04-22-2024, 10:20 PM
Windows has succeeded again.
Yet another rootkit has been discovered by reaearchers
So how does it work?
Ah .... So , user space API's remove trailing dots and any white spaces from the path element.. How does this turn into root like privileges?
Ohh.. so, the path, if crafted correctly, allows any unprivileged user to do things that only administrator's can do, remain undetected, what else?
So, you can hide files, processes, affect prefetch analysis, make your program completely untouchable, make task manager thing an executable is verified by Microsoft, Prevent process explorer from working (what about process hacker?) AND More? "all without admin privileges or the ability to run code in the kernel, and without intervention in the chain of API calls that retrieve information."
Let's explain a little bit on how it works.
So, also software can be vulnerable not just windows
https://thehackernews.com/2024/04/resear...flaws.html
https://www.darkreading.com/vulnerabilit...ed-rootkit
https://www.malwarebytes.com/blog/news/2...rabilities
Yet another rootkit has been discovered by reaearchers
Quote:"When a user executes a function that has a path argument in Windows, the DOS path at which the file or folder exists is converted to an NT path,"SafeBreach security researcher Or Yair said
So how does it work?
Quote:"During this conversion process, a known issue exists in which the function removes trailing dots from any path element and any trailing spaces from the last path element. This action is completed by most user-space APIs in Windows."
Ah .... So , user space API's remove trailing dots and any white spaces from the path element.. How does this turn into root like privileges?
Quote:These so-called MagicDot paths allow for rootkit-like functionality that's accessible to any unprivileged user, who could then weaponize them to carry out a series of malicious actions without having admin permissions and remain undetected.
Ohh.. so, the path, if crafted correctly, allows any unprivileged user to do things that only administrator's can do, remain undetected, what else?
Quote:the ability to "hide files and processes, hide files in archives, affect prefetch file analysis, make Task Manager and Process Explorer users think a malware file was a verified executable published by Microsoft, disable Process Explorer with a denial of service (DoS) vulnerability, and more
Quote:"By placing a simple trailing dot at the end of a malicious file name or by naming a file or a directory with dots and/or spaces only, I could make all user-space programs that use the normal API inaccessible to them ... users would not be able to read, write, delete, or do anything else with them," Yair explained in the session.
So, you can hide files, processes, affect prefetch analysis, make your program completely untouchable, make task manager thing an executable is verified by Microsoft, Prevent process explorer from working (what about process hacker?) AND More? "all without admin privileges or the ability to run code in the kernel, and without intervention in the chain of API calls that retrieve information."
Quote:The underlying issue within the DOS-to-NT path conversion process has also led to the discovery of four security shortcomings, three of which have since been addressed by Microsoft -
An elevation of privilege (EoP) deletion vulnerability that could be used to delete files without the required privileges (to be fixed in a future release)
An elevation of privilege (EoP) write vulnerability that could be used to write into files without the required privileges by tampering with the restoration process of a previous version from a volume shadow copy (CVE-2023-32054, CVSS score: 7.3)
A remote code execution (RCE) vulnerability that could be used to create a specially crafted archive, which can lead to code execution when extracting the files on any location of the attacker's choice (CVE-2023-36396, CVSS score: 7.8)
A denial-of-service (DoS) vulnerability impacting the Process Explorer when launching a process with an executable whose name is 255 characters long and is without a file extension (CVE-2023-42757)
Let's explain a little bit on how it works.
Quote:When users open files or folders on their PCs, Windows accomplishes this by referencing the path where the file exists; normally, that's a DOS path that follows the "C:\Users\User\Documents\example.txt" format. However, a different underlying function called NtCreateFile is used to actually perform the operation of opening the file, and NtCreateFile asks for an NT path and not a DOS path. Thus, Windows converts the familiar DOS path visible to users into an NT path, prior to calling NtCreateFile to enable the operation.
The exploitable problem exists because, during the conversion process, Windows automatically removes any periods from the DOS path, along with any extra spaces at the end. Thus, DOS paths like these:
C:\example\example.
C:\example\example…
C:\example\example<space>
are all converted to "\??\C:\example\example" as an NT path.
Yair discovered that this automatic stripping out of erroneous characters could allow attackers to create specially crafted DOS paths that would be converted to NT paths of their choice, which could then be used to either render files unusable or to conceal malicious content and activities.
Quote:"I simply ended a file name in an archive with a dot to prevent Explorer from listing or extracting it," Yair said. "As a result, I was able to place a malicious file inside an innocent zip — whoever used Explorer to view and extract the archive contents was unable to see that file existed inside."
So, also software can be vulnerable not just windows
Quote:"We believe the implications are relevant not only to Microsoft Windows, which is the world's most widely used desktop OS, but also to all software vendors, most of whom also allow known issues to persist from version to version of their software," he warned in his presentation.
Meanwhile, software developers can make their code safer against these types of vulnerabilities by utilizing NT paths rather than DOS paths, he noted.
https://thehackernews.com/2024/04/resear...flaws.html
https://www.darkreading.com/vulnerabilit...ed-rootkit
https://www.malwarebytes.com/blog/news/2...rabilities
Buffer Overlord
Deploying Precision in Every Line.
PGP Fingerprint: C1F5 5935 4992 A77B 69E1 B626 7556 1F6B 453C B36F
https://pastebin.com/raw/6k1RJQie
Deploying Precision in Every Line.
PGP Fingerprint: C1F5 5935 4992 A77B 69E1 B626 7556 1F6B 453C B36F
https://pastebin.com/raw/6k1RJQie
