Black Hat | Magicdot: A Hacker's Magic Show of Disappearing Dots and Spaces @BlackHatOfficialYT | Uploaded 1 month ago | Updated 26 minutes ago
Backwards compatibility is a key element of Windows. To support it, some known issues stay unfixed for years. We encountered such an issue when we ended a file name with a dot using the NT API. Surprisingly, we couldn't delete, write to, or rename it. Then we created a similarly named file without the dot, and like magic, file operations on the first file affected the new file. Microsoft's documentation revealed that they advise against ending a file name with dots or spaces.

We set a goal to reverse the magic and create even greater magic tricks. While we read past research and dove into debugging, we realized that trailing dots and spaces are removed when Windows converts normal paths to NT paths.

This was a perfect primitive for new tricks for our magic show. Without any control over API or system calls, we managed to hide files and processes, hide files in archives, completely disable ProcExp with a DoS vulnerability, cause prefetch file analysis to report false information, and even make Task Manager and ProcExp users think malware is a verified executable published by Microsoft. We had rootkit-like abilities as unprivileged users.

For the biggest magic trick, we hypnotized a remote computer to run our code. Using the disappearing dot, we found an RCE vulnerability in Windows' new extraction logic for all newly supported archive types including RAR, 7ZIP, TAR, and more!

Moreover, we found two more vulnerabilities that allowed us to escalate both deletion and writing privileges.
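As an added illustration (not code from the talk, from SafeBreach, or from Microsoft), the following Python models the path conversion step described above, where trailing dots and spaces are dropped from the final segment when a Win32 path is converted to an NT path, and turns it into a defensive check: given an archive's entry list, it reports which names would be trimmed and which entries would land on the same normalized path. Assumptions: the trimming follows Microsoft's documented "trim trailing periods and spaces" rule for DOS-style paths only; intermediate segments and other normalization steps (extended-length prefix, relative segments) are deliberately not modelled; the sample entry list is constructed.

```python
from collections import defaultdict

# Constructed sample: an archive entry listing as a defender might see it
# from a listing tool before extracting on Windows. The trailing dot and
# trailing space are exactly the characters the talk is about.
SAMPLE_ENTRIES = [
    "docs\\readme.txt",
    "docs\\readme.txt.",   # same name as the line above once the dot is trimmed
    "bin\\tool.exe ",      # trailing space
    "bin\\tool.exe",
    "notes.md",
    "keep\\",              # trailing separator: no trimming applies
    "...",                 # three periods is a legal name and is not trimmed
]


def trim_final_segment(segment: str) -> str:
    """Strip trailing periods and spaces from one path segment the way the
    Win32 layer does for the last segment of a DOS-style path. A segment
    made only of dots/spaces is returned unchanged ('.', '..' and '...'
    fall under other rules, so this model does not touch them)."""
    stripped = segment.rstrip(". ")
    return stripped if stripped else segment


def normalize_win32_path(path: str) -> str:
    """Model the Win32 -> NT conversion step: trailing dots and spaces
    vanish from the final segment unless the path ends in a separator.
    Assumption (simplification): intermediate segments are left untouched
    and no other normalization step is modelled."""
    if path.endswith("\\"):
        return path
    head, sep, last = path.rpartition("\\")
    return head + sep + trim_final_segment(last)


def find_normalization_collisions(entries):
    """Group entry names by their normalized form.

    Returns (collisions, trimmed):
      collisions: normalized path -> list of raw entries mapping onto it;
                  more than one member means Win32-based tools would act
                  on a different file than the one actually stored
      trimmed:    raw entries whose name changes under normalization,
                  i.e. names Microsoft's guidance says to avoid
    """
    groups = defaultdict(list)
    for name in entries:
        groups[normalize_win32_path(name)].append(name)
    collisions = {k: v for k, v in groups.items() if len(v) > 1}
    trimmed = [n for n in entries if normalize_win32_path(n) != n]
    return collisions, trimmed


if __name__ == "__main__":
    collisions, trimmed = find_normalization_collisions(SAMPLE_ENTRIES)
    for nt_name, raw in collisions.items():
        print(f"collision on {nt_name!r}: {raw}")
    for name in trimmed:
        print(f"entry {name!r} would be trimmed to {normalize_win32_path(name)!r}")
```

Run it on the constructed list and both pairs (readme.txt with and without the dot, tool.exe with and without the space) are reported as collisions, while the trailing-separator and three-dot entries pass untouched. A real pre-extraction check would feed the archive's actual entry names into find_normalization_collisions and refuse or rename anything that appears in the trimmed list.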

In this talk, we'll present the MagicDot magic show: a set of vulnerabilities and unprivileged rootkit techniques that are all possible thanks to disappearing dots and spaces. It is a full attack chain starting from remote code execution, through concealment, to privilege escalation. In this magic show you'll also learn the tricks.

By:
Or Yair | Security Research Team Lead, SafeBreach

Full Abstract & Presentation Materials:
blackhat.com/asia-24/briefings/schedule/#magicdot-a-hackers-magic-show-of-disappearing-dots-and-spaces-36561

