Microsoft.

“We believe the implications are relevant not only to Microsoft Windows, which is the world’s most widely used desktop OS, but also to all software vendors, most of whom also allow known issues to persist from version to version of their software,” he warned in his presentation.

In the meantime, software developers can make their code safer against these types of vulnerabilities by using NT paths instead of DOS paths, he noted.

“Most high-level API calls in Windows support NT paths,” Yair said in his presentation. “Using NT paths avoids the conversion process and ensures the provided path is the same path that is being actually operated on.”

For enterprises, security teams should build detections that look for rogue dots and spaces within file paths.

“There are pretty easy detections that you can develop for these, to look for files or directories that have trailing dots or spaces in them, because if you find those on your computer, it means that someone did it on purpose, because it’s not that easy to do,” Yair tells Dark Reading. “Normal users can’t just create a file that ends with a dot or space; Microsoft will prevent that. Attackers will need to use a lower-level API that is closer to the kernel and will need some expertise to achieve this.”
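The two points above, the trailing-dot/space stripping described in the conversion section and the detection Yair recommends, can be illustrated together. The following is an added example, not code from the article or from SafeBreach: `dos_to_nt` is a simplified model of the stripping behaviour described (not Windows’ real conversion routine), and the name-check regex is the detection rule the quote suggests.

```python
import os
import re
import sys

# Simplified model of the conversion the article describes: trailing dots
# and spaces on the final component are dropped and the path gets the \??\
# prefix. This is an illustration, NOT Windows' actual implementation.
def dos_to_nt(dos_path: str) -> str:
    head, sep, last = dos_path.rpartition("\\")
    return "\\??\\" + head + sep + last.rstrip(". ")

# Detection rule from the article: a name that ends with a dot or a space,
# or consists only of dots and/or spaces, cannot be created through the
# normal Win32 API, so its presence indicates deliberate use of a lower API.
SUSPICIOUS_NAME = re.compile(r"^[. ]+$|[. ]$")

def is_magicdot_name(name: str) -> bool:
    return bool(SUSPICIOUS_NAME.search(name))

def scan_names(names):
    """Return the entries of a directory listing that match the rule."""
    return [n for n in names if is_magicdot_name(n)]

def find_collisions(dos_paths):
    """Group DOS paths that normalise to the same NT path (impersonation)."""
    groups = {}
    for p in dos_paths:
        groups.setdefault(dos_to_nt(p), []).append(p)
    return {nt: ps for nt, ps in groups.items() if len(ps) > 1}

def scan_directory(path: str):
    """Scan a real directory. On Windows the \\\\?\\ prefix (assumption:
    extended-length path syntax) bypasses normalisation so such names are
    listed as stored; elsewhere the path is used as-is."""
    if os.name == "nt" and not path.startswith("\\\\?\\"):
        path = "\\\\?\\" + os.path.abspath(path)
    with os.scandir(path) as it:
        return scan_names([e.name for e in it])

# Constructed sample listing (not taken from the article's demo).
SAMPLE_NAMES = ["benign", "benign.", "report.docx", "...  ", "c.txt", "notes "]

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else None
    hits = scan_directory(target) if target else scan_names(SAMPLE_NAMES)
    for h in hits:
        print("suspicious name:", repr(h))
    print(find_collisions(["C:\\demo\\benign", "C:\\demo\\benign."]))
```

Run with a directory argument to check a live listing; without one it evaluates the constructed sample.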
