<<< Date Index >>>     <<< Thread Index >>>

[48Bits.com Advisory] Path conversion design flaw in Microsoft NTDLL



Hi,

Microsoft Windows NTDLL.DLL is prone to an incorrect path conversion
vulnerability. This flaw could be successful exploited by malicious users
in order to bypass protection mechanisms implemented by certain antivirus
and antispyware products.

Advisory can also be located at -> 
http://www.48bits.com/advisories/rtldospath.pdf

Regards,

Mario Ballano Bárcena


**** 48Bits Advisory: Path conversion design flaw in NTDLL  -=-  www.48bits.com


There is a design  flaw in the way  that NTDLL performs path  conversion between
DOS style path names and NT syle path names. Although many attack vectors are
possible, in this paper some proof of concept cases are covered.

(*) Vulnerability details:


The vulnerability is located in the exported function 
RtlDosPathNameToNtPathName_U
which converts from unicode DOS path names to unicode NT path names.

RtlDosPathNameToNtPathName_U internally checks if the given path name is 
already in
NT style or is in DOS style, calling respectively RtlpWin32NTNameToNtPathName_U 
or
RtlGetFullPathName_Ustr. Is in these functions where each proper syntax (NT and 
DOS styles)
are checked.

When a given path name ends with one or more space characters, 
RtlpWin32NTNameToNtPathName_U
keeps them in the returned path, RtlpWin32NTNameToNtPathName_U instead, removes 
them, here is
where the design flaw comes into play, because space finished DOS style paths 
given won´t
return the real NT style path when indeed is possible to create such NT style 
file names.


(*) Affected software:


Any program that relies on RtlDosPathNameToNtPathName_U the conversion between 
DOS paths
to NT paths, are prone to unproperly handle such files. The following Operating 
System
files import and use the function:

acledit.dll
ADVAPI32.DLL
cscdll.dll
CSRSRV.DLL
dskquoui.dll
EVENTLOG.DLL
GDI32.DLL
ifsutil.dll
KERNEL32.DLL
LSASRV.DLL
ntmarta.dll
OLE32.DLL
perfproc.dll
query.dll
rshx32.dll
scesrv.dll
sdbapiu.dll
setupdll.dll
sfc.dll
SHELL32.DLL
shim.dll
srvsvc.dll
trkwks.dll
ulib.dll
wow32.dll
AUTOCHK.EXE
autoconv.exe
autofmt.exe
NTVDM.EXE
os2srv.exe
posix.exe
regsvc.exe
SERVICES.EXE
smss.exe
WINLOGON.EXE

Usually, third party applications for Windows environment, use KERNEL32.DLL or
intermediate Dynamic Link Libraries,like MSVCRT.DLL, for file managing tasks.

The following KERNEL32.DLL functions make use of RtlDosPathNameToNtPathName_U:

GetShortPathNameW
CopyFileW
MoveFileW
MoveFileExW
ReplaceFileW
CreateMailslotW
GetFileAttributesW
FindFirstFileExW
CreateFileW
GetVolumeInformationW
DeleteFileW
GetDriveTypeW
GetFileAttributesExW
CreateDirectoryW
FindFirstChangeNotificationW
GetBinaryTypeW
CreateNamedPipeW
SetFileAttributesW
MoveFileWithProgressW
GetVolumeNameForVolumeMountPointW
GetDiskFreeSpaceW
CreateDirectoryExW
DefineDosDeviceW
PrivMoveFileIdentityW
GetCompressedFileSizeW
SetVolumeLabelW
CreateHardLinkW
RemoveDirectoryW

As we can see there are involved lot of important functions, which are used
for tasks like create a new file, delete a file, etc ... although the
vulnerability is located in ntdll, third party applications are affected
as well as Windows applications like explorer.


(*) Attack Vectors:


As well as there can be many vector attacks, some perhaps more dangerous,
i have successfully exploited two of them:

- Not accessible or erasable file:

A file with a name like:

NT Filename: "\\?\C:\test "

Wont be accessed or erased by calling KERNEL32.DLL APIs giving the DOS path 
name:

DOS FIlename: "C:\test "


- Redirecting files:

Suppose we have a file like this

NT FileName:  "\\?\C:\test"

And in the same directory another file like this:

NT FileName: "\\?\C:\test "

All operations performed by vulnerable APIs to the DOS path name:

DOS FileName: "C:\test "

Will be done to the first file.


(*) Affected Platforms


Tested on W2kSP4 and WXPSP2 but others might be vulnerable.


(*) Real life affected software:


The attack vectors explained before, usually don´t pose a threat for the
end user, one exception is security software, and more precisely antivirus
and antispyware software. I have tested the not accessible or erasable
proof of concept file, containing inside malware testing signatures, with the
latest versions of some of them and here are the results:

Vulnerable antivirus:

* BitDefender:
  - Resident shield unable to detect and disinfect
  - On demand unable to detect and disinfect.

* Norman:
  - Resident shield unable to detect and disinfect.
  - On demand unable to detect and disinfect.

* Norton antivirus (2006):

  - Resident shield able to detect, unable to desinfect.
  - On demand unable to detect and disinfect.

* Antivir XP:
  - Resident shield able to detect (but doesn´t show an alert), unable to 
desinfect.
  - On demand unable to detect and disinfect.

* F-Prot:

  - Resident shield able to detect but unable to disinfect
  - On demand unable to detect and disinfect.

* Nod32:

  - Resident shield able to detect but unable to disinfect
  - On demand unable to detect and disinfect

* AVG:

  - Resident shield able to detect but unable to disinfect
  - On demand unable to detect and disinfect.

* Avast:

  - Resident shield able to detect but unable to disinfect
  - On demand unable to detect and disinfect.


* Kaspersky (Personal 5):
  - Resident shield able to detect and disinfect
  - On demand unable to detect and disinfect


Vulnerable AntiSpyware:

* SpySweeper:

  - Unable to detect and disinfect.

* Spybot search and destroy:

  - Unable to detect and disinfect.

* Ad-Aware:

  - Unable to detect and disinfect.

Not Vulnerable:

* Panda
* Macaffe

(*) Proof of concept:


There is no need for complex code here ;-), just take a look at what
happens when you type the following in a cmd.exe:


echo X5O!P%@AP[4\PZX54(P^^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H* > 
"\\?\C:\malware.exe "

and play around this file :-)


(*) Vulnerability discovered and analysis Performed by:

Mario Ballano Bárcena  -=- mballano[4t]gmail.com



-- 
48Bits.com [I+D Team]

www.48Bits.com
blog.48bits.com