February 1st, 2002, 09:21 AM
M$ Windows NTFS File Hiding Vulnerability
There exists a condition in Microsoft Windows operating systems using NTFS that may allow for files to be hidden. Though the NTFS filesystem allows for a 32000 character path, Microsoft Windows operating systems (NT4, 2000 and XP) enforce a 256 character limit. Any attempt to create, traverse or otherwise operate on a path longer than 256 chatacters will fail.
Using drives mapped to directories created with 'SUBST', it is possible to create directory paths longer than 256 characters. This can be accomplished by creating directories on the 'SUBST' drive. The directories on the drive will be subdirectories in the tree to which the drive is mapped. Creating these directories may result in the total absolute path exceeding the 256 character limit.
If the absolute path of a directory created on a 'SUBST' mapped drive exceeds 256 characters, any files within will be inaccessible through traversing the full path. The files may still be accessed through the paths on the mapped drive. If the drive is deleted, the files may be completely inaccessible unless a drive is re- mapped to the same position in the directory tree.
This vulnerability poses a serious risk to programs which scan the filesystem, such as antivirus software. When attempting to traverse the long path, Norton Antivirus and Kaspersky Antivirus fail to scan files in the long directory trees due to the Windows path restrictions. Furthermore, if a virus executes, they do not scan the disk image because it is inaccessible. Exploitation of this vulnerability may allow for viruses to remain undetected on filesystems. Attackers may also be able to hide files using this vulnerability, as Explorer and any other utility cannot traverse the paths where they are stored.
Exploit realesed at:
February 1st, 2002, 10:34 AM
Good post sOnIc !
p.s change the link to "http://www.securityfocus.com/cgi-bin/vulns-item.pl?section=exploit&id=3989" .
Another way of hiding files would be in "streams". Its aint as easy to exploit as the example above though.
Several Windows file-wiping utilities fail to completely wipe some files on WinNT, Win2000 or WinXP that use NTFS file systems. Standard programs, like Word or Excel, do not use the secondary data streams - where file remnants might be left even after data has been securely deleted.
In any case, wiping a disk entirely will destroy such data. but information contained within the alternate data stream which is attached to a file (such as the thumbnail of an image) or directory remains intact on the hard drive data, when the file or directory is wiped.
It's unlikely that users store sensitive information using alternate data streams (which must be "explicitly created", as the advisory points out). However alternate data streams can provide a location where attack tools, snippets of virus code or the like can reside; and few virus scanners look there for malicious code, unless specifically configured to do so.
This is less bad than it may seem at first because viruses would have to go out of "stealth mode" to cause any harm.
Users can workaround the problem of data inadvertently stored in alternate data streams by using the "wipe free space" feature present in most secure file deletion utilities, but this is time-consuming. Encrypting disc partitions also creates an effective barrier for the recovery of data, though this is not bullet proof.
Other sources of information:
February 1st, 2002, 12:14 PM
good post sOnIc.