Vulnerability in ‘MagicDot’ Windows Enables Unauthorized Rootkit Activity


Uncovering the Risks of DOS-to-NT Path Conversion in Windows: The MagicDot Vulnerabilities

Title: Windows Vulnerability Posit Significant Risk for Businesses

A security researcher at SafeBreach, Or Yair, has highlighted a critical issue associated with the DOS-to-NT path conversion process in Windows that poses a significant risk to businesses. Yair revealed the vulnerabilities during a session at Black Hat Asia 2024, naming it “MagicDot.”

The problem arises from the way Windows handles the conversion of DOS paths to NT paths. Windows automatically removes periods and extra spaces from DOS paths during the conversion process. Attackers can exploit this flaw by creating specially crafted DOS paths that will be converted to NT paths of their choice, allowing them to conceal malicious content and activities.

Yair demonstrated several post-exploitation techniques, including the ability to lock up malicious content, hide files in archives, and impersonate legitimate file paths, granting adversaries rootkit-like abilities without requiring admin privileges.

Moreover, Yair identified four vulnerabilities related to the issue, three of which have been patched by Microsoft. These vulnerabilities include remote code execution, elevation of privilege and privilege, and Process Explorer unprivileged DOS for anti-analysis bugs.

While Microsoft has addressed these specific vulnerabilities, the underlying issue of automatic stripping of periods and spaces in DOS-to-NT path conversion persists, leaving room for potential exploitation. Yair emphasized the importance of developers using NT paths to avoid the conversion process and recommended security teams to develop detections for rogue periods and spaces within file paths to mitigate the risks for businesses.

Related articles

Recent articles