The document discusses various aspects of Windows file naming conventions and their potential security implications, particularly focusing on 8.3 aliases, special device files, and the ways applications may misinterpret file paths. It emphasizes how these features can lead to vulnerabilities such as authentication bypass, denial-of-service, and buffer overflow attacks. Through poetic haikus, the author highlights the complexities and quirks of Windows file systems, demonstrating that filenames can significantly impact security in web applications.

1. Windows File PseudonymsStrange Filenames and HaikuOR:Pwnage and PoetryDan CrowleyCore Security Technologiesdcrowley@coresecurity.com

2. A quick disclaimer Most of the techniques presented here are demonstrated on web-based technologies. HOWEVER, the techniques and principles explained should apply to any application which takes a file path or name of any sort from user input which will be used on a Windows system.(Furthermore, I will provide a bottle of delicious beer to anyone who finds a use for these techniques which isn’t in this presentation!)Each slide of this talk ~ Shall hence be accompanied ~ By clever haiku

3. The Big Problem ™Applications tend to do string-based analysis of file pathsOften, to decide how to handle filesOr whether or not files should be servedOr whether the file path may be malicious in natureWe can reference one file or directory with many different equivalent stringsApplications may not expect some of these stringsThe OS interacts with the filesystem, not the appDevelopers may not even be aware that their application will accept such names!Some of these names are based on undocumented featuresOne cannot expect ~ To judge books by their covers ~ And find success

4. 8.3 Aliases8 dot 3 formatIt’s self explanatory…only to a point

5. 8.3 AliasesIn DOS, file names must conform to the 8.3 format, meaning:A basename of (max) 8 charactersFollowed by one periodFollowed by a (max) three character extensionWindows likes backwards compatibilityEach file (and directory!) created on default Windows installations has a DOS-compatible nameIf the name isn’t 8.3 compatible, a second name (an 8.3 alias or short file name [SFN]) is madeSimplified, they are generated as follows:Remove some characters (0x80-0xff) and convert some characters to underscores (like + and space)Start with the first six charactersAdd a tildeAnd a digit to distinguish from other files starting with the same charactersAdd a periodAnd up to the first three characters of the file extensionWindows might as well ~ Be backwards-compatible ~ With the abacus

6. Why do I (audience) care?Because “highlight.php” != “HIGHLI~1.PHP”If your IDS is looking for the old PHPBB highlight command exec flaw, it may not find itBecause “.htpasswd” != “HTPASS~1”Your forbidden files may no longer be forbiddenFile type may be determined by user inputWhatever follows the last dot is the file extensionSo perhaps you can upload file.phPWNEDAnd request FILE~1.PHPUse removed characters to force an extension <3 charsAnd you will know me ~ By the trail of characters ~ After the last dot

7. Web App Authentication BypassConsider the following scenario:Admin.php checks for authenticationIf authenticated, several external scripts can be called through Admin.php at the whim of the userDeleteUser.php, AddUser.php, UpdateWebPage.phpThese external scripts cannot be called directlyif($_SERVER[‘PHP_SELF’] == ‘/admin/DeleteUser.php’){ die(‘O RLY?’);}else{ do_something_privileged(); }YA RLY‘/admin/DeleteUser.php’ != ‘/admin/DELETE~1.PHP’I’m taking a break ~ From sensible haiku now ~ Tonsillectomy

8. But wait, there’s more!Long file namesMaximum length: 255Approx. char set size: 63000Approx. possible names:63000^255 = 6.78E+1223Short file names (8.3 aliases)Maximum length: 12 (-1 for dot)Approx. char set size: 59Approx. possible names:59^11 = 3.01E+18 If every file on a Windows box has an 8.3 compatible name (and by default, this is the case) we can immensely reduce the time and resources needed to guess filenames when trying to enumerate file names by brute-force. This can be further reduced if the file extension is known, reducing the complexity to 59^8 = 1.46E+14, or approx. 146,000,000,000,000 possibilities!Huge complexities ~ Collapsing conveniently ~ To simplicity

