Bugtraq mailing list archives

RE: Long path exploit on NTFS


From: "Gavin Lowe" <gavin () vanderwell com>
Date: Wed, 30 Jan 2002 11:39:12 -0700


Long path exploit on NTFS
=====================
The filesystem NTFS seems to be a hiding place for viruses if you use
a file path which exceeds 256 characters.

What is the case?
The filepath (drive + folderpath + filename) theoretically can take up
to 32000 characters if the filesystem in use is NTFS. However, the way
in which Windows NT > (4.0, 2000 and > XP) access this filesystem a
maximum of 256 characters is in place. If you try to go deeper, you
will experience a "Path too long" error.

In these operating systems there is a way to substitute a long
folderpath, using the "SUBST" command. If you change your current drive
to the substituted drive, the pathlength is reset to 3 (Q:\ e.g.) and
Windows NT allows you to create an even deeper path.



Yes, I tried this on my XP Pro and you are able to hide files within the
folder.  The command prompt will display a directory listing, but not
access the files that are contained within this directory
C:\TEMP\1234567890\1234567890\1234567890\1234567890\1234567890\123456789
0\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234
567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890
\123456789\1234567890\1234567890
Windows Explorer will not even display a listing.

Files that are further down in the tree, using the Subst method, are
completely invisible to the virus scanner (NAV Corporate 7.60), command
prompt and Explorer until the subst is re-created.

The question that I have, is how would you execute the virus code
without SUBST'ing the path and having the virus scanner find it?


Gavin Lowe
gavin () vanderwell com
Programmer / Network Administrator


No trees were killed in the sending of this message.  However a large
number of electrons were terribly inconvenienced.
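
An added example, not part of the original post: a defender-side audit that walks a tree and reports every entry whose full path is longer than the 256-character limit discussed above, so over-long directories can be reviewed. The names `find_long_paths` and `MAX_PATH_LIMIT` are hypothetical, and the `\\?\` extended-length prefix used on Windows is a Win32 feature the thread does not mention.

```python
import os
import sys

MAX_PATH_LIMIT = 256       # threshold taken from the post (assumed default)
EXT_PREFIX = "\\\\?\\"     # Win32 extended-length path prefix: \\?\


def _extended(path):
    # On Windows, prefix drive-letter paths so the walk can descend past
    # the normal path limit. UNC paths need a different form and are left as-is.
    path = os.path.abspath(path)
    if os.name == "nt" and path[1:3] == ":\\":
        return EXT_PREFIX + path
    return path


def _visible_len(path):
    # Length as other tools see it, without the extended-length prefix.
    return len(path) - len(EXT_PREFIX) if path.startswith(EXT_PREFIX) else len(path)


def find_long_paths(root, limit=MAX_PATH_LIMIT):
    """Return (hits, unreadable): hits is a list of (length, path), longest first."""
    hits, unreadable = [], []
    stack = [_extended(root)]
    while stack:
        current = stack.pop()
        try:
            entries = list(os.scandir(current))
        except OSError as exc:
            # A directory that cannot be listed is itself worth a manual look.
            unreadable.append((current, exc.strerror))
            continue
        for entry in entries:
            length = _visible_len(entry.path)
            if length > limit:
                hits.append((length, entry.path))
            if entry.is_dir(follow_symlinks=False):
                stack.append(entry.path)
    return sorted(hits, reverse=True), unreadable


if __name__ == "__main__":
    found, skipped = find_long_paths(sys.argv[1] if len(sys.argv) > 1 else ".")
    for length, path in found:
        print(f"{length:6d}  {path}")
    for path, reason in skipped:
        print(f"unreadable: {path} ({reason})")
```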

 


