February 1st, 2002 09:21 AM
M$ Windows NTFS File Hiding Vulnerability
There exists a condition in Microsoft Windows operating systems using NTFS that may allow for files to be hidden. Though the NTFS filesystem allows for a 32000 character path, Microsoft Windows operating systems (NT4, 2000 and XP) enforce a 256 character limit. Any attempt to create, traverse or otherwise operate on a path longer than 256 chatacters will fail.
Using drives mapped to directories created with 'SUBST', it is possible to create directory paths longer than 256 characters. This can be accomplished by creating directories on the 'SUBST' drive. The directories on the drive will be subdirectories in the tree to which the drive is mapped. Creating these directories may result in the total absolute path exceeding the 256 character limit.
If the absolute path of a directory created on a 'SUBST' mapped drive exceeds 256 characters, any files within will be inaccessible through traversing the full path. The files may still be accessed through the paths on the mapped drive. If the drive is deleted, the files may be completely inaccessible unless a drive is re- mapped to the same position in the directory tree.
This vulnerability poses a serious risk to programs which scan the filesystem, such as antivirus software. When attempting to traverse the long path, Norton Antivirus and Kaspersky Antivirus fail to scan files in the long directory trees due to the Windows path restrictions. Furthermore, if a virus executes, they do not scan the disk image because it is inaccessible. Exploitation of this vulnerability may allow for viruses to remain undetected on filesystems. Attackers may also be able to hide files using this vulnerability, as Explorer and any other utility cannot traverse the paths where they are stored.
Exploit realesed at: