[24084] in bugtraq
Re: Long path exploit on NTFS
daemon@ATHENA.MIT.EDU (Hans Somers)
Mon Feb 4 13:46:22 2002
Date: 4 Feb 2002 10:26:10 -0000
Message-ID: <20020204102610.6447.qmail@mail.securityfocus.com>
From: Hans Somers <hans.somers@hccnet.nl>
To: bugtraq@securityfocus.com
In-Reply-To: <OFADFDE497.D1849058-ONC1256B51.002E7352@abnamro.com>
Several replies to this posting revealed the following
additional information on this behaviour.
Possible Reason/Explanation:
There are several APIs one can use when accessing
file-systems. Of these APIs there are ANSI-versions,
where filenames might be limited to MAX_PATH
characters, and Unicode-versions where filenames
can take up to 32.000 characters.
For reference: check the info on the CreateFile()
function:
>>Windows NT/2000/XP: In the ANSI version of this function, the name is
>>limited to MAX_PATH characters. To extend this limit to nearly 32,000
>>wide characters, call the Unicode version of the function and prepend
>>"\\?\" to the path. For more information, see File Name Conventions.
BTW, The Fine Manual can be found at
http://msdn.microsoft.com/library/en-us/fileio/filesio_7wmd.asp?frame=true
It seems that the source of this behaviour lies within
the backwards-compatibility to "provide" (Microsoft)
and "use" (several vendors) the ANSI-versions of
these API-functions.
Possible solutions:
- change the application to use the Unicode-version
of the APIs. This may cause an application to lose
its backwards compatibility to Windows9x/ME. This
is an issue for each vendor of the vulnerable
application.
- change the ANSI-version of the API (if possible).
This may cause other applications to react differently,
since they expect the return/output of the old/current
version. This is an issue for Microsoft.
Vulnerability report:
The following applications have been reported as
unable to access a path that exceeds the normal
limitation.
The list is far from complete and serves just as a
general guide.
----------------------------------- ------------------------------------------
Platform                            Application
----------------------------------- ------------------------------------------
Vulnerable:
-----------
NT4                                 Explorer.exe, CMD.exe
Windows2000                         Explorer.exe, CMD.exe
WindowsXP                           Explorer.exe, CMD.exe
NT4 SP6a                            McAfee V4.5.1 SP1 with Engine 4.160
Windows 2000 Advanced Server SP2    AntiVirus eXpert Professional ver 5.9.3
Windows NT 4.0 SP4                  Norton AntiVirus 5.0
Windows NT 4.0 SP6a                 Norton AntiVirus 7.5.1
*1                                  Norton Antivirus Corporate 7.60.926
Windows 2000 Professional SP2       Norton Antivirus 8.00.58
Windows XP Pro                      Norton Antivirus 8.00.58
*1                                  Legato Networker 6.1.1
Not Vulnerable:
---------------
*1                                  Sophos Anti-Virus v3.53
Win2000 SP2                         Sophos AV, January edition (Engine build 2.7)
NT4                                 NTBACKUP.EXE
Win2000                             NTBACKUP.EXE
NT4                                 Seagate BackupExec 6.11
NT4                                 Veritas BackupExec 8.6
------------------------------------------------------------------------------
*1 = Platform used when checking the given application was not reported.
------------------------------------------------------------------------------
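
Added example, not part of the original posting: a small audit helper that flags paths an ANSI (MAX_PATH-limited) tool cannot open and builds the "\\?\" form described in the CreateFile() quote, so a Unicode-aware tool can reach them. The value MAX_PATH = 260, the "\\?\UNC\" form for share paths, and all function names and sample paths are assumptions or constructed values that do not appear in the posting.

```python
import ntpath  # Windows path rules, importable on any OS

MAX_PATH = 260                 # Win32 constant; the count includes the terminating NUL
EXTENDED = "\\\\?\\"           # the "\\?\" prefix from the CreateFile() documentation
EXTENDED_UNC = "\\\\?\\UNC\\"  # form used for \\server\share paths

def exceeds_ansi_limit(path):
    # Longest path an ANSI (MAX_PATH-limited) caller can pass is MAX_PATH - 1 characters.
    return len(ntpath.normpath(path)) > MAX_PATH - 1

def to_extended_path(path):
    # Build the "\\?\" form of an absolute path for the Unicode (W) file APIs.
    if path.startswith(EXTENDED):
        return path
    # The prefix switches off Win32 normalisation, so resolve '/', '.' and '..' here.
    norm = ntpath.normpath(path)
    if norm.startswith("\\\\.\\"):
        raise ValueError("device path, not a file-system path: " + path)
    if norm.startswith("\\\\"):
        return EXTENDED_UNC + norm[2:]
    drive, rest = ntpath.splitdrive(norm)
    if not drive or not rest.startswith("\\"):
        raise ValueError("absolute path required: " + path)
    return EXTENDED + norm

def audit(paths):
    # Return (length, extended form) for every path an ANSI-only tool cannot open.
    return [(len(ntpath.normpath(p)), to_extended_path(p))
            for p in paths if exceeds_ansi_limit(p)]

# Constructed sample input: one ordinary path, one deep tree, one long share path.
DEEP = "C:\\data\\" + "\\".join(["a" * 50] * 6) + "\\report.txt"
SAMPLE = [
    "C:\\data\\short.txt",
    DEEP,
    "\\\\srv\\share\\" + "\\".join(["b" * 60] * 5) + "\\x.doc",
]

if __name__ == "__main__":
    for length, ext in audit(SAMPLE):
        print(length, ext[:60] + "...")
```

On a Windows host the list passed to audit() can come from a directory walk that itself starts at a "\\?\"-prefixed root, so the walk is not cut short by the same limit.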