‘MagicDot’ Windows Weakness Allows Unprivileged Rootkit Activity


A known issue in the DOS-to-NT path conversion process in Windows opens up significant risk for organizations, by allowing attackers to gain rootkit-like post-exploitation capabilities to conceal and impersonate files, directories, and processes.

That’s according to Or Yair, security researcher at SafeBreach, who outlined the issue during a session at Black Hat Asia 2024 in Singapore this week. He also detailed four different vulnerabilities related to the issue, which he dubbed “MagicDot” – including a dangerous remote code-execution bug that can be triggered simply by extracting an archive.

Dots & Spaces in DOS-to-NT Path Conversion

The MagicDot group of issues exists because of the way that Windows converts DOS paths to NT paths.

When users open files or folders on their PCs, Windows does so by referencing the path where the file exists; normally, that’s a DOS path that follows the “C:\Users\User\Documents\example.txt” format. However, a different underlying function called NtCreateFile is used to actually perform the operation of opening the file, and NtCreateFile expects an NT path, not a DOS path. Thus, Windows converts the familiar DOS path visible to users into an NT path before calling NtCreateFile to carry out the operation.

The exploitable weakness exists because, during the conversion process, Windows automatically removes any periods from the end of the DOS path, along with any trailing spaces. Thus, DOS paths like these:

…are all converted to “\??\C:\example\example” as an NT path.

Yair discovered that this automatic stripping of stray characters could allow attackers to create specially crafted DOS paths that would be converted to NT paths of their choosing – which could then be used either to render files unusable, or to hide malicious content and activity.

Simulating an Unprivileged Rootkit

The MagicDot issues primarily create the opportunity for a number of post-exploitation techniques that help attackers already on a machine maintain stealth.

For example, it’s possible to lock up malicious content and prevent users, even admins, from examining it. “By placing a simple trailing dot at the end of a malicious file name or by naming a file or a directory with dots and/or spaces only, I could make all user-space programs that use the normal API inaccessible to them…users would not be able to read, write, delete, or do anything else with them,” Yair explained in the session.

Then, in a related attack, Yair found that the technique could be used to hide files or directories within archive files.

“I simply ended a file name in an archive with a dot to prevent Explorer from listing or extracting it,” Yair said. “As a result, I was able to place a malicious file inside an innocent ZIP—whoever used Explorer to view and extract the archive contents was unable to see that the file existed inside.”

A third attack method involves masking malicious content by impersonating legitimate file paths.

“If there was a harmless file called ‘benign,’ I was able to [use DOS-to-NT path conversion] to create a malicious file in the same directory [also named] benign,” the researcher explained, adding that the same approach could be used to impersonate folders and even broader Windows processes. “As a result, when a user reads the malicious file, the content of the original harmless file would be returned instead,” leaving the victim none the wiser that they were actually opening malicious content.

Taken together, manipulating MagicDot paths can give adversaries rootkit-like abilities without admin privileges, explained Yair, who published detailed technical notes on the attack modes in tandem with the session.

“I found I could hide files and processes, hide files in archives, affect prefetch file analysis, make Task Manager and Process Explorer users think a malware file was a verified executable published by Microsoft, disable Process Explorer with a denial of service (DoS) vulnerability, and more,” he said—all without admin privileges or the ability to run code in the kernel, and without interfering with the chain of API calls that retrieve information.

“It’s important that the cybersecurity community recognize this risk and consider developing unprivileged rootkit detection techniques and rules,” he warned.

A Set of ‘MagicDot’ Vulnerabilities

During his research into MagicDot paths, Yair also managed to uncover four different vulnerabilities related to the underlying issue, three of them since patched by Microsoft.

One remote code execution (RCE) vulnerability (CVE-2023-36396, CVSS 7.8) in Windows’s new extraction logic for all newly supported archive types allows attackers to craft a malicious archive that, once extracted, writes anywhere they choose on a remote computer, leading to code execution.

“Basically, let’s say you upload an archive to your GitHub repository promoting it as a cool tool available for download,” Yair tells Dark Reading. “And when the user downloads it, it’s not an executable, you just extract the archive, which is considered a completely safe action with no security risks. But now, the extraction itself is able to run code on your computer, and that is seriously wrong and very dangerous.”

A second bug is an elevation of privilege (EoP) vulnerability (CVE-2023-32054, CVSS 7.3) that allows attackers to write into files without privileges by manipulating the process of restoring a previous version from a shadow copy.

The third bug is a Process Explorer unprivileged DoS for anti-analysis, for which CVE-2023-42757 has been reserved, with details to follow. And the fourth bug, also an EoP issue, allows unprivileged attackers to delete files. Microsoft confirmed that the flaw led to “unexpected behavior,” but hasn’t yet issued a CVE or a fix for it.

“I create a folder inside the demo folder called … and inside, I write a file named c.txt,” explained Yair. “Then when an administrator attempts to delete the … folder, the entire demo folder is deleted instead.”

Potentially Wider ‘MagicDot’ Ramifications

While Microsoft addressed Yair’s specific vulnerabilities, the DOS-to-NT path conversion’s auto-stripping of periods and spaces persists – even though that is the root cause of the vulnerabilities.

“That means there might be many more potential vulnerabilities and post-exploitation techniques to find using this issue,” the researcher warns. “This issue still exists and can lead to many more issues and vulnerabilities, which can be much more dangerous than the ones we know about.”

He adds that the weakness has ramifications beyond Microsoft.

“We believe the implications are relevant not only to Microsoft Windows, which is the world’s most widely used desktop OS, but also to all software vendors, most of whom also allow known issues to persist from version to version of their software,” he warned.

In the meantime, software developers can make their code safer against these types of vulnerabilities by using NT paths rather than DOS paths, he noted.

“Most high-level API calls in Windows support NT paths,” Yair mentioned. “Using NT paths avoids the conversion process and ensures the provided path is the same path that is being actually operated on.”

For organizations, security teams should build detections that look for rogue periods and spaces within file paths.

“There are pretty easy detections that you can develop for these, to look for files or directories that have trailing dots or spaces in them, because if you find those on your computer, it means that someone did it on purpose because it’s not that easy to do,” Yair explains. “Normal users can’t just create a file that ends with a dot or space, Microsoft will prevent that. Attackers will need to use a lower API that is closer to the kernel, and will need some expertise to accomplish this.”
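As an added example (not from the article or from SafeBreach), the Python below models the stripping behaviour described in the conversion section and applies the detection Yair recommends to a constructed directory listing: trailing dots or spaces, names made only of dots and spaces, and two names that collapse to the same DOS view (the impersonation case). `dos_to_nt` is a deliberately simplified model of only what the article states, not the real Windows routine, and the function names and sample listing are assumptions of mine.

```python
import re
from collections import defaultdict

# Simplified model of the DOS-to-NT conversion the article describes:
# trailing periods and spaces on the end of the path are dropped and the
# drive-letter prefix becomes the NT "\??\" form. This is NOT the real
# Windows conversion routine, only the behaviour the text relies on.
def dos_to_nt(dos_path: str) -> str:
    stripped = dos_path.rstrip(". ")
    if re.match(r"^[A-Za-z]:\\", stripped):
        return "\\??\\" + stripped
    return stripped

# Detection: given the raw names in one directory (e.g. collected through a
# listing that bypasses DOS normalisation), report the MagicDot patterns
# the article calls out. Returns (name, reason) pairs.
def find_magicdot_names(names):
    findings = []
    by_normalized = defaultdict(list)
    for name in names:
        if name and set(name) <= {".", " "}:
            findings.append((name, "name consists only of dots/spaces"))
        elif name != name.rstrip(". "):
            findings.append((name, "trailing dot or space"))
        by_normalized[name.rstrip(". ")].append(name)
    # Two entries that collapse to the same DOS view: the impersonation case,
    # where opening "benign" may silently resolve to a different file.
    for normalized, group in by_normalized.items():
        if len(group) > 1:
            findings.append((normalized, f"collision between {sorted(group)}"))
    return findings

# Constructed sample listing (not from the article): innocuous names mixed
# with names that user-space programs could not normally create.
SAMPLE_LISTING = ["benign", "benign.", "report.txt", "c.txt ", "...", "notes"]

if __name__ == "__main__":
    for dos in (r"C:\example\example.", r"C:\example\example...   "):
        print(dos, "->", dos_to_nt(dos))
    for name, reason in find_magicdot_names(SAMPLE_LISTING):
        print(f"{name!r}: {reason}")
```

On a live system the names must be enumerated in a way that does not pass through DOS normalisation, otherwise the trailing characters are stripped before the check ever sees them.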