> Long path exploit on NTFS
> =====================
> The filesystem NTFS seems to be a hiding place for viruses if you use a file path which
> exceeds 256 characters.
>
> What is the case?
> The filepath (drive + folderpath + filename) theoretically can take up to 32000 characters if
> the filesystem in use is NTFS. However, in the way in which Windows NT (4.0, 2000 and XP)
> accesses this filesystem, a maximum of 256 characters is in place. If you try to go
> deeper, you will experience a "Path too long" error.
>
> In these operating systems there is a way to substitute a long folderpath, using
> the "SUBST" command. If you change your current drive to the substituted
> drive, the pathlength is reset to 3 (Q:\ e.g.) and Windows NT allows you to
> create an even deeper path.

Yes, I tried this on my XP Pro and you are able to hide files within the folder. The command prompt will display a directory listing, but not access the files that are contained within this directory:

C:\TEMP\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\123456789\1234567890\1234567890

Windows Explorer will not even display a listing.

Files that are further down in the tree, using the Subst method, are completely invisible to the virus scanner (NAV Corporate 7.60), command prompt and Explorer until the subst is re-created.

The question that I have is: how would you execute the virus code without SUBST'ing the path and having the virus scanner find it?

Gavin Lowe
gavin@vanderwell.com
Programmer / Network Administrator

No trees were killed in the sending of this message. However a large number of electrons were terribly inconvenienced.
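
A defender-side check for the condition described in this thread, as an added example that is not part of the original messages: a Python walker that reports every entry whose ordinary path exceeds the Win32 MAX_PATH of 260 characters, reaching deep trees through the `\\?\` extended-length prefix on Windows. The function names, the 260 default (the post says 256) and the sample tree are assumptions of this example.

```python
import os
import sys

MAX_PATH = 260  # Win32 MAX_PATH: drive, separators, name and terminating NUL


def extended(path):
    # On Windows, prefix with \\?\ so the walk can descend past MAX_PATH.
    if sys.platform != "win32" or path.startswith("\\\\?\\"):
        return path
    if path.startswith("\\\\"):  # UNC share such as \\server\share
        return "\\\\?\\UNC\\" + path[2:]
    return "\\\\?\\" + path


def find_long_paths(root, limit=MAX_PATH):
    # Returns (hits, unreadable): hits are (length, path) pairs for entries whose
    # ordinary path does not fit in `limit` characters; unreadable lists the
    # directories that could not be opened, so nothing is skipped silently.
    hits, unreadable, stack = [], [], [os.path.abspath(root)]
    while stack:
        current = stack.pop()
        try:
            entries = list(os.scandir(extended(current)))
        except OSError:
            unreadable.append(current)
            continue
        for entry in entries:
            plain = os.path.join(current, entry.name)  # path as legacy tools see it
            if len(plain) + 1 > limit:  # +1 for the terminating NUL
                hits.append((len(plain), plain))
            if entry.is_dir(follow_symlinks=False):
                stack.append(plain)
    return sorted(hits), unreadable


def build_demo_tree(base, depth=30):
    # Constructed sample: nested "1234567890" folders like the listing in the post.
    deep = os.path.join(os.path.abspath(base), *["1234567890"] * depth)
    os.makedirs(extended(deep))
    target = os.path.join(deep, "hidden.txt")
    with open(extended(target), "w") as handle:
        handle.write("constructed sample file\n")
    return target


if __name__ == "__main__":
    found, skipped = find_long_paths(sys.argv[1] if len(sys.argv) > 1 else ".")
    for length, path in found:
        print(length, path)
    for path in skipped:
        print("unreadable:", path)
```

Run it against the real volume path rather than a SUBST drive letter, because lengths are measured from the root that is passed in.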