In Windows systems, path and filename normalization routines have some interesting quirks. In his upcoming ShmooCon presentation, Core's Dan Crowley will demonstrate how these quirks can be used to bypass filters and access control mechanisms, evade IDS detection, alter the way that files are handled and processed, and make brute force attacks to enumerate files easier.
Some of you may be aware of my upcoming "Windows File Pseudonyms" presentation at Shmoocon, but perhaps you don’t know what it’s all about, or maybe you haven’t got a ticket (and you don’t want to spend $600 on one from eBay that may turn out to be a barcode pulled off a box of Pwny-Os cereal [breakfast of 31337++ champions]).
Well, that’s OK, because this blog post is going to be a super-sweet sneak preview! In summary, Windows systems will accept a wide range of different variations on the same file name and still serve up the same file. Some of these are well known and documented, some are known but not documented, and some are documented but not terribly well known. My research focuses on four different quirks in the way that Windows handles file names, and in this post I’ll share some interesting tidbits about one of those quirks – but not how these tidbits can be used in exploitation. [I leave that up to the reader to figure out, and we can compare notes after you see my presentation! ;)]

So, if you’ve spent some time working with Windows systems, you know what DOS device files are. For those who don’t, DOS device files are files which don’t actually exist on the filesystem, but can be referenced as if they did and allow for data exchange with certain devices. Examples include:
- CON, used to interface with standard input and output
- PRN, used to communicate with the first parallel printer connected to the computer
- COM1, used to communicate with the first serial port on the computer
- NUL, a bit bucket like /dev/null

What you probably DIDN’T know is that these technically exist in EVERY directory on the entire machine. They can be referenced even with an absolute path, so long as everything in the path up to the name of the special file actually exists. These files can also be accessed by anyone, with standard identical permissions regardless of what directory they reside in, even if that directory is restricted to the user! Also, they can have any file extension and will still refer to devices, so “CON” is the same as “CON.thisIsALongAndArbitraryFileExtension”.
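The practical consequence for anyone writing a filename filter is that checking the directory, or the extension, tells you nothing: only the part of the final path component before the first dot decides whether Windows hands you a device instead of a file. The following is an added example (my own code, not from the post or from Core) of a defensive check that applies that rule. It covers the four names the post lists plus the rest of the standard reserved set (AUX, COM1–COM9, LPT1–LPT9); the sample file names it is run against are constructed for the demonstration.

```python
import re

# Reserved DOS device names in the Win32 namespace. CON, PRN, COM1 and NUL are
# the ones named in the post; AUX, COM1-COM9 and LPT1-LPT9 complete the
# well-known set. Comparison is case-insensitive.
RESERVED_DEVICE_NAMES = frozenset(
    ["CON", "PRN", "AUX", "NUL"]
    + [f"COM{i}" for i in range(1, 10)]
    + [f"LPT{i}" for i in range(1, 10)]
)


def device_name_of(path: str):
    """Return the reserved device name a Win32 path would resolve to, or None.

    Only the final component matters: the post points out that the device
    pseudo-files are reachable in every directory (as long as the directories
    leading up to them exist) and keep working with any extension attached.
    """
    # Accept both separators; a trailing separator leaves an empty component.
    component = re.split(r"[\\/]", path)[-1]
    # Everything from the first '.' onward is an extension and is ignored.
    base = component.split(".", 1)[0].upper()
    return base if base in RESERVED_DEVICE_NAMES else None


def is_safe_file_name(path: str) -> bool:
    """True when the name cannot alias a DOS device on Windows."""
    return device_name_of(path) is None


def classify(paths):
    """Map each candidate name to the device it aliases (or None)."""
    return {p: device_name_of(p) for p in paths}


# Constructed sample names of the kind an upload handler or log parser might see.
SAMPLE_NAMES = [
    "report.txt",
    "console.txt",                       # starts with CON but is an ordinary name
    "CON",
    "con.thisIsALongAndArbitraryFileExtension",
    r"C:\inetpub\uploads\nul.log",        # absolute path, restricted directory
    "archive/2009/prn.pdf",
    "com10.txt",                          # COM10 is not in the reserved set
]

if __name__ == "__main__":
    for name, device in classify(SAMPLE_NAMES).items():
        print(f"{name!r:55} -> {device or 'ordinary file'}")
```

A filter that only inspects the directory a name lands in, or only its extension, passes every reserved name in the sample list; the check above rejects them wherever they appear. CPython's `pathlib.PureWindowsPath.is_reserved()` applies the same base-name-before-first-dot rule, though it is deprecated from Python 3.13 onward, so a small explicit check like this one is easier to keep under your own control.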
I’m sure that the more advanced readers out there are already scratching their beards, scheming up ways that these funny little quirks could be used, but if you want to see how I’M using them (and hear some amazing security haikus), you’ll just have to wait until Friday at ShmooCon and come see! And BTW, as winner of the "Gringo Warrior" lock bypass competition at last year's ShmooCon, I'll of course be back to defend my title. So if you think you've got what it takes to pick some choice locks and abuse an innocent dummy all in a matter of minutes, see you there. Keep fighting the good fight, info-warriors.