Bugtraq mailing list archives

Re: Long path exploit on NTFS
From: Hans Somers <hans.somers () hccnet nl>
Date: 4 Feb 2002 10:26:10 -0000


In-Reply-To: <OFADFDE497.D1849058-ONC1256B51.002E7352 () abnamro com>

Several replies to this posting revealed the following additional
information on this behaviour.

Possible Reason/Explanation:
There are several APIs one can use when accessing file systems. Of
these APIs there are ANSI versions, where filenames might be limited
to MAX_PATH characters, and Unicode versions, where filenames can take
up to 32,000 characters.
For reference, check the info on the CreateFile() function:

Windows NT/2000/XP: In the ANSI version of this function, the name is
limited to MAX_PATH characters. To extend this limit to nearly 32,000
wide characters, call the Unicode version of the function and prepend
"\\?\" to the path. For more information, see File Name Conventions.

BTW, The Fine Manual can be found at
http://msdn.microsoft.com/library/en-us/fileio/filesio_7wmd.asp?frame=true

It seems that the source of this behaviour lies within the backwards
compatibility to "provide" (Microsoft) and "use" (several vendors) the
ANSI versions of these API functions.

Possible solutions:
- change the application to use the Unicode version of the APIs. This
  may cause an application to lose its backwards compatibility with
  Windows9x/ME. This is an issue for each vendor of the vulnerable
  application.
- change the ANSI version of the API (if possible). This may cause
  other applications to react differently, since they expect the
  return/output of the old/current version. This is an issue for
  Microsoft.

Vulnerability report:
The following applications have been reported as unable to access a
path that exceeds the normal limitation.
The list is far from complete and serves just as a general guide.
--------------------------------  ----------------------------------------------
Platform                          Application
--------------------------------  ----------------------------------------------
Vulnerable:
-----------
NT4                               Explorer.exe, CMD.exe
Windows2000                       Explorer.exe, CMD.exe
WindowsXP                         Explorer.exe, CMD.exe
NT4 SP6a                          McAfee V4.5.1 SP1 with Engine 4.160
Windows 2000 Advanced Server SP2  AntiVirus eXpert Professional ver 5.9.3
Windows NT 4.0 SP4                Norton AntiVirus 5.0
Windows NT 4.0 SP6a               Norton AntiVirus 7.5.1
*1                                Norton Antivirus Corporate 7.60.926
Windows 2000 Professional SP2     Norton Antivirus 8.00.58
Windows XP Pro                    Norton Antivirus 8.00.58
*1                                Legato Networker 6.1.1

Not Vulnerable:
---------------
*1                                Sophos Anti-Virus v3.53
Win2000 SP2                       Sophos AV, January edition (Engine build 2.7)
NT4                               NTBACKUP.EXE
Win2000                           NTBACKUP.EXE
NT4                               Seagate BackupExec 6.11
NT4                               Veritas BackupExec 8.6
--------------------------------------------------------------------------------
*1 = Platform used when checking the given application was not reported.
--------------------------------------------------------------------------------
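
The MAX_PATH limit and the "\\?\" prefix described in the post, as an added example that is not part of the original message: a check that flags paths an ANSI-API tool cannot open and gives the extended-length form a Unicode-API tool would use. All function names are hypothetical, the sample paths in the test are constructed, and MAX_PATH is taken as 260 characters including the terminating NUL.

```python
import ntpath
import os

MAX_PATH = 260                 # Win32 constant; the count includes the NUL
PREFIX = "\\\\?\\"             # the literal \\?\ prefix
UNC_PREFIX = PREFIX + "UNC\\"  # extended form of \\server\share paths


def to_extended(path):
    """Return the extended-length form of an absolute drive or UNC path."""
    if path.startswith(PREFIX):
        return path
    # Prefixed paths are passed through without normalisation, so
    # resolve "/", "." and ".." before adding the prefix.
    path = ntpath.normpath(path)
    if not ntpath.isabs(path):
        raise ValueError("extended-length paths must be absolute: %r" % path)
    if path.startswith("\\\\"):
        return UNC_PREFIX + path[2:]
    return PREFIX + path


def from_extended(path):
    """Strip the prefix, giving the name an ANSI-API caller would pass."""
    if path.startswith(UNC_PREFIX):
        return "\\\\" + path[len(UNC_PREFIX):]
    return path[len(PREFIX):] if path.startswith(PREFIX) else path


def exceeds_ansi_limit(path):
    """True if the plain path plus its NUL does not fit in MAX_PATH."""
    return len(from_extended(path)) + 1 > MAX_PATH


def audit(paths):
    """Map each overlong path to the form a Unicode-API tool can open."""
    return {p: to_extended(p) for p in paths if exceeds_ansi_limit(p)}


def scan_tree(root):
    """Windows only: walk root via its extended form, list overlong paths."""
    hits = []
    for dirpath, dirs, files in os.walk(to_extended(root)):
        for name in dirs + files:
            plain = from_extended(ntpath.join(dirpath, name))
            if exceeds_ansi_limit(plain):
                hits.append(plain)
    return hits
```

Running scan_tree() over a volume lists the files that a scanner or backup tool built on the ANSI APIs would skip.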

