Re: [FD] "." (period) in file extension(s) in windows
- From: Gynvael Coldwind <gynvael AT coldwind.pl>
- Subject: Re: [FD] "." (period) in file extension(s) in windows
- Date: Tue, 02 Jan 2018 01:57:10 +0000
- Cc: fulldisclosure AT seclists.org
- Sender: "Fulldisclosure" <fulldisclosure-bounces AT seclists.org>
- To: debug <debug.net AT gmail.com>
It's the same with spaces btw (see also James Forshaw's mention of this in
his post ):
>echo test > asdf
>type "asdf. . . ... .. . ..... . "
Reading doesn't seem to work with Windows Subsystem for Linux (Windows 10)
$ cat asdf
$ cat "asdf . ... . .... . . "
cat: 'asdf . ... . .... . . ': No such file or directory
$ cat < "asdf .. . . ... "
bash: asdf .. . . ... : No such file or directory
Creating a file with spaces/dots from WSL does work (in the same mapped
$ echo test2 > "asdf . . . . . ... "
$ cat "asdf . . . . . ... "
And the file is listable on Windows (i.e. not WSL) too:
>dir /b asdf*
asdf . . . . . ...
Removing it, as you said, is pretty funny (actually the "asdf" file is
removed in this example):
>del "asdf . . . . . ... "
>dir /b asdf*
asdf . . . . . ...
Neither Total Commander nor Windows Explorer was able to remove the file.
That said, Total Commander DID successfully rename the file (even if there
were several "weird" files in the directory, it was able to correctly
rename the right one) - props to TC ;) (Explorer was not able to do it).
(This probably means that the space/dot stuff is implemented in WinAPI, but
TC uses NTAPI for some reason; well, I guess James did explain this in )
I've also tested VirtualBox's folder sharing - I expected it to behave the
same way Windows does (i.e. not WSL), and it's pretty similar. When
creating files in a shared folder the dots/spaces are ignored, but when
trying to read a file with a weird name it just doesn't work.
Anyway, WSL makes this interesting, but it's not the end of the world. In a
2008 article (for hakin9 out of all places ) I've also mentioned the
dot/space removal behavior might be problematic when doing file name
blacklists on Windows (well, just another argument for blacklists not
A fun trick ;)
search for "space"
 "Niebezpieczne nazwy plików" (hakin9 Nr 01/2008) - yeah, in Polish, sry
On Tue, Jan 2, 2018 at 2:05 AM debug <debug.net AT gmail.com> wrote:
> So I tried to rename a file to something like "hi..." and it would revert
> back to "hi" no matter how many periods I put after the name (last
> character must be a period for this to work). This got me to wonder if I
> was to create a file using POSIX software or say by mounting the drive in
> Linux and creating the file on the drive directly; what could one do?
> Because of the way Windows handles extensions differently than the name of
> the file itself, extensions cannot contain a period and therefore the file
> when specially created, becomes inaccessible through any built-in Windows
> methods. This could be exploited by hiding data on a Windows system in
> plain sight and making it impossible to delete unless one deletes the
> entire folder it is in (rd /q/s works great in my test). This could still
> be defeated by using bash from Cygwin or any Linux distro mounting the
> drive directly but if one works in a business environment where external
> tools are not allowed and a system is exploited then this could frustrate
> administrators until they are able to get approval for external software to
> fix the issue. Or this could cause other issues if something is being
> referred to by this "invalid" name (Windows reports it as missing or
> inaccessible), so if a certain service keeps track of what file names are
> changed to while the operating system is up and running and its name is
> changed to this "invalid" format, a system could be DoS or other vectors of
> Sent through the Full Disclosure mailing list
> Web Archives & RSS: http://seclists.org/fulldisclosure/
Sent through the Full Disclosure mailing list
Web Archives & RSS: http://seclists.org/fulldisclosure/
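
Added example (not part of the original message and not the author's code): the file name blacklist point from the reply, shown as a check on the raw name next to a check that first applies the trailing dot/space removal described above. The extension sets, function names and sample names are constructed for this illustration.

```python
import ntpath

# Hypothetical policy sets, constructed for this example.
BLOCKED_EXTENSIONS = {".exe", ".bat", ".cmd", ".scr"}
ALLOWED_EXTENSIONS = {".txt", ".png", ".jpg", ".pdf"}


def naive_blacklist_ok(name: str) -> bool:
    """Blacklist test on the raw name, before any normalization."""
    ext = ntpath.splitext(name)[1].lower()
    return ext not in BLOCKED_EXTENSIONS


def win32_effective_name(name: str) -> str:
    """Name left after trailing dots and spaces are dropped."""
    return name.rstrip(". ")


def flag_ambiguous(names):
    """Return the names whose stored form differs from the effective one."""
    return [n for n in names if n != win32_effective_name(n)]


def safe_upload_name(name: str) -> str:
    """Reject ambiguous names outright, then allowlist the extension."""
    base = ntpath.basename(name)
    if not base or base != name:
        raise ValueError("path separators are not allowed")
    if base != win32_effective_name(base):
        raise ValueError("trailing dot or space in file name")
    ext = ntpath.splitext(base)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        raise ValueError("extension not on the allowlist")
    return base


if __name__ == "__main__":
    # Constructed sample names.
    for sample in ["setup.exe", "setup.exe. . .", "setup.exe ", "notes.txt"]:
        effective = win32_effective_name(sample)
        print(repr(sample), "naive:", naive_blacklist_ok(sample),
              "effective:", repr(effective),
              "after normalization:", naive_blacklist_ok(effective))
```

The same flag_ambiguous() check can be run over a directory listing taken from WSL or a mounted volume to spot names like the "asdf . . . . . ... " file above.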