9. Discarded trailing characters“Let’s get rid of stuffAt the end of filenames!”Must have once been said.

10. Discarded trailing charactersCertain characters at the end of file names/paths are silently discarded by Windows!In Windows API calls, the following items are discarded:PeriodsSpacesThe Windows shell will also allow, in specific configurations:Double quotes (as long as they are closed properly)Angle brackets (only in certain configurations)Extraneous current directory markers (“/.”)Extraneous parent directory markers with arbitrary items (fake or real)Trailing characters ~ Of certain varieties: ~ Removed, silently.

11. Equivalent file path examplesAll of the following paths are valid and equivalent when given to the Windows shell:file.txtfile.txt.....file.txt<spaces>file.txt””””file.txt<<<>><><file.txt/././././.nonexistant/../file.txtDifferent technique, similar use“highlight.php” != “highlight.php.”“restricted.txt” != “restricted.txt<space>”Flexibility ~ In Windows nomenclature ~ Borders on silly

12. DOS special device filesAncient dinosaursUsed to redirect dataWith some devices

13. DOS special device filesSimilar to device files on *nixAllows file operations to be performed on devicesExamples include:CON, the consolePRN, a parallel printerCOM1, the first serial portNUL, a bit bucket (/dev/null equivalent)Pretty well known already, BUT…When you speak to me ~ I redirect all of it ~ To slash-dev-slash-null.

14. DOS special files quirk #1They exist “everywhere”Can be accessed from any path, even:In directories which you are denied access toWith an existing file as a “directory” which “contains” the fileExamples of equivalent paths to CON:CONC:CONC:\CONC:\..\..\..\..\..\CONC:\restricted_dir\CONC:\existing_file.txt\CONLike apparitions ~ They exist in every place ~ And yet in no place

15. DOS special files quirk #2They can have any file extension, it’s ignoredThe following examples are equivalent:CONCON.batCON.phpCON.confCON.thisisalongandarbitraryfileextensionCON.<1000x”A”>Mr. Shakespeare knows ~ A rose by another name ~ Still smells just as sweet

16. Denial-of-ServiceA theoretical application accepts file names and reads the associated filesThis application blocks any file named “CON”, “AUX”, “PRN” etc. to prevent DoSApplications will generally pause to read from a file until EOFEOF may never arrive from devices like AUXIt does NOT block files named, for instance, “AUX.txt”Which we know is equivalent to AUX…And while we’re at it, ~ Since we’re speaking of Shakespeare… ~ All’s well that ends well!

17. Buffer overflowA Windows application takes in a file nameThe file is verified as existingIf it exists, the program does something with the file nameAnd might trust that it doesn’t exceed NTFS limitationsWhat if the file name is “CON.<‘A’x1000>”?Technically, it exists……but not in the filesystem, so it’s not bound to NTFS limitationsWhy one needs all this ~ DOS file extension stuff ~ Is just beyond me

18. You should know better!Microsoft Windows ~ Hoist upon its own petard ~ You should know better!

19. Defeating Windows file permissionsNormal users have access to CONBut not C:\denied_dir\denied_file.txtC:\denied_dir\non_existent_file.txt\CONNo accessC:\denied_dir\denied_file.txt\CONAccess to consoleNow you can check the existence of files which you cannot read in directories you cannot read!It is easiest ~ To acquire forgiveness ~ And not permission

20. TOOL:SFNBRUTE.PYEnumerationFilenames found through brute forceDespite permissions

21. Controlling file handlingDon’t forget:You can use ANY extension!Files are often handled based on extensionDOS special files, then, can often be handled as ANYTHING YOU CHOOSE!http://www.example.com/com1.phpWhat if COM1 was attached to a serial modem?…Or more likely, a Bluetooth dongle?A riddle for you… ~ When is a CON not a CON? ~ When it’s a dot-jar!

