Threat Level: green Handler on Duty: Xavier Mertens

SANS ISC: Challenge: What can you do with funky directory names? - SANS Internet Storm Center SANS ISC InfoSec Forums


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Challenge: What can you do with funky directory names?

Good day readers!   I've been playing around with creating unusual file names for a while.   (http://vimeo.com/9484706 , http://pauldotcom.com/2011/12/looking-for-stealth-ads-stream.html)   For example, did you know you can create a ".. "  (dot dot space) directory on Windows just like you can in Linux?   Want to try it?   Open up a command prompt and type this:

That's interesting.   Notice that our ".. " (dot dot space) directory is indistinguishable from the normal parent directory and is easily overlooked.   Attackers have been hiding in the "dot dot space" directory for a long time on the Linux platform.   Now try this from an administrative command prompt:

We created a ". "  (dot space) directory with a ".. " (dot dot space) subdirectory.  Then we put a copy of netcat in it.  (Your path to nc.exe may be different from this example).  As you see from the image above you can still execute netcat without any problems if you use a symbolic link.    Now try and browse to the c:\temp\  directory using the Windows Explorer GUI.   You will notice the SHORTCUT to NC.EXE in our c:\temp directory.    Double click on the ". " (dot space) directory.   You might expect that it take you into a directory containing our ".. " (dot dot space)  directory, but it doesn't!   Instead we are still in the c:\temp directory with our shortcut to nc.exe!   Double click the ". " (dot space) directory again.   This time we DO change to the directory containing ".. " (dot dot space).   Weird!    Now, Double click your ".. " (dot dot space) directory.   Where will that take you?  It takes you to the following error message:

Interesting.  Now try this.  Open your command prompt and change directories to the path "c:\temp\2628~1\45AA~1\" and do a directory listing.  This strange directory name has been consistent in my limited testing.  Is it the same for you?  There is your copy of nc.exe!   What the heck is that?

Your mission, should you choose to accept it, is to tell me what you can do with this.   What causes this behavior?  Post a comment!

HEY! I'm teaching SANS SEC560 BOOTCAMP Style in Augusta GA June 11th - 16th.   Sign up today!  http://www.sans.org/community/event/sec560-augusta-jun-2012

 

Mark

81 Posts
ISC Handler
Microsoft has many issues with paths. I remember when people where using the device names.
Another good one is, on a Citrix server where there is no access to C: - Just launch your cygwin Bash, and using the POSIX subsystem you can access C without any trouble.
Povl H.

71 Posts
c:\temp\2628~1\45AA~1\ here. Quite consistent behavior on WinXP.

The interesting part is that you can set NTFS short name by using fsutil:

C:\temp>copy c:\windows\system32\ipconfig.exe .
C:\temp>ren ipconfig.exe ipconfig.txt
C:\temp>fsutil file setshortname ipconfig.txt i.exe

C:\temp>dir
[...]
2011.03.25 11:27 55.808 ipconfig.txt
C:\temp>i

Windows IP Configuration
[...]

The good part that setting of the short name requires high privileges, and can be disabled altogether by use of fsutil or corresponding registry key.
Tomas

4 Posts
C:\temp\02E2~1\7173~1 actually. sorry for copy-paste errors :(
Tomas

4 Posts
02e2~1 and 7173~1 :)
Tomas

4 Posts
forgive me for my ignorance but what is 2628~1? it looks like a Nibble with ~1 on the end as a flag i am guessing?

Thanks,
http://mjddesign.wordpress.com
Matthew

15 Posts
Tomas is on the trail... 2e is hex for ascii ".".
Steven

42 Posts
@Matthew. Good question. What is that 2628~1? The ~1 is usually used to indicate the use of the backwards compatible 8.3 naming convention. No idea where the 2628 comes from. I'm hoping our readers will tell me.

@Stephen. The directory names created for me didn't seem to be related to ASCII in any way. Additionally, the same directory name ". " (dot space) seem to produce different directory names.
Mark

81 Posts
ISC Handler
Just a quick note:
C:\temp>dir /x (shows the short name for the dir)
C:\temp>dir /s (still works to show you the subdirectories)
~Of course, these can be combined in to a single command...
John

10 Posts
One more note: wikipedia have good summary on 8dot3 name generation at http://en.wikipedia.org/wiki/8.3_filename#Overview

~1 is not actually the indication of 8.3 name, but rather index in case long name shortened to the same 8.3 name
Tomas

4 Posts
Perhaps I missed something, but where did the relative path "2628~1\45AA~1\" come from? As someone else posted above, I had the same instinct to consider that the values are ASCII hex (i.e. & ( E ª), though I don't see an obvious correlation here. Back in the DOS days, we used to hide directories in a similar fashion. We would create a directory with the name being a space only using alt +ASCII decimal value on the keypad. It was a great place to hide things, especially without Windows or file browsing utilities :)
Tomas
6 Posts
It's also easy to use similar file name tricks to make your malicious binary appear to be Microsoft signed. Name your malware file "svchost.exe " (note trailing space) and put it in the same folder as the legitimate file. Attempted reads of your malicious file will "miss" your file and instead hit the legitimate (and signed) binary. (This is because win32 will auto-remove the trailing space.)

The nice thing about CreateProcess is that it launches the malicious process just fine. ;-)
Tomas
2 Posts

Sign Up for Free or Log In to start participating in the conversation!