BOSTON -- Functionality in Microsoft Windows that allows for backwards compatibility can allow an attacker to bypass file restrictions or network security defenses such as intrusion detection systems, a security researcher said today at SOURCE Boston 2010.
Dan Crowley, a tech support engineer at Core Security Technologies, presented several means of bypassing these protections in the Windows versions of four Web servers: Nginx; Cherokee; Mongoose; and LightTPD. The most glaring is through the use of 8.3 aliases in Windows. These are DOS-compatible short names that Windows creates every time a file is created. Both
The 8.3 filesystem pseudonym vulnerability was reported in February by Core Security.
8.3 aliases are eight-character filenames followed by a three-character file extension. In Windows, these are the first six characters of a filename, followed by a tilde, a digit, a period and the file extension (exampl~1.txt). All other characters in the filename are truncated by Windows. This greatly increases the effectiveness of brute-force attacks, because the time and resources needed to guess a filename are much reduced, Crowley said. Theoretically, an attacker could call a file via its alias, view its source code, manipulate it by uploading malware, and the next time the file is called legitimately, the system would be owned.
He added that all of his testing was done on Web-based platforms, but he said any application that accepts user input would be vulnerable as well.
"Applications do string-based analysis of filepaths," Crowley said. "This is done to decide how to handle files, deny access or determine if input is malicious. These alternate file names, or even mangled file names, can bypass or break a lot of things. The operating system interacts with the file system, not the application. Because of this, it does a string-based analysis and passes that on to the file system if it is satisfied with what it sees, rather than asking the file system if this is OK."
Problems arise with IDS rules, for example: if a rule is tuned to look for example.php, a request for exampl~1 would not be flagged. An attacker would be able to access files or send remote code.
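To make the IDS point concrete, here is an added example (not from Crowley's talk or from any of the four servers) that runs a naive exact-match rule and an alias-aware rule over constructed log lines. It follows the article's description of the alias format (first six characters, tilde, digit, extension); the uppercasing and removal of spaces and extra periods are assumptions about Windows behaviour, and the protected filenames and log lines are constructed samples.

```python
import re
from typing import Iterable, List, Tuple

# Constructed sample: long filenames a string-based deny/IDS rule is meant to protect.
PROTECTED = ["config.php", "database.inc", "example.php"]

# A request that looks like a Windows 8.3 alias: up to six prefix chars, a tilde,
# one or more digits, and an optional extension of up to three characters.
TILDE_ALIAS = re.compile(r"^([^.~]{1,6})~(\d+)(?:\.([^.]{1,3}))?$")


def short_prefix(long_name: str) -> Tuple[str, str]:
    """Return the (prefix, extension) pair an 8.3 alias of long_name would carry.

    Per the article: the first six characters of the base name and the extension.
    Assumption (not stated in the article): Windows uppercases the name, drops
    spaces and embedded periods, and keeps only three extension characters.
    """
    if "." in long_name:
        base, _, ext = long_name.rpartition(".")
    else:
        base, ext = long_name, ""
    base = re.sub(r"[ .]", "", base).upper()
    return base[:6], ext.replace(" ", "").upper()[:3]


def matches_protected_alias(requested: str, protected: Iterable[str]) -> List[str]:
    """Protected long names whose 8.3 alias could be the requested short name."""
    m = TILDE_ALIAS.match(requested)
    if not m:
        return []
    pfx, _digits, ext = m.groups()
    wanted = (pfx.upper(), (ext or "").upper())
    return [p for p in protected if short_prefix(p) == wanted]


def naive_rule(requested: str, protected: Iterable[str]) -> bool:
    """The string-based rule the article criticises: exact (case-insensitive) match only."""
    return requested.lower() in {p.lower() for p in protected}


def alias_aware_rule(requested: str, protected: Iterable[str]) -> bool:
    """Same rule, but also flags requests that could be an 8.3 alias of a protected file."""
    return naive_rule(requested, protected) or bool(matches_protected_alias(requested, protected))


# Constructed access-log fragments; only the last path component is inspected.
SAMPLE_LOG = ["GET /config.php", "GET /CONFIG~1.PHP", "GET /exampl~1.php",
              "GET /index.html", "GET /databa~1.inc"]


def scan(log_lines: Iterable[str], protected: Iterable[str]) -> List[Tuple[str, bool, bool]]:
    """Return (filename, flagged_by_naive_rule, flagged_by_alias_aware_rule) per line."""
    out = []
    for line in log_lines:
        name = line.rsplit("/", 1)[-1]
        out.append((name, naive_rule(name, protected), alias_aware_rule(name, protected)))
    return out
```

Only the first request is caught by the exact-match rule; the alias-aware rule additionally flags the three tilde forms, while the ordinary index.html request stays clean.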
Crowley said one mitigation technique is to disable the use of 8.3 aliases.
Ideally, he said, the best mitigation is to stop string-based analysis of file paths altogether, though he acknowledged the performance hit that other techniques would impose on systems.