'MagicDot' Windows Weakness Allows Unprivileged Rootkit Activity

Malformed DOS paths in file-naming nomenclature in Windows could be used to conceal malicious content, files, and processes.

Colorful abstract illustrated design of dots
Source: Robert Adrian Hillman via Alamy Stock Vector

BLACK HAT ASIA – Singapore – A known issue associated with the DOS-to-NT path conversion process in Windows opens up significant risk for businesses by allowing attackers to gain rootkit-like post-exploitation capabilities to conceal and impersonate files, directories, and processes.

That's according to Or Yair, security researcher at SafeBreach, who outlined the issue during a session here this week. He also detailed four different vulnerabilities related to the issue, which he dubbed "MagicDot" - including a dangerous remote code-execution bug that can be triggered simply by extracting an archive.

Dots & Spaces in DOS-to-NT Path Conversion

The MagicDot group of problems exist thanks to the way that Windows changes DOS paths to NT paths.

When users open files or folders on their PCs, Windows accomplishes this by referencing the path where the file exists; normally, that's a DOS path that follows the "C:\Users\User\Documents\example.txt" format. However, a different underlying function called NtCreateFile is used to actually perform the operation of opening the file, and NtCreateFile asks for an NT path and not a DOS path. Thus, Windows converts the familiar DOS path visible to users into an NT path, prior to calling NtCreateFile to enable the operation.

The exploitable problem exists because, during the conversion process, Windows automatically removes any periods from the DOS path, along with any extra spaces at the end. Thus, DOS paths like these:

  • C:\example\example.   

  • C:\example\example… 

  • C:\example\example<space>    

are all converted to "\??\C:\example\example" as an NT path.

Yair discovered that this automatic stripping out of erroneous characters could allow attackers to create specially crafted DOS paths that would be converted to NT paths of their choice, which could then be used to either render files unusable or to conceal malicious content and activities.

Simulating an Unprivileged Rootkit

The MagicDot issues first and foremost create the opportunity for a number of post-exploitation techniques that help attackers on a machine maintain stealth.

For instance, it's possible to lock up malicious content and prevent users, even admins, from examining it. "By placing a simple trailing dot at the end of a malicious file name or by naming a file or a directory with dots and/or spaces only, I could make all user-space programs that use the normal API inaccessible to them ... users would not be able to read, write, delete, or do anything else with them," Yair explained in the session.

Then, in a related attack, Yair found that the technique could be used to hide files or directories within archive files.

"I simply ended a file name in an archive with a dot to prevent Explorer from listing or extracting it," Yair said. "As a result, I was able to place a malicious file inside an innocent zip — whoever used Explorer to view and extract the archive contents was unable to see that file existed inside."

A third attack method involves masking malicious content by impersonating legitimate file paths.

"If there was a harmless file called 'benign,' I was able to [use DOS-to-NT path conversion] to create a malicious file in the same directory [also named] benign," he explained, adding that the same approach could be used to impersonate folders and even broader Windows processes. "As a result, when a user reads the malicious file, the content of the original harmless file would be returned instead," leaving the victim none the wiser that they were actually opening malicious content.

Taken together, manipulating MagicDot paths can grant adversaries rootkit-like abilities without admin privileges, explained Yair, who published detailed technical notes on the attack methods in tandem with the session.

"I found I could hide files and processes, hide files in archives, affect prefetch file analysis, make Task Manager and Process Explorer users think a malware file was a verified executable published by Microsoft, disable Process Explorer with a denial of service (DoS) vulnerability, and more," he said — all without admin privileges or the ability to run code in the kernel, and without intervention in the chain of API calls that retrieve information.

"It's important that the cybersecurity community recognize this risk and consider developing unprivileged rootkit detection techniques and rules," he warned.

A Series of "MagicDot" Vulnerabilities

During his research into the MagicDot paths, Yair also managed to uncover four different vulnerabilities related to the underlying issue, three of them since patched by Microsoft.

One remote code execution (RCE) vulnerability (CVE-2023-36396, CVSS 7.8) in Windows's new extraction logic for all newly supported archive types allows attackers to craft a malicious archive that would write anywhere they choose on a remote computer once extracted, leading to code execution.

"Basically, let's say you upload an archive to your GitHub repository advertising it as a cool tool available for download," Yair tells Dark Reading. "And when the user downloads it, it's not an executable, you just extract the archive, which is considered a completely safe action with no security risks. But now, the extraction itself is able to run code on your computer, and that is seriously wrong and very dangerous."

A second bug is an elevation of privilege (EoP) vulnerability (CVE-2023-32054, CVSS 7.3) that allows attackers to write into files without privileges by manipulating the restoration process of a previous version from a shadow copy.

The third bug is Process Explorer unprivileged DOS for anti-analysis bug, for which CVE-2023-42757 has been reserved, with details to follow. And the fourth bug, also an EoP issue, allows unprivileged attackers to delete files. Microsoft confirmed that the flaw led to "unexpected behavior" but hasn't yet issued a CVE or a fix for it.

"I create a folder inside the demo folder called …<space> and inside, I write a file named c.txt," Yair explained. "Then when an administrator attempts to delete the …<space> folder, the entire demo folder is deleted instead."

Potentially Wider "MagicDot" Ramifications

While Microsoft addressed Yair's specific vulnerabilities, the DOS-to-NT path conversion auto-stripping of periods and spaces persists, even though that's the root cause of the vulnerabilities.

"That means there might be many more potential vulnerabilities and post-exploitation techniques to find using this issue," the researcher tells Dark Reading. "This issue is still exists and can lead to many more issues and vulnerabilities, which can be much more dangerous than the ones we know about."

He adds that the problem has ramifications beyond Microsoft.

"We believe the implications are relevant not only to Microsoft Windows, which is the world's most widely used desktop OS, but also to all software vendors, most of whom also allow known issues to persist from version to version of their software," he warned in his presentation.

Meanwhile, software developers can make their code safer against these types of vulnerabilities by utilizing NT paths rather than DOS paths, he noted.

"Most high-level API calls in Windows support NT paths," Yair said in his presentation. "Using NT paths avoids the conversion process and ensures the provided path is the same path that is being actually operated on."

For businesses, security teams should create detections that look for rogue periods and spaces within file paths.

"There are pretty easy detections that you can develop for these, to look for files or directories, that have trailing dots or spaces in them, because if you find those, on your computer, it means that someone did it on purpose because it's not that easy to do," Yair tells Dark Reading. "Normal users can't just create a file with ends with a dot or space, Microsoft will prevent that. Attackers will need to use a lower API that is closer to the kernel, and will need some expertise to accomplish this."

Read more about:

Black Hat News

About the Author(s)

Tara Seals, Managing Editor, News, Dark Reading

Tara Seals has 20+ years of experience as a journalist, analyst and editor in the cybersecurity, communications and technology space. Prior to Dark Reading, Tara was Editor in Chief at Threatpost, and prior to that, the North American news lead for Infosecurity Magazine. She also spent 13 years working for Informa (formerly Virgo Publishing), as executive editor and editor-in-chief at publications focused on both the service provider and the enterprise arenas. A Texas native, she holds a B.A. from Columbia University, lives in Western Massachusetts with her family and is on a never-ending quest for good Mexican food in the Northeast.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights