“MagicDot” Flaw Opens Windows to Rootkit-Like Attacks

A recent study has unveiled vulnerabilities in the Windows operating system’s process of converting DOS to NT paths, potentially allowing malicious actors to conceal files, mimic directories and processes, and gain capabilities akin to those offered by rootkits. The findings were presented at the Black Hat Asia conference, held in Singapore from April 16-19.

Researcher Or Yair from SafeBreach pointed out that when Windows functions require a file or folder path as an argument, it undergoes a transformation from DOS to NT format. A known issue within this process is the removal of dots at the ends of path elements and spaces at the end of the last path element.

Dubbed “MagicDot,” this problem provides functionality similar to rootkits, accessible even to non-privileged users, allowing malicious actors to perform a multitude of harmful actions without administrative rights while remaining undetected.

Potential malicious activities include hiding files and processes, affecting the analysis of pre-boot files, misleading users of Task Manager and File Explorer about the authenticity of executable files, and completely disabling Windows Explorer through a Denial of Service (DoS) vulnerability.

The analysis identified four security vulnerabilities, three of which have already been addressed by Microsoft:

1. A privilege escalation vulnerability that allows file deletion without proper permissions (an identifier has not yet been assigned, and the vulnerability will be addressed in a future update).
2. A privilege escalation vulnerability that permits file writing without the necessary rights by manipulating the process of restoring a previous version from a shadow copy (CVE-2023-32054, CVSS score: 7.3).
3. A remote code execution vulnerability that could be exploited by creating a specially crafted archive, leading to code execution when files are extracted at a location chosen by attackers (CVE-2023-36396, CVSS score: 7.8).
4. A Denial of Service vulnerability affecting Windows Explorer when running a process with an executable file named with 255 characters and no file extension (CVE-2023-42757, CVSS score not yet determined).

Yair emphasized that this research demonstrates how seemingly innocuous issues can be leveraged to develop vulnerabilities posing serious security risks.

He also noted that the findings are pertinent not only to Microsoft Windows but to all software developers who frequently overlook known issues from version to version.