MagicDot Windows Vulnerabilities Enable Stealthy Rootkit-like Activities
April 19, 2024
A security researcher at SafeBreach, Or Yair, has highlighted a significant cybersecurity risk associated with the DOS-to-NT path conversion process in Windows during a session at Black Hat Asia 2024. Yair has named this issue 'MagicDot', and it can potentially allow attackers to gain rootkit-like post-exploitation capabilities, including the ability to hide and impersonate files, directories, and processes.
The MagicDot problems arise due to the way Windows converts DOS paths to NT paths. During this conversion process, Windows automatically removes any periods and extra spaces at the end of the DOS path. This can potentially allow threat actors to create specially crafted DOS paths that would be converted to NT paths of their choice, and could be used to either render files unusable or to hide malicious activities.
Yair explained that by placing a single trailing dot at the end of a malicious file name, or by naming a file or directory with only dots and/or spaces, he could make those files inaccessible to all user-space programs that use the normal API. He further demonstrated that this technique could be used to hide files or directories within archive files.
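As an added illustration (not code from the article or from SafeBreach), the following models the trailing dot/space stripping described above and uses it as a defensive check over file names, for example an archive listing inspected before extraction. It assumes a simplified model in which stripping applies to every path component, and the sample entries are constructed.

```python
from collections import defaultdict

TRAILING_CHARS = " ."

def strip_trailing(component: str) -> str:
    """Model of the DOS-to-NT conversion described in the article: trailing
    periods and spaces are dropped. Assumption: applied to every component."""
    return component.rstrip(TRAILING_CHARS)

def normalize_dos_path(path: str) -> str:
    """Unify separators and strip each component under the model above."""
    parts = path.replace("/", "\\").split("\\")
    return "\\".join(strip_trailing(p) for p in parts)

def find_magicdot_names(paths):
    """Return {path: [reasons]} for entries that the conversion would alter,
    entries with a dots/spaces-only component, and entries whose normalized
    form collides with another entry (compared case-insensitively, as NTFS
    names usually are)."""
    findings = defaultdict(list)
    by_normalized = defaultdict(list)
    for p in paths:
        unified = p.replace("/", "\\")
        normalized = normalize_dos_path(p)
        by_normalized[normalized.lower()].append(p)
        components = unified.split("\\")
        if any(c and not strip_trailing(c) for c in components):
            findings[p].append("dots/spaces-only component")
        elif normalized != unified:
            findings[p].append("trailing dots/spaces stripped")
    for originals in by_normalized.values():
        if len(originals) > 1:
            for o in originals:
                findings[o].append("collides after normalization")
    return dict(findings)

SAMPLE_LISTING = [  # constructed archive entries, not real indicators
    "docs\\readme.txt",
    "docs\\readme.txt.",
    "bin\\update.exe ",
    "... \\helper.dll",
    "normal\\file.txt",
]

if __name__ == "__main__":
    for path, reasons in find_magicdot_names(SAMPLE_LISTING).items():
        print(f"{path!r}: {', '.join(reasons)}")
```

Entries flagged here are the ones whose on-disk name would differ from the name a normal-API program asks for, which is the condition the hiding and impersonation techniques rely on.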
In another attack method, Yair showed that the technique could be used to mask malicious content by impersonating legitimate file paths. He explained that manipulating MagicDot paths can grant adversaries rootkit-like abilities without admin privileges.
Yair also discovered four different vulnerabilities related to the MagicDot issue. One of them is a remote code execution (RCE) vulnerability (CVE-2023-36396, CVSS 7.8) that allows attackers to craft a malicious archive that, once extracted, writes to any location they choose on a remote computer, leading to code execution. Another is an elevation of privilege (EoP) vulnerability (CVE-2023-32054, CVSS 7.3) that allows attackers to write into files without privileges by manipulating the process of restoring a previous version from a shadow copy. The third is an unprivileged denial-of-service (DoS) bug in Process Explorer, usable for anti-analysis, for which CVE-2023-42757 has been reserved, with details to follow. The fourth bug, also an EoP issue, allows unprivileged attackers to delete files.
Although Microsoft has addressed these specific vulnerabilities, the auto-stripping of periods and spaces during DOS-to-NT path conversion, which is the root cause of the vulnerabilities, persists. Yair warns that this issue could lead to many more potential vulnerabilities and post-exploitation techniques. He adds that the problem has implications beyond Microsoft and is relevant to all software vendors.