Re: Long path exploit on NTFS

From: Hans Somers (hans.somers@hccnet.nl)
Date: 02/04/02


Date: 4 Feb 2002 10:26:10 -0000
From: Hans Somers <hans.somers@hccnet.nl>
To: bugtraq@securityfocus.com


In-Reply-To: <OFADFDE497.D1849058-ONC1256B51.002E7352@abnamro.com>

Several replies to this posting revealed the following
additional information on this behaviour.

Possible Reason/Explanation:
There are several APIs one can use when accessing
file-systems. Of these APIs there are ANSI-versions,
where filenames might be limited to MAX_PATH
characters, and Unicode-versions where filenames
can take up to 32.000 characters.
For reference: check the info on the CreateFile()
function:
>> Windows NT/2000/XP: In the ANSI version of this function, the name is
>> limited to MAX_PATH characters. To extend this limit to nearly 32,000
>> wide characters, call the Unicode version of the function and prepend
>> "\\?\" to the path. For more information, see File Name Conventions.

BTW, The Fine Manual can be found at
http://msdn.microsoft.com/library/en-us/fileio/filesio_7wmd.asp?frame=true

It seems that the source of this behaviour lies within
the backwards-compatibility to "provide" (Microsoft)
and "use" (several vendors) the ANSI-versions of
these API-functions.

Possible solutions:
- change the application to use the Unicode-version
of the APIs. This may cause an application to lose
its backwards compatibility to Windows9x/ME. This
is an issue for each vendor of the vulnerable
application.
- change the ANSI-version of the API (if possible).
This may cause other applications to react differently,
since they expect the return/output of the old/current
version. This is an issue for Microsoft.

Vulnerability report:
The following applications have been reported as
unable to access a path that exceeds the normal
limitation.
The list is far from complete and serves just as a
general guide.
--------------------------------------------------------------------------------
Platform                            Application
--------------------------------------------------------------------------------
Vulnerable:
-----------
NT4                                 Explorer.exe, CMD.exe
Windows2000                         Explorer.exe, CMD.exe
WindowsXP                           Explorer.exe, CMD.exe
NT4 SP6a                            McAfee V4.5.1 SP1 with Engine 4.160
Windows 2000 Advanced Server SP2    AntiVirus eXpert Professional ver 5.9.3
Windows NT 4.0 SP4                  Norton AntiVirus 5.0
Windows NT 4.0 SP6a                 Norton AntiVirus 7.5.1
*1                                  Norton Antivirus Corporate 7.60.926
Windows 2000 Professional SP2       Norton Antivirus 8.00.58
Windows XP Pro                      Norton Antivirus 8.00.58
*1                                  Legato Networker 6.1.1

Not Vulnerable:
---------------
*1                                  Sophos Anti-Virus v3.53
Win2000 SP2                         Sophos AV, January edition (Engine build 2.7)
NT4                                 NTBACKUP.EXE
Win2000                             NTBACKUP.EXE
NT4                                 Seagate BackupExec 6.11
NT4                                 Veritas BackupExec 8.6
--------------------------------------------------------------------------------
*1 = Platform used when checking the given application was not reported.
--------------------------------------------------------------------------------
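
The CreateFile() note quoted in the post, turned into a coverage check for scanners and backup tools (an added example, not part of the original posting): it flags paths that cannot fit in a MAX_PATH buffer and gives the "\\?\" form a Unicode-API caller would open instead. The function names and sample inputs are assumptions made for this illustration; MAX_PATH is taken as 260 characters including the terminating NUL.

```python
import ntpath
import os

MAX_PATH = 260           # Win32 constant; the count includes the terminating NUL
EXT_PREFIX = "\\\\?\\"   # the four characters \\?\ from the CreateFile() note


def to_extended(path):
    # Convert an absolute Windows path (drive or UNC) to its \\?\ form.
    if path.startswith(EXT_PREFIX):
        return path
    if not ntpath.isabs(path):
        raise ValueError("extended-length paths must be absolute: %r" % path)
    # A \\?\ path is handed to the file system without normalisation,
    # so resolve "..", "." and forward slashes before prefixing.
    path = ntpath.normpath(path)
    if path.startswith("\\\\"):                 # \\server\share\...
        return EXT_PREFIX + "UNC\\" + path[2:]
    return EXT_PREFIX + path


def from_extended(path):
    # Inverse of to_extended(): recover the plain form for length checks.
    if path.startswith(EXT_PREFIX + "UNC\\"):
        return "\\\\" + path[len(EXT_PREFIX) + 4:]
    if path.startswith(EXT_PREFIX):
        return path[len(EXT_PREFIX):]
    return path


def audit(paths):
    # Return (plain, extended) pairs for absolute Windows paths that an
    # ANSI-API caller cannot open because they do not fit in MAX_PATH.
    flagged = []
    for p in paths:
        plain = from_extended(p)
        if len(plain) >= MAX_PATH:              # no room left for the NUL
            flagged.append((plain, to_extended(plain)))
    return flagged


def walk_files(root):
    # Yield every file under root. On Windows the walk starts from the
    # \\?\ form so the descent itself is not cut off at MAX_PATH.
    start = to_extended(root) if os.name == "nt" else root
    for dirpath, _dirs, files in os.walk(start):
        for name in files:
            yield os.path.join(dirpath, name)
```

Running `audit(walk_files(root))` on a Windows volume and comparing the result with a scanner's or backup job's own file log shows which files that product never reached.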


