what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

ntdlldll.txt

ntdlldll.txt
Posted May 21, 2006
Authored by Mario Ballano | Site 48Bits.com

Microsoft Windows NTDLL.DLL is prone to an incorrect path conversion vulnerability. This flaw could be successful exploited by malicious users in order to bypass protection mechanisms implemented by certain antivirus and antispyware products.

tags | advisory
systems | windows
SHA-256 | 32b4fc18480ffd4736b0b9a081bcb44188f975ffcfc4700bcb0597e3cae461a5

ntdlldll.txt

Change Mirror Download
Hi,

Microsoft Windows NTDLL.DLL is prone to an incorrect path conversion
vulnerability. This flaw could be successful exploited by malicious users
in order to bypass protection mechanisms implemented by certain antivirus
and antispyware products.

Advisory can also be located at -> https://www.48bits.com/advisories/rtldospath.pdf

Regards,

Mario Ballano Bárcena


**** 48Bits Advisory: Path conversion design flaw in NTDLL -=- www.48bits.com


There is a design flaw in the way that NTDLL performs path conversion between
DOS style path names and NT syle path names. Although many attack vectors are
possible, in this paper some proof of concept cases are covered.

(*) Vulnerability details:


The vulnerability is located in the exported function RtlDosPathNameToNtPathName_U
which converts from unicode DOS path names to unicode NT path names.

RtlDosPathNameToNtPathName_U internally checks if the given path name is already in
NT style or is in DOS style, calling respectively RtlpWin32NTNameToNtPathName_U or
RtlGetFullPathName_Ustr. Is in these functions where each proper syntax (NT and DOS styles)
are checked.

When a given path name ends with one or more space characters, RtlpWin32NTNameToNtPathName_U
keeps them in the returned path, RtlpWin32NTNameToNtPathName_U instead, removes them, here is
where the design flaw comes into play, because space finished DOS style paths given won´t
return the real NT style path when indeed is possible to create such NT style file names.


(*) Affected software:


Any program that relies on RtlDosPathNameToNtPathName_U the conversion between DOS paths
to NT paths, are prone to unproperly handle such files. The following Operating System
files import and use the function:

acledit.dll
ADVAPI32.DLL
cscdll.dll
CSRSRV.DLL
dskquoui.dll
EVENTLOG.DLL
GDI32.DLL
ifsutil.dll
KERNEL32.DLL
LSASRV.DLL
ntmarta.dll
OLE32.DLL
perfproc.dll
query.dll
rshx32.dll
scesrv.dll
sdbapiu.dll
setupdll.dll
sfc.dll
SHELL32.DLL
shim.dll
srvsvc.dll
trkwks.dll
ulib.dll
wow32.dll
AUTOCHK.EXE
autoconv.exe
autofmt.exe
NTVDM.EXE
os2srv.exe
posix.exe
regsvc.exe
SERVICES.EXE
smss.exe
WINLOGON.EXE

Usually, third party applications for Windows environment, use KERNEL32.DLL or
intermediate Dynamic Link Libraries,like MSVCRT.DLL, for file managing tasks.

The following KERNEL32.DLL functions make use of RtlDosPathNameToNtPathName_U:

GetShortPathNameW
CopyFileW
MoveFileW
MoveFileExW
ReplaceFileW
CreateMailslotW
GetFileAttributesW
FindFirstFileExW
CreateFileW
GetVolumeInformationW
DeleteFileW
GetDriveTypeW
GetFileAttributesExW
CreateDirectoryW
FindFirstChangeNotificationW
GetBinaryTypeW
CreateNamedPipeW
SetFileAttributesW
MoveFileWithProgressW
GetVolumeNameForVolumeMountPointW
GetDiskFreeSpaceW
CreateDirectoryExW
DefineDosDeviceW
PrivMoveFileIdentityW
GetCompressedFileSizeW
SetVolumeLabelW
CreateHardLinkW
RemoveDirectoryW

As we can see there are involved lot of important functions, which are used
for tasks like create a new file, delete a file, etc ... although the
vulnerability is located in ntdll, third party applications are affected
as well as Windows applications like explorer.


(*) Attack Vectors:


As well as there can be many vector attacks, some perhaps more dangerous,
i have successfully exploited two of them:

- Not accessible or erasable file:

A file with a name like:

NT Filename: "\\?\C:\test "

Wont be accessed or erased by calling KERNEL32.DLL APIs giving the DOS path name:

DOS FIlename: "C:\test "


- Redirecting files:

Suppose we have a file like this

NT FileName: "\\?\C:\test"

And in the same directory another file like this:

NT FileName: "\\?\C:\test "

All operations performed by vulnerable APIs to the DOS path name:

DOS FileName: "C:\test "

Will be done to the first file.


(*) Affected Platforms


Tested on W2kSP4 and WXPSP2 but others might be vulnerable.


(*) Real life affected software:


The attack vectors explained before, usually don´t pose a threat for the
end user, one exception is security software, and more precisely antivirus
and antispyware software. I have tested the not accessible or erasable
proof of concept file, containing inside malware testing signatures, with the
latest versions of some of them and here are the results:

Vulnerable antivirus:

* BitDefender:
- Resident shield unable to detect and disinfect
- On demand unable to detect and disinfect.

* Norman:
- Resident shield unable to detect and disinfect.
- On demand unable to detect and disinfect.

* Norton antivirus (2006):

- Resident shield able to detect, unable to desinfect.
- On demand unable to detect and disinfect.

* Antivir XP:
- Resident shield able to detect (but doesn´t show an alert), unable to desinfect.
- On demand unable to detect and disinfect.

* F-Prot:

- Resident shield able to detect but unable to disinfect
- On demand unable to detect and disinfect.

* Nod32:

- Resident shield able to detect but unable to disinfect
- On demand unable to detect and disinfect

* AVG:

- Resident shield able to detect but unable to disinfect
- On demand unable to detect and disinfect.

* Avast:

- Resident shield able to detect but unable to disinfect
- On demand unable to detect and disinfect.


* Kaspersky (Personal 5):
- Resident shield able to detect and disinfect
- On demand unable to detect and disinfect


Vulnerable AntiSpyware:

* SpySweeper:

- Unable to detect and disinfect.

* Spybot search and destroy:

- Unable to detect and disinfect.

* Ad-Aware:

- Unable to detect and disinfect.

Not Vulnerable:

* Panda
* Macaffe

(*) Proof of concept:


There is no need for complex code here ;-), just take a look at what
happens when you type the following in a cmd.exe:


echo X5O!P%@AP[4\PZX54(P^^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H* > "\\?\C:\malware.exe "

and play around this file :-)


(*) Vulnerability discovered and analysis Performed by:

Mario Ballano Bárcena -=- mballano[4t]gmail.com



--
48Bits.com [I+D Team]

www.48Bits.com
blog.48bits.com

Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    0 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close