09-12, 14:30–15:15 (Europe/Stockholm), Main hall
As backwards compatibility is a key element in Windows, some known issues stay unfixed. We encountered such an issue when we ended a file name with a dot using NT API. Surprisingly, we couldn't delete, write or rename it. Then, we created a similarly named file without the dot, and like magic, operations on the first file, affected the new file.
We set a goal to reverse engineer this magic and create greater magic tricks. We then realized that trailing dots and spaces are removed when Windows converts normal (DOS) paths to NT paths.
This was a perfect primitive for new magic tricks. Without any control over API or system calls, we managed to hide files and processes, hide files in archives, completely disable ProcExp with a DoS vulnerability, affect prefetch file analysis to report false information, and even make Task Manager and ProcExp users think a malware is a verified executable published by Microsoft. We had rootkit-like abilities as unprivileged users.
Furthermore, we found an RCE vulnerability in Windows' new extraction logic for RAR, 7ZIP, TAR, and more! We also found two more vulnerabilities that allowed us to escalate both deletion and writing privileges.
In this talk, we'll present MagicDot - A set of vulnerabilities and unprivileged rootkit techniques that are all possible thanks to disappearing dots and spaces. A full attack chain starting from remote code execution, to concealments, and privilege escalation. In this magic show you'll also learn the tricks.
Or Yair is a security research professional with 6+ years of experience, currently the Security Research Team Lead at SafeBreach. His primary focus lies in vulnerabilities in Windows OS's components, though his past work also included research of Linux kernel components and some Android components. Or's research is driven by innovation and a commitment to challenging conventional thinking. He enjoys contradicting assumptions and consider creativity as a key skill for research.