Open Source and information security mailing list archives
Date: Mon, 1 Jan 2018 17:16:09 -0500
From: debug <debug.net@...il.com>
To: fulldisclosure@...lists.org
Subject: [FD] "." (period) in file extension(s) in windows

So I tried to rename a file to something like "hi..." and it would revert
back to "hi" no matter how many periods I put after the name (the last
character must be a period for this to work). This got me to wonder: if I
were to create a file using POSIX software, or say by mounting the drive in
Linux and creating the file on the drive directly, what could one do?
Because of the way Windows handles extensions differently than the name of
the file itself, extensions cannot contain a period, and therefore the file,
when specially created, becomes inaccessible through any built-in Windows
methods. This could be exploited by hiding data on a Windows system in
plain sight and making it impossible to delete unless one deletes the
entire folder it is in (rd /q /s works great in my test). This could still
be defeated by using bash from Cygwin or any Linux distro mounting the
drive directly, but if one works in a business environment where external
tools are not allowed and a system is exploited, then this could frustrate
administrators until they are able to get approval for external software to
fix the issue. Or this could cause other issues if something is being
referred to by this "invalid" name (Windows reports it as missing or
inaccessible), so if a certain service keeps track of what file names are
changed to while the operating system is up and running and its name is
changed to this "invalid" format, a system could be DoSed, or other vectors
of compromise could open up.

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
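Editor's note with an added example (this code is not part of the post above and is not the author's tooling). The behaviour the post describes is Win32 path normalization: before a name reaches NTFS, the Win32 layer used by CreateFileW, cmd.exe and Explorer strips trailing periods (and, going beyond the post, trailing spaces) from the final path component, so "hi..." is opened as "hi" and a file that NTFS actually stores as "hi..." cannot be referenced through an ordinary path. Directory enumeration (FindFirstFileW, and therefore `dir` or Python's os.scandir on Windows) still returns the raw stored name, which is what makes such files visible but unreachable. The script below flags names in a listing that normalization would alter and builds the `\\?\` extended-length form of the path, which is the documented way to tell Win32 to pass the name through unmodified; a practitioner checking the "impossible to delete" claim would try `del "\\?\C:\...\hi..."` from the built-in shell before reaching for Cygwin. The sample listing and the `C:\Users\victim` location are constructed for the example.

```python
r"""Flag NTFS names that Win32 path normalization makes unreachable, and build
the \\?\ extended-length form that bypasses it.  Added example, not from the post."""
import os
from typing import Iterable, List

# Win32 path normalization strips trailing spaces and periods from the last
# path component, so "hi..." is opened as "hi".  Paths that start with the
# \\?\ prefix skip that normalization and are handed to the file system as-is.
EXTENDED_PREFIX = "\\\\?\\"          # the four characters  \\?\

# Constructed sample listing, in the form FindFirstFileW / os.scandir return
# raw on-disk names.  Not real data.
SAMPLE_LISTING = ["hi...", "report.pdf", "notes.txt ", "config.ini.", "...", "normal"]


def win32_normalize_component(name: str) -> str:
    """Return the name that ordinary (non-\\?\) Win32 path handling would open."""
    return name.rstrip(" .")


def is_win32_unreachable(name: str) -> bool:
    """True if the stored name differs from what a normal path resolves to."""
    if name in (".", ".."):          # directory markers, not stored file names
        return False
    return win32_normalize_component(name) != name


def find_unreachable(names: Iterable[str]) -> List[str]:
    """Filter a directory listing down to the names a normal path cannot reach."""
    return [n for n in names if is_win32_unreachable(n)]


def extended_path(win_path: str) -> str:
    r"""Convert a fully qualified Windows path to its \\?\ extended-length form.

    Drive paths:  C:\dir\hi...          -> \\?\C:\dir\hi...
    UNC paths:    \\server\share\hi...  -> \\?\UNC\server\share\hi...
    Relative paths are rejected: the prefix requires a fully qualified path.
    """
    if win_path.startswith(EXTENDED_PREFIX):
        return win_path
    if win_path.startswith("\\\\"):
        return EXTENDED_PREFIX + "UNC\\" + win_path[2:]
    if len(win_path) >= 3 and win_path[1] == ":" and win_path[2] == "\\":
        return EXTENDED_PREFIX + win_path
    raise ValueError("extended-length paths must be fully qualified: %r" % win_path)


def cmd_delete_command(win_path: str) -> str:
    """cmd.exe command that removes the file using only the built-in shell."""
    return 'del "%s"' % extended_path(win_path)


def audit_directory(directory: str) -> List[str]:
    """Live check for Windows hosts: os.scandir returns the raw stored names,
    so trailing-dot files appear here even though open()/del cannot reach them
    through an ordinary path."""
    return find_unreachable(e.name for e in os.scandir(directory))


if __name__ == "__main__":
    for name in find_unreachable(SAMPLE_LISTING):
        # C:\Users\victim is a hypothetical location for the sample names.
        print("%-14r -> %s" % (name, cmd_delete_command("C:\\Users\\victim\\" + name)))
```

Two caveats for anyone using this as a check: the flagging is a pure string test, so it tells you which stored names a normal path cannot spell, not whether a given program happens to use the `\\?\` form internally; and `rd /s /q` on the parent, as in the post, works because directory deletion is driven by the enumerated raw names rather than by a user-typed path.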