22. Namespace prefixesWhat an awful mess!I can’t write haiku aboutNamespace prefixes...

23. Namespace prefixesUsed when files can’t be referred to with normal pathsBecause they’re really devicesBecause they don’t exist on the local filesystemBecause they have strange namesA distant echo ~ Of a victim, falling dead ~ The hunter shouts “PWNED!”

24. Minimal parsing prefixAn invalid name or path can sometimes be used anywayMAX_PATH can be exceededSome restricted characters can be usedReserved basenames can be usedJust precede it with \\?\Must be an absolute pathNo current directory indicator ( ./ )No parent directory indicator ( ../ )You don’t like the rules? ~ Double wack, question mark, wack. ~ You’re welcome, buddy.

25. UNC (Short and Long)Used to refer to files on SMB sharesCan be used to refer to files across the Internet\\server_name_or_ip\share\fileThis is “Short UNC”Nothing terribly special\\?\UNC\server_name_or_ip\share\fileThis is “Long UNC”Allows for the use of the \\?\ prefix with UNC pathsWhat’s the best thing ~ About SMB traffic? ~ Credential replay!

26. NT device namespace prefixUsed to refer to device namespaceThese paths start with \\.\Examples include:\\.\airpcap00\An AirPcap card\\.\GLOBALROOT\Device\HarddiskVolume1\The first hard disk volume on the machineMight be equivalent to, for instance, C:\Doesn’t need an assigned drive letter!\\.\CdRom0\The first disc drive on the computerWinObj from Sysinternals will allow you to browse the NT device namespaceThe device namespace ~ Allows access to devices ~ Using file paths

27. NTLM credential captureWhen accessing SMB shares, authentication may be requestedIf an attacker runs the SMB server, you can bet it willThe SMB client machine will often send stored credentials automaticallyAnd as you may know these credentials can be replayed or crackedAnd we can trigger a machine to access an SMB share with a UNC path!A replay attack ~ With SMB credentials ~ Should not still succeed!

28. Directory traversal“C:\” doesn’t match:\\?\C:\\\127.0.0.1\C$\\\127.3.13.37\C$\\\?\UNC\127.0.0.1\C$\\\.\GLOBALROOT\Device\HarddiskVolume1\…but they’re all equivalent!I ought to mention ~ Directory traversal ~ Ed Skoudis said so!

29. Buffer overflowMinimal parsing prefix allows for the use of paths exceeding MAX_PATHSome developers don’t know you can exceed MAX_PATH…or assume that if the file exists that it can’t exceed MAX_PATHNOP NOPNOPNOPNOP ~ NOP NOPNOPNOPNOPShellcode ~ Pointer to NOP sled

30. Making Windows rootkits deadlierImagine that you’re a Windows sysadminSomeone creates a file named “CON” with the minimal parsing prefixYou try “type CON” at the command lineYour command prompt “hangs”None of your programs open it properlyWindows Explorer can’t delete itYou cryYou pretend it doesn’t existor convince yourself it really should be thereMy reaction to ~ “Undocumented feature” ~ Is unbridled rage.

31. Defeat AV systemsMake files with illegal names(“con.exe”, “lol.exe.”, etc.)Put something malicious in themExecute them???PROFIT!!!An AV system ~ Should reliably open ~ All suspect files

32. Client-side AttacksSwitching security zonesReference “C:\file.txt”NO THAT’S A LOCAL FILE BAD HACKERReference \\127.0.0.1\C$\file.txtA UNC path! I know these, they’re Intranet stuff. No prob, Bob.Check out “Internet Explorer turns your personal computer into a public file server” Jorge Luis Alvarez Medina, BH DC 2010How do I pwn thee? ~ Let me count the ways; No, wait: ~ Just one is enough!

33. DEMONSTRATION:nginx and php on windowsNow I understand,But I still don’t believe you.SHOW ME THE MONEY!

35. Questions?There’s no dumb question…“Is the computer plugged in?”Is pretty bad, though.Dan CrowleyCore Security Technologiesdcrowley@coresecurity.com