RE: Long path exploit on NTFS

From: Gavin Lowe (gavin@vanderwell.com)
Date: 01/30/02


From: "Gavin Lowe" <gavin@vanderwell.com>
To: "BugTraq" <bugtraq@securityfocus.com>
Date: Wed, 30 Jan 2002 11:39:12 -0700


> Long path exploit on NTFS
> =====================
> The filesystem NTFS seems to be a hiding place for viruses if you use a file path which
> exceeds 256 characters.
>
> What is the case?
> The filepath (drive + folderpath + filename) theoretically can take up to 32000 characters if
> the filesystem in use is NTFS. However, in the way in which Windows NT (4.0, 2000 and XP)
> accesses this filesystem a maximum of 256 characters is in place. If you try to go
> deeper, you will experience a "Path too long" error.
>
> In these operating systems there is a way to substitute a long folderpath, using
> the "SUBST" command. If you change your current drive to the substituted
> drive, the pathlength is reset to 3 (Q:\ e.g.) and Windows NT allows you to
> create an even deeper path.

Yes, I tried this on my XP Pro and you are able to hide files within the
folder. The command prompt will display a directory listing, but not
access the files that are contained within this directory:

C:\TEMP\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\123456789\1234567890\1234567890

Windows Explorer will not even display a listing.

Files that are further down in the tree, using the Subst method, are
completely invisible to the virus scanner (NAV Corporate 7.60), command
prompt and Explorer until the subst is re-created.

The question that I have, is how would you execute the virus code
without SUBST'ing the path and having the virus scanner find it?

Gavin Lowe
gavin@vanderwell.com
Programmer / Network Administrator

No trees were killed in the sending of this message. However a large
number of electrons were terribly inconvenienced.
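
A defender's check for the condition discussed in this thread, added here as an example and not part of the original posts: it walks a tree and reports every entry whose full path is longer than the 256-character figure quoted above. The function names and the `limit` parameter are assumptions of this example; on Windows it relies on the `\\?\` extended-length path prefix so the walk itself is not stopped by the limit.

```python
import os
import sys

# 256 is the figure used in the post; Win32 MAX_PATH is 260, so this
# threshold is slightly conservative. Pass another limit if needed.
LIMIT = 256

def extended(path):
    # On Windows, return the \\?\ form so Win32 skips its path-length check.
    path = os.path.abspath(path)
    if os.name != "nt" or path.startswith("\\\\?\\"):
        return path
    if path.startswith("\\\\"):  # UNC share: \\server\share\...
        return "\\\\?\\UNC\\" + path[2:]
    return "\\\\?\\" + path

def display(path):
    # Strip the prefix so lengths match what Explorer or a scanner is given.
    if path.startswith("\\\\?\\UNC\\"):
        return "\\\\" + path[8:]
    if path.startswith("\\\\?\\"):
        return path[4:]
    return path

def find_long_paths(root, limit=LIMIT):
    # Yield (length, path) for every file or folder whose path exceeds limit.
    stack = [extended(root)]
    while stack:
        current = stack.pop()
        try:
            entries = list(os.scandir(current))
        except OSError as exc:
            print(f"cannot list {display(current)}: {exc}", file=sys.stderr)
            continue
        for entry in entries:
            shown = display(entry.path)
            if len(shown) > limit:
                yield len(shown), shown
            # Do not follow links, so a looping link cannot trap the walk.
            if entry.is_dir(follow_symlinks=False):
                stack.append(entry.path)

if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for length, path in sorted(find_long_paths(root)):
        print(length, path)
```

Run it against the real volume path (for example `C:\`) and not a SUBST drive letter, because the substituted drive shortens the very path length being measured.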

 


