In this series of 3 blogs (you can find part 1 here, and part 2 here), so far we have understood the implications of promoting files to “Evil Twins” where they can be created and remain in the system as different entities once case sensitiveness is enabled, and some issues that could be raised by just basic assumptions on case-sensitiveness during development.
In this 3rd post we focus on the “confusion” technique, where even though the technique is already known (Medium / Tyranidslair), the ramifications of these effects have not all been analyzed yet.
Going back to normalization, some Win32 API’s remove trailing whitespaces (and other special characters) from the path name.
As mentioned in the last publication, the normalization can, in some cases, provide the wrong result.
The common scenario that could be used as “bait” for the user to click, and even to hide what is seen, is to create a directory with the same name ending with a whitespace.
A very trivial example “That’s not my notepad…..”:
Open task manager, Right click on the “notepad” with putty icon -> Properties. (The properties were read from the “non-trailing-space” binary)
Open Explorer on “C:\Windows “; it will generate the illusion that the original files (from the folder without trailing whitespace) are there. This will happen for any folder/file not present in the whitespace version.
Screenshots opening a McAfee Agent Folder:
Both folders opened; note that the whitespace version does not have any .dll or additional .exe but Explorer renders the missing files from the “normalized – non-whitespace directory”.
Trying to open the dll…
Getting properties from task manager will fetch those from the normalized folder path, that means you can be tricked to think it is a trusted app.
Watch the video recorded by our expert Cedric Cochin illustrating this technique:
Related Links / Blogs: