The Twin Journey, Part 3: I’m Not a Twin, Can’t You See my Whitespace at the End?

By and on Aug 13, 2019

In this series of 3 blogs (you can find part 1 here, and part 2 here), so far we have understood the implications of promoting files to “Evil Twins” where they can be created and remain in the system as different entities once case sensitiveness is enabled, and some issues that could be raised by just basic assumptions on case-sensitiveness during development.

In this 3rd post we focus on the “confusion” technique, where even though the technique is already known (Medium / Tyranidslair), the ramifications of these effects have not all been analyzed yet.

Going back to normalization, some Win32 API’s remove trailing whitespaces (and other special characters) from the path name.

As mentioned in the last publication, the normalization can, in some cases, provide the wrong result.

The common scenario that could be used as “bait” for the user to click, and even to hide what is seen, is to create a directory with the same name ending with a whitespace.

A very trivial example “That’s not my notepad…..”:

Open task manager, Right click on the “notepad” with putty icon -> Properties. (The properties were read from the “non-trailing-space” binary)

Open Explorer on “C:\Windows “; it will generate the illusion that the original files (from the folder without trailing whitespace) are there. This will happen for any folder/file not present in the whitespace version.

Screenshots opening a McAfee Agent Folder:

Both folders opened; note that the whitespace version does not have any .dll or additional .exe but Explorer renders the missing files from the “normalized – non-whitespace directory”.

Trying to open the dll…

Getting properties from task manager will fetch those from the normalized folder path, that means you can be tricked to think it is a trusted app.

Watch the video recorded by our expert Cedric Cochin illustrating this technique:

Related Links / Blogs:

https://tyranidslair.blogspot.com/2019/02/ntfs-case-sensitivity-on-windows.html

https://medium.com/tenable-techblog/uac-bypass-by-mocking-trusted-directories-24a96675f6e

About the Author

Leandro Costantino

Leandro Costantino is a seasoned software architect in the Office of the CTO at McAfee where he is researching and applying cutting edge technology to the future of security. Leandro has more than 17 years of experience in product development, research and innovation spanning Endpoint to Cloud technologies. In his free time, Leandro manages personal ...

Read more posts from Leandro Costantino

Cedric Cochin

Cedric Cochin is a Senior Security Architect, CyberThreat SME; and a Senior Principal Engineer on McAfee’s Future Threat Defense Technologies team. He 20 years of experience in information security. Cochin’s primary mission is to provide expertise to McAfee teams and serve as an expert on cybersecurity threats, understand the threat landscape and technologies to defeat ...

Read more posts from Cedric Cochin

Categories: McAfee Labs

Leave a Reply

Your email address will not be published. Required fields are marked *

Subscribe to McAfee Securing Tomorrow Blogs