A new vulnerability has been unearthed, allowing attackers to gain rootkit-like abilities on Windows systems without requiring administrative privileges.
Dubbed “MagicDot,” this vulnerability exploits the DOS-to-NT path conversion process within the Windows operating system.
Here, we delve into the technical details of the vulnerability, the attack methods, the rootkit-like abilities it confers, and the mitigation strategies to protect against such exploits.
.png
)
Free Webinar | Mastering WAAP/WAF ROI Analysis | Book Your Spot
Vulnerability Description
The MagicDot vulnerability is rooted in the way Windows handles file paths. Specifically, it is a known issue within the DOS-to-NT path conversion process that attackers can manipulate.
The vulnerability allows for the concealment of files, directories, and processes, effectively granting the attacker the ability to operate undetected on the system.
| DOS Path | NT Path (MagicDot) |
| C:\example\example. | \??\C:\example\example |
| C:\example\example… | \??\C:\example\example |
| C:\example\example<space> | \??\C:\example\example |
| C:\example\example<space><space> | \??\C:\example\example |
| C:\example.\example | \??\C:\example\example |
| C:\example<space>\example | \??\C:\example<space>\example |
The issue arises from the handling of file paths that include dots and spaces in a manner that is not anticipated by the system or the software operating on it.
This can lead to a variety of unexpected behaviors, including the misrepresentation of files and processes to the user and the system’s own management tools.
Attackers can exploit the MagicDot vulnerability through several methods:
- Hiding Malicious Files and Processes: By using specially crafted file paths with dots and spaces, attackers can hide malicious files and processes from the user and system monitoring tools, such as Task Manager and Process Explorer.
- Archive File Manipulation: Attackers can manipulate archive files to hide their contents. When a victim extracts the archive, the extraction logic is tricked into creating symbolic links instead of the actual files, leading to the execution of the attacker’s payload.
- Misrepresentation of Files: The vulnerability can be used to make malware files appear as verified executables published by Microsoft, deceiving users and potentially bypassing security measures.
- Denial of Service (DoS): Attackers can disable Process Explorer by exploiting a DoS vulnerability, hindering the victim’s ability to analyze and detect malicious activity.
Rootkit-like Abilities
The MagicDot vulnerability grants attackers abilities akin to a rootkit, which is a type of malware designed to gain unauthorized root or administrative access to a computer while remaining hidden:
Stealth: The ability to hide files, directories, and processes from both users and system monitoring tools.
Anti-Analysis: Techniques to disable or mislead analysis tools like Process Explorer, making it difficult for users or administrators to detect the presence of malware.
Persistence: By hiding malicious processes and files, attackers can maintain a persistent presence on the system without detection.
Researchers disclosed findings to Microsoft, as noted above. Microsoft did address the vulnerabilities, but has decided to leave the DOS-to-NT path conversion known issue unfixed.
- Remote Code Execution (CVE-2023-36396, CVSS: 7.8): The vulnerability was confirmed, reproduced, and fixed by Microsoft. It was assessed as an RCE with an “Important” severity.
- Elevation of Privilege (Write) (CVE-2023-32054, CVSS: 7.3): The vulnerability was confirmed, reproduced, and fixed by Microsoft. It was assessed as a privilege elevation (PE) with an “Important” severity.
- Elevation of Privilege (Deletion): The vulnerability was reproduced and confirmed by Microsoft. However, they did not issue a CVE or a fix, but instead provided the following response: “Thank you again for submitting this issue to Microsoft. We determined that this issue does not require immediate security service but did reveal unexpected behavior. A fix for this issue will be considered in a future version of this product or service.”
- Process Explorer Unprivileged DOS for Anti-Analysis (CVE-2023-42757): The vulnerability was reproduced, confirmed, and fixed by the engineering team of Process Explorer in version 17.04. CVE-2023-42757 was reserved for this vulnerability by MITRE. MITRE confirmed the vulnerability with Microsoft and will publish the CVE once online publication of the details is available